Headline
GHSA-fm76-w8jw-xf8m: @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source
Summary
When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.
Details
Relevant code from source (req.body) to sink (child_process.execSync).
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400
router.post(
"/",
isAdmin,
error_catcher(async (req, res) => {
const plugin = new Plugin(req.body); // [1]
[...]
try {
await load_plugins.loadAndSaveNewPlugin( // [3]
plugin,
schema === db.connectObj.default_schema || plugin.source === "github"
);
[...]
}
})
);
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44
class Plugin {
[...]
constructor(o: PluginCfg | PluginPack | Plugin) {
[...]
this.name = o.name; // [2]
[...]
}
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65
const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
[...]
const loader = new PluginInstaller(plugin); // [4]
const res = await loader.install(force); // [7]
[...]
};
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61
class PluginInstaller {
constructor(plugin, opts = {}) {
[...]
const tokens =
plugin.source === "npm"
? plugin.location.split("/")
: plugin.name.split("/"); // [5]
[...]
this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [6]
[...]
}
async install(force) {
[...]
if (await this.prepPluginsFolder(force, pckJSON)) { // [8]
[...]
}
async prepPluginsFolder(force, pckJSON) {
[...]
switch (this.plugin.source) {
[...]
case "git":
if (force || !(await pathExists(this.pluginDir))) {
await gitPullOrClone(this.plugin, this.tempDir); // [9]
[...]
}
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112
const gitPullOrClone = async (plugin, pluginDir) => {
[...]
if (fs.existsSync(pluginDir)) {
execSync(`git ${setKey} -C ${pluginDir} pull`);
} else {
execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10]
}
[...]
};
PoC
- check that the file will be created by the command
echo "hello">/tmp/HACKEDdoes not exists:
cat /tmp/HACKED
cat: /tmp/HACKED: No such file or directory
- login with an admin account
- visit
http://localhost:3000/plugins/new - enter the following fields:
- Name:
;echo "hello">/tmp/HACKED - Source:
git - other fields blank
- Name:
- click
Create - you will get an error saying
ENOENT: no such file or directory, ....but the commandtouch /tmp/HACKEDwill be executed - to verify:
cat /tmp/HACKED
hello
Impact
Remote code execution
Recommended Mitigation
Sanitize the pluginDir value before passing to execSync. Alternatively, use child_process. execFileSync API (docs: https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options)
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-fm76-w8jw-xf8m
@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source
High severity GitHub Reviewed Published Oct 3, 2024 in saltcorn/saltcorn • Updated Oct 3, 2024
Package
npm @saltcorn/plugins-loader (npm)
Affected versions
<= 1.0.0-beta.13
Patched versions
1.0.0-beta.14
Summary
When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.
Details
Relevant code from source (req.body) to sink (child_process.execSync).
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400
router.post( "/", isAdmin, error_catcher(async (req, res) => { const plugin = new Plugin(req.body); // [1] […] try { await load_plugins.loadAndSaveNewPlugin( // [3] plugin, schema === db.connectObj.default_schema || plugin.source === “github” ); […] } }) );
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44
class Plugin { […] constructor(o: PluginCfg | PluginPack | Plugin) { […] this.name = o.name; // [2] […] }
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65
const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => { […] const loader = new PluginInstaller(plugin); // [4] const res = await loader.install(force); // [7] […] };
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61
class PluginInstaller { constructor(plugin, opts = {}) { […] const tokens = plugin.source === “npm” ? plugin.location.split(“/”) : plugin.name.split(“/”); // [5] […] this.tempDir = join(this.tempRootFolder, "temp_install", …tokens); // [6] […] }
async install(force) { […] if (await this.prepPluginsFolder(force, pckJSON)) { // [8] […] }
async prepPluginsFolder(force, pckJSON) { […] switch (this.plugin.source) { […] case "git": if (force || !(await pathExists(this.pluginDir))) { await gitPullOrClone(this.plugin, this.tempDir); // [9] […] }
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112
const gitPullOrClone = async (plugin, pluginDir) => { […] if (fs.existsSync(pluginDir)) { execSync(`git ${setKey} -C ${pluginDir} pull`); } else { execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10] } […] };
PoC
check that the file will be created by the command echo "hello">/tmp/HACKED does not exists:
cat /tmp/HACKED cat: /tmp/HACKED: No such file or directory
login with an admin account
visit http://localhost:3000/plugins/new
enter the following fields:
- Name: ;echo "hello">/tmp/HACKED
- Source: git
- other fields blank
click Create
you will get an error saying ENOENT: no such file or directory, … but the command touch /tmp/HACKED will be executed
to verify:
cat /tmp/HACKED hello
Impact
Remote code execution
Recommended Mitigation
Sanitize the pluginDir value before passing to execSync. Alternatively, use child_process. execFileSync API (docs: https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options)
References
- GHSA-fm76-w8jw-xf8m
- saltcorn/saltcorn@024f19a
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400
Published to the GitHub Advisory Database
Oct 3, 2024