Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mbTc2LXc4ancteGY4bc4AA_8h

@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source

Summary

When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.

Details

Relevant code from source (req.body) to sink (child_process.execSync).

router.post(
  "/",
  isAdmin,
  error_catcher(async (req, res) => {
    const plugin = new Plugin(req.body); // [1] 
      [...]
      try {
        await load_plugins.loadAndSaveNewPlugin( // [3] 
          plugin,
          schema === db.connectObj.default_schema || plugin.source === "github"
        );
        [...]
    }
  })
);

class Plugin {
  [...]
  constructor(o: PluginCfg | PluginPack | Plugin) {
    [...]
    this.name = o.name; // [2] 
    [...]
}

const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
  [...]
  const loader = new PluginInstaller(plugin); // [4] 
  const res = await loader.install(force); // [7] 
  [...]
};

class PluginInstaller {
  constructor(plugin, opts = {}) {
    [...]
    const tokens =
      plugin.source === "npm"
        ? plugin.location.split("/")
        : plugin.name.split("/"); // [5] 
    [...]
    this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [6] 
    [...]
  }

  
  async install(force) {
    [...]
    if (await this.prepPluginsFolder(force, pckJSON)) { // [8] 
    [...]
  }

  async prepPluginsFolder(force, pckJSON) {
    [...]
    switch (this.plugin.source) {
      [...]
      case "git":
        if (force || !(await pathExists(this.pluginDir))) { 
          await gitPullOrClone(this.plugin, this.tempDir); // [9] 
	  [...]
  }

const gitPullOrClone = async (plugin, pluginDir) => {
  [...]
  if (fs.existsSync(pluginDir)) {
    execSync(`git ${setKey} -C ${pluginDir} pull`);
  } else {
    execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10] 
  }
  [...]
};

PoC

cat /tmp/HACKED
cat: /tmp/HACKED: No such file or directory

cat /tmp/HACKED
hello

Impact

Remote code execution

Recommended Mitigation

Sanitize the pluginDir value before passing to execSync. Alternatively, use child_process. execFileSync API (docs: https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options)

Permalink: https://github.com/advisories/GHSA-fm76-w8jw-xf8m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mbTc2LXc4ancteGY4bc4AA_8h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 14 days ago
Updated: 14 days ago


CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-fm76-w8jw-xf8m
References: Repository: https://github.com/saltcorn/saltcorn
Blast Radius: 1.0

Affected Packages

npm:@saltcorn/plugins-loader
Dependent packages: 0
Dependent repositories: 0
Downloads: 1,936 last month
Affected Version Ranges: <= 1.0.0-beta.13
Fixed in: 1.0.0-beta.14
All affected versions: 0.9.5, 0.9.6, 0.9.7, 0.9.8, 1.0.0-beta.0, 1.0.0-beta.1, 1.0.0-beta.2, 1.0.0-beta.3, 1.0.0-beta.4, 1.0.0-beta.5, 1.0.0-beta.6, 1.0.0-beta.7, 1.0.0-beta.8, 1.0.0-beta.9, 1.0.0-beta.10, 1.0.0-beta.11, 1.0.0-beta.13
All unaffected versions: