Remote Code Execution vulnerability

Question

Remote Code Execution vulnerability

vvanmol opened this issue 4 years ago · 7 comments

Hello,

I haven't seen any open issue about this so I'm creating this ticket, but Snyk reported a vulnerability about this package.
Please find more details about it here: https://snyk.io/vuln/SNYK-JS-LOCUTUS-575119

Answer 1 · 2020-09-18T14:10:33.000Z

Is this the issue that needs fixing? #395

Answer 2 · 2020-09-18T14:29:09.000Z

Seems to be related to the same function, but not the same issue. Here it's about sanitizing two single quotes characters as explained in this Blog post: https://reallinkers.github.io/CVE-2020-13619/

The following code seems to exploit the vulnerability (taken from the node sample in the blog post above):

var phpExec = require('locutus/php/exec');
var child = require('child_process');

var directory = "/home'; whoami;''"
var command = "ls -la " + phpExec.escapeshellarg(directory);
console.log(command);

child.exec(command, function (error,stdout,stderr) {
	console.log(stdout);
	console.log(stderr);
});

Answer 3 · 2020-09-22T01:33:46.000Z

here is how i would implement it personally,

function escapeshellarg(arg){
  if(arg.indexOf("\x00") !== -1) {
    throw new Error('escapeshellarg(): Argument #1 ($arg) must not contain any null bytes');
  }
  return "'"+arg.replace(/\'/g,'\'\\\'\'')+"'";
}

for one, it's much closer to how PHP's escapeshellarg() works, and second, it's not vulnerable to the above shell execution exploit, correctly generating the command

$ ls -la '/home'\''; whoami;'\'''\'''
ls: cannot access '/home'\''; whoami;'\'''\''': No such file or directory

$ ls -la ' starts the quote, /home' ends the quote, \' adds an escaped quote, ' starts the quote, ; whoami;' ends the quote, \' adds an escaped quote, ' starts the quote, ' ends the quote, \' adds an escaped quote, and ' starts the last quote required to make the always-appended last ' correctly end the quote :)

(it's technically possible to create a smaller command with the same data, \'\' and ''\'''\''' compiles to the exact same string, but given the security-sensitive aspect if we get the optimization wrong, and the fact that even the php core developers didn't try to optimize this part, we probably shouldn't try to do that either.)

Answer 4 · 2020-09-22T02:01:17.000Z

proposed a fix in #426

Answer 5 · 2020-10-02T01:25:55.000Z

uhm.. guys? can i get some feedback? (the PR has been completely silent for 10 days now~)

Answer 6 · 2020-10-02T06:23:57.000Z

Hi @divinity76

Your solution seems to be good, and you confirmed it fixes the vulnerability. Not sure I can do anything from my side, but waiting for maintainers...

Answer 7 · 2020-10-02T06:59:36.000Z

Thank you! Merged and released as locutus@2.0.13