Remote Code Execution vulnerability #420
Comments
Is this the issue that needs fixing? #395
Seems to be related to the same function, but not the same issue. Here it's about sanitizing two single quote characters as explained in this blog post: https://reallinkers.github.io/CVE-2020-13619/

The following code seems to exploit the vulnerability (taken from the Node sample in the blog post above):

```js
var phpExec = require('locutus/php/exec');
var child = require('child_process');
var directory = "/home'; whoami;''";
var command = "ls -la " + phpExec.escapeshellarg(directory);
console.log(command);
child.exec(command, function (error, stdout, stderr) {
  console.log(stdout);
  console.log(stderr);
});
```
Here is how I would implement it personally:

```js
function escapeshellarg(arg) {
  // PHP's escapeshellarg() rejects null bytes outright
  if (arg.indexOf("\x00") !== -1) {
    throw new Error('escapeshellarg(): Argument #1 ($arg) must not contain any null bytes');
  }
  // Wrap in single quotes; each embedded ' becomes '\'' (close quote, escaped quote, reopen quote)
  return "'" + arg.replace(/\'/g, '\'\\\'\'') + "'";
}
```

For one, it's much closer to how PHP's escapeshellarg() works, and second, it's not vulnerable to the above shell execution exploit, correctly generating the command
(it's technically possible to create a smaller command with the same data,
proposed a fix in #426
Uhm... guys? Can I get some feedback? (The PR has been completely silent for 10 days now~)
Hi @divinity76. Your solution seems to be good, and you confirmed it fixes the vulnerability. Not sure I can do anything from my side, but waiting for maintainers...
* patch CVE-2020-13619 fixes #420
* formatting missing a space if nothing else
* add bugfix sample & credits
* update example 2
* forgot escapeshellarg() in example2
Thank you! Merged and released as locutus@2.0.13
Hello,
I haven't seen any open issue about this so I'm creating this ticket, but Snyk reported a vulnerability about this package.
Please find more details about it here: https://snyk.io/vuln/SNYK-JS-LOCUTUS-575119