Fix Arbitary Code Execution

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-git-stats

⚙️ Description *

git-stats is a js package for local git statistics including GitHub-like contributions calendars.

Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in any of the options.start or options.end values, using the authors() function.

💻 Technical Description *

git-stats appends user input into Gry to run git commands without sanitization, Gry v6.0.0 has been fixed to avoid RCE so package.json was update to use this and code was updated accordingly.

A PR was submited to Gry since stdout was being ignored by default making authors() inoperant until this PR is merged, Merged and fixed in Gry v6.1.0

🐛 Proof of Concept (PoC) *

Download the package and run the below code:

var GitStats = require("./lib");
var g1 = new GitStats();
g1.authors({
    start: ' " ;touch HACKED; #//',
    end: 'endstring'
}, (resp, pieData) => {
    console.log("Done!");
});

It will create a files named HACKED in the working directory.

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally and dates can be filtered correctly

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord