Remote command execution in protobufjs-cli
Description
protobuf.js is vulnerable to OS command injection in the CLI
Summary
pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
Impact
An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.
This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
Preconditions
The application or user must invoke pbts on file paths influenced by an attacker.
The attacker must be able to supply or create a path containing shell-significant characters.
The vulnerable pbts version must execute the generated JSDoc command through a shell.
Workarounds
Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | protobufjs-cli | | 1.2.1, 2.0.2 |