Fixed Remote Code Execution vulnerability

[d3m0n-r00t]

Description

Affected versions of this package are vulnerable to Arbitrary Code Injection. It can be used with options to overwrite the default executable/binary path and its arguments. An attacker can abuse this functionality to execute arbitrary code.

Bug reference: https://snyk.io/vuln/SNYK-JS-WIFISCANNER-574786

Proof-Of-Concept

Proof of concept is from the Github Issue #1

let wifiscanner = require("wifiscanner");
let options = {
args: ";/bin/touch /tmp/exploit.txt;#"
}
let scanner = wifiscanner(options);
scanner.scan(function(error, networks){});

Proof-Of-Fix

Fixed Code execution vulnerability by using safer execFile function in place of exec.
Run the poc.js again and no more code execution.

[codecov-commenter]

Codecov Report

❗ No coverage uploaded for pull request base (master@db19462). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             master        #2   +/-   ##
==========================================
  Coverage          ?   100.00%           
==========================================
  Files             ?         6           
  Lines             ?       136           
  Branches          ?        18           
==========================================
  Hits              ?       136           
  Misses            ?         0           
  Partials          ?         0           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db19462...6079351. Read the comment docs.