Command Injection Affecting freespace package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-FREESPACE-1018705
- published 15 Oct 2020
- disclosed 14 Oct 2020
- credit ansuj
How to fix?
There is no fixed version for freespace.
Overview
freespace is an A library that tells you how much free disk space you have
Affected versions of this package are vulnerable to Command Injection. The library offers a function that allows a developer to pass in a disk-label (Windows) or a mount-point (Linux) and returns space details about the same. However, due to lack of proper sanitization of the parameter to that function, injection of multiple commands using delimiters such as ; and && will cause the shell to interpret and execute each command between those characters. This code is vulnerable on the Unix platform and not on Windows. The Windows variant also directly uses the input without sanitization, however, uses only the first character of the input parameter, which prevents injection.
PoC
const freespace = require('freespace');
freespace.check('/ ; touch /tmp/semicolon_file')
.then(bytes => {
console.log(bytes);
});
freespace.check('/ && touch /tmp/ampersand_file')
.then(bytes => {
console.log(bytes);
});