GHSA-fm76-w8jw-xf8m: @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source
When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.
References
- github.com/advisories/GHSA-fm76-w8jw-xf8m
- github.com/saltcorn/saltcorn
- github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js
- github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js
- github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts
- github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js
- github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js
- github.com/saltcorn/saltcorn/commit/024f19a7e079913f62f4a2335ab04116ddb68192
- github.com/saltcorn/saltcorn/security/advisories/GHSA-fm76-w8jw-xf8m
Code Behaviors & Features
Detect and mitigate GHSA-fm76-w8jw-xf8m with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →