This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fixed code execution on git-commit-range #1

Merged
merged 2 commits into from
Jul 28, 2020


Asjidkalam

📊 Metadata *

Remote code execution vulnerability fixed.

Bounty URL: https://www.huntr.dev/app/bounties/open/1-npm-node-git-commit-range

⚙️ Description *

Fixed the code execution by escaping the shell argument using the shell-escape library.

💻 Technical Description *

shell-escape is used to escape and stringify an array of arguments to be executed on the shell. There were multiple instances in index.js in which user-supplied input was concatenated, unsanitized, into command strings, which were then passed to execa.shellSync(), which triggers the code execution. This is mitigated using the shell-escape library.

🐛 Proof of Concept (PoC) *

Create a project with a vulnerable package and run the following snippet. The code executed will create a file named hacked in the working directory with the system uname.

```js
const gitCommitRange = require('git-commit-range');

gitCommitRange();

gitCommitRange({
  path: '.; whoami > hacked',
  from: '15be93c31ad87c9ced03ba0b60fc2fb55c977c5c',
  to: '32b940b014322834966d79b109d2d7adec8e3ea3',
  include: false,
});
```


🔥 Proof of Fix (PoF) *

After applying the fix, the escape-shell module properly sanitizes the user-supplied information before passing it into execa.shellSync(), and the whoami command is no longer executed. Hence no file is created and code execution is mitigated.


:)
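As an added illustration that is not part of the pull request or the project's code: the sketch below contrasts the concatenation pattern described above with a quoted version, and uses a simplified sh word splitter to show how many commands each string yields. The git command template, `quoteArg` (a hand-written stand-in for shell-escape) and `splitCommands` are assumptions made for this example.

```javascript
// Added example; the git command template is hypothetical, not the project's own.

// POSIX single-quote escaping, hand-written here as a stand-in for shell-escape:
// wrap the value in '...' and rewrite each embedded ' as '\''.
function quoteArg(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Vulnerable pattern: user input concatenated straight into the shell string.
function buildUnsafe({ path, from, to }) {
  return `git -C ${path} log --format=%H ${from}..${to}`;
}

// Hardened pattern: every user-controlled value is quoted first.
function buildEscaped({ path, from, to }) {
  return `git -C ${quoteArg(path)} log --format=%H ${quoteArg(from + '..' + to)}`;
}

// Simplified model of how sh splits a line: single quotes, backslash escapes,
// whitespace and ';' only. Redirections, pipes, double quotes and expansions
// are not modelled (a '>' shows up as a plain word).
// Returns one argv array per command the shell would run.
function splitCommands(line) {
  const commands = [[]];
  let word = null; // null = no word in progress
  let inQuote = false;
  const add = (s) => { word = (word === null ? '' : word) + s; };
  const endWord = () => {
    if (word !== null) commands[commands.length - 1].push(word);
    word = null;
  };
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuote) {
      if (ch === "'") inQuote = false; else add(ch);
    } else if (ch === "'") { inQuote = true; add(''); }
    else if (ch === '\\') { i += 1; add(line[i] || ''); }
    else if (ch === ';') { endWord(); commands.push([]); }
    else if (/\s/.test(ch)) endWord();
    else add(ch);
  }
  endWord();
  return commands.filter((argv) => argv.length > 0);
}

// The path value is the one from the PoC above; from/to are constructed.
const poc = { path: '.; whoami > hacked', from: 'aaa111', to: 'bbb222' };
console.log(splitCommands(buildUnsafe(poc)).length, splitCommands(buildEscaped(poc)).length);
```

Passing an argument array to a non-shell API such as `child_process.execFileSync` removes the need for quoting altogether.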


@mufeedvh mufeedvh left a comment


lgtm

LGTM


@Mik317 Mik317 left a comment


LGTM 😄 🎉

Cheers,
Mik

@JamieSlome JamieSlome removed the request for review from toufik-airane July 28, 2020 05:42
@JamieSlome JamieSlome merged commit 574a540 into 418sec:master Jul 28, 2020
@huntr-helper

Congratulations Asjidkalam - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
