
Security Fix for Remote Code Execution - huntr.dev #161

Merged (3 commits), Oct 14, 2020

Conversation

huntr-helper

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/git-stats/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-git-stats

⚙️ Description *

git-stats is a js package for local git statistics including GitHub-like contributions calendars.

Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in any of the options.start or options.end values, using the authors() function.

💻 Technical Description *

git-stats appends user input into Gry to run git commands without sanitization. Gry v6.0.0 has been fixed to avoid RCE, so package.json was updated to use this version and the code was updated accordingly.

A PR was submitted to Gry since stdout was being ignored by default, making authors() inoperative until this PR is merged. Merged and fixed in Gry v6.1.0.

🐛 Proof of Concept (PoC) *

Download the package and run the below code:

```javascript
var GitStats = require("./lib");
var g1 = new GitStats();
g1.authors({
    // The value closes the quoted --since argument, so the rest is parsed
    // by the shell as a second command; `#` comments out the trailing quote.
    start: ' " ;touch HACKED; #//',
    end: 'endstring'
}, (resp, pieData) => {
    console.log("Done!");
});
```

It will create a file named HACKED in the working directory.

(screenshot: git-statsPOC)

🔥 Proof of Fix (PoF) *

After the fix, no file is created.

(screenshot: git-statsPOF)

👍 User Acceptance Testing (UAT)

Commands can be executed normally and dates can be filtered correctly.

(screenshot: git-statsOK)

@JamieSlome (Contributor)

@IonicaBizau - let me know if you have any questions - here to help! 🍰

@IonicaBizau IonicaBizau mentioned this pull request Oct 14, 2020
@IonicaBizau IonicaBizau merged commit 8bdaaf3 into IonicaBizau:master Oct 14, 2020