
package is signed as high severity vulnerability from npm #2

Closed

gchiocchio opened this issue Feb 21, 2019 · 9 comments

@gchiocchio

package is signed as high severity vulnerability from npm

https://nodesecurity.io/advisories/784

@Zorono

Zorono commented Oct 22, 2019

I agree with you...

@SunilWang
Owner

SunilWang commented Oct 25, 2019

Fix done!

https://www.npmjs.com/package/node-os-utils

npm install node-os-utils@1.1.0

@rdimascio

Seems like this hasn't been fixed yet

https://www.npmjs.com/advisories/784

@SunilWang
Owner

@rdimascio
Already modified once; I don't know where the risks would be.

Is it because of calling system commands?

@peterkingsbury

peterkingsbury commented Dec 26, 2019

Could it work to contact the individual who reported the incident? He may have specifics that you can react to. The advisory site https://www.npmjs.com/advisories/784 links his homepage, where there is an email address at which he can be contacted.

Because node-os-utils fails npm audit, and passing npm audit is part of our build pipeline, we can't use it any longer.

@SunilWang
Owner

@peterkingsbury
Email sent, waiting for reply. Thanks for the feedback.

@SunilWang
Owner

@peterkingsbury @rdimascio @Zorono @gchiocchio

https://www.npmjs.com/advisories/784

Overview
Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution.

Remediation
Upgrade to version 1.1.0 or later

Thank you all,
Latest version 1.2.1

@franktip

Hello, sorry for the delayed response. The following code snippet demonstrates the vulnerability in the version that I originally examined:

```javascript
// PoC from the original report: a string containing a shell command
// substitution is handed to node-os-utils' exec, and the shell expands it,
// creating the marker file.
var done = function done() {
  console.log("Done!");
};

var DUMMY_FILE = './xyzzy';

// Value containing a shell command substitution
var command = "$(touch " + DUMMY_FILE + ")";

// Stands in for an untrusted input source feeding the command string
function dummySource(val) {
  command += val;
}

dummySource(' ');

var nodeosutils = require('node-os-utils');
var exec = nodeosutils.exec;
exec(command)();

done();
```

Executing this code resulted in the creation of a file "xyzzy" due to the execution of an injected command.

@franktip

I just tried running this code with the current version of node-os-utils, and the vulnerability appears to have been eliminated.
