blamer@0.1.2 vulnerabilities

blamer is a tool for getting information about author of code from version control system

  • latest version

    1.0.6

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    1 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the blamer package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Arbitrary Argument Injection

    blamer is a tool for get information about author of code from version control system. Supports git and subversion.

    Affected versions of this package are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

    How to fix Arbitrary Argument Injection?

    Upgrade blamer to version 1.0.4 or higher.

    <1.0.4
    • M
    Command Injection

    blamer is a tool for get information about author of code from version control system. Supports git and subversion.

    Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to blamer.

    PoC

    var Root = require("blamer");
    var attack_command = "& touch vulnerable &";
    root = new Root('git',attack_command);
    root.blameByFile("./");
    

    How to fix Command Injection?

    Upgrade blamer to version 1.0.1 or higher.

    <1.0.1