Remote Code Execution vulnerability #420
Comments
|
Is this the issue that needs fixing? #395 |
|
Seems to be related to the same function, but not the same issue. Here it's about sanitizing two single quotes characters as explained in this Blog post: https://reallinkers.github.io/CVE-2020-13619/ The following code seems to exploit the vulnerability (taken from the node sample in the blog post above): var phpExec = require('locutus/php/exec');
var child = require('child_process');
var directory = "/home'; whoami;''"
var command = "ls -la " + phpExec.escapeshellarg(directory);
console.log(command);
child.exec(command, function (error,stdout,stderr) {
console.log(stdout);
console.log(stderr);
}); |
|
here is how i would implement it personally, function escapeshellarg(arg){
if(arg.indexOf("\x00") !== -1) {
throw new Error('escapeshellarg(): Argument #1 ($arg) must not contain any null bytes');
}
return "'"+arg.replace(/\'/g,'\'\\\'\'')+"'";
}for one, it's much closer to how PHP's escapeshellarg() works, and second, it's not vulnerable to the above shell execution exploit, correctly generating the command
(it's technically possible to create a smaller command with the same data, |
|
proposed a fix in #426 |
|
uhm.. guys? can i get some feedback? (the PR has been completely silent for 10 days now~) |
|
Hi @divinity76 Your solution seems to be good, and you confirmed it fixes the vulnerability. Not sure I can do anything from my side, but waiting for maintainers... |
* patch CVE-2020-13619 fixes #420 * formatting missing a space if nothing else * add bufix sample & credits * update example 2 * forgot escapeshellarg() in example2
|
Thank you! Merged and released as locutus@2.0.13 |
Hello,
I haven't seen any open issue about this so I'm creating this ticket, but Snyk reported a vulnerability about this package.
Please find more details about it here: https://snyk.io/vuln/SNYK-JS-LOCUTUS-575119
The text was updated successfully, but these errors were encountered: