Second order command injection¶

ID: js/second-order-command-line-injection Kind: path-problem Security severity: 7.0 Severity: error Precision: high Tags: - correctness - security - external/cwe/cwe-078 - external/cwe/cwe-088 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls 

Click to see the query in the CodeQL repository

Some shell commands, like gitls-remote, can execute arbitrary commands if a user provides a malicious URL that starts with --upload-pack. This can be used to execute arbitrary code on the server.

Recommendation¶

Sanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.

Example¶

The following example shows code that executes gitls-remote on a URL that can be controlled by a malicious user.

constexpress=require("express");constapp=express();constcp=require("child_process");app.get("/ls-remote",(req,res)=>{constremote=req.query.remote;cp.execFile("git",["ls-remote",remote]);// NOT OK});

The problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.

constexpress=require("express");constapp=express();constcp=require("child_process");app.get("/ls-remote",(req,res)=>{constremote=req.query.remote;if(!(remote.startsWith("git@")||remote.startsWith("https://"))){thrownewError("Invalid remote: "+remote);}cp.execFile("git",["ls-remote",remote]);// OK});

References¶

Max Justicz: Hacking 3,000,000 apps at once through CocoaPods.
Git: Git - git-ls-remote Documentation.
OWASP: Command Injection.
Common Weakness Enumeration: CWE-78.
Common Weakness Enumeration: CWE-88.

© GitHub, Inc.
Terms
Privacy