Security Fix for RCE on "gitlogplus" - huntr.dev

[huntr-helper]

https://huntr.dev/users/Asjidkalam has fixed the RCE on "gitlogplus" vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/gitlogplus/1/README.md

User Comments:

📊 Metadata *

Code execution vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-gitlogplus

⚙️ Description *

The gitlogplus module is vulnerable against an arbitrary command injection issue which is made possible since some user-inputs are executed inside a command which doesn't have validations of any kind. The argument options can be controlled by users without any sanitization. It was using exec() & execSync() function which is vulnerable to Command Injection if it accepts user input and it goes through any sanitization or escaping.

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape them. I replaced it with execFile() and execFileSync which mitigates any possible Command Injections as it accepts input as arrays.

🐛 Proof of Concept (PoC) *

Install the package and run the below code:

var git = require('gitlogplus');
git({repo:'.', number:'eeee; touch HACKED; #'})

A file named HACKED will be created in the current working directory.

🔥 Proof of Fix (PoF) *

After applying the fix, run the PoC again and no files will be created. Hence command injection is mitigated.

👍 User Acceptance Testing (UAT)

Only execFile and execFileSync is used, no breaking changes introduced.

[hipstersmoothie]

🚀 PR was released in v4.0.1 🚀