
Argument Injection Vulnerability in ggit

A security disclosure details an Argument Injection vulnerability in the `ggit` npm package version `2.4.12` and earlier. Let's break down the issue and how to address it.


The Argument Injection vulnerability in ggit comes down to the following:

  • Affected Function: The vulnerability exists in the clone function of ggit.
  • Input Validation Issue: The function doesn’t properly validate or sanitize user-provided input, particularly the url parameter.
  • Missing Flag Separation: The library doesn’t use the -- flag to separate command-line options from arguments passed to the git binary.
  • Exploitable Option: The --upload-pack option in the Git command allows specifying a custom command to execute on the remote server. However, in this case, it’s being used to inject arbitrary commands on the user’s machine.

Exploit Scenario

The provided Proof-of-Concept (POC) code demonstrates how an attacker can exploit this vulnerability:

  • The attacker provides a malicious URL that includes the --upload-pack option followed by a command to create a file named pwned in the /tmp directory.
  • Since the library doesn’t properly handle the URL, the entire string is passed to the git binary as a single argument.
  • The --upload-pack option is interpreted by the git binary, and the subsequent command to create the file is executed on the user’s machine.

Vulnerable Code and Argument Injection Exploit

  1. Install ggit@2.4.12 or earlier

  2. Establish the following POC:

    const clone = require("ggit").cloneRepo;
    clone({
      url: "--upload-pack=$(touch /tmp/pwned)",
      folder: "/tmp/dbd",
    }).then(function () {
      console.log("cloned repo to destination folder");
    });

👋 Just a quick break

I'm Liran Tal and I'm the author of the newest series of expert Node.js Secure Coding books. Check it out and level up your JavaScript

Node.js Secure Coding: Defending Against Command Injection Vulnerabilities
Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities

Impact

This vulnerability can allow attackers to execute arbitrary commands on a user’s system with the privileges of the user running the ggit library. This could lead to data theft, system compromise, or other malicious activities.

Conclusion

Argument Injection vulnerabilities can be serious security risks. It’s crucial to keep software libraries updated and to validate user input whenever possible to prevent such attacks. By following these recommendations, you can help mitigate the risk associated with this vulnerability in ggit.

