7.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-fm76-w8jw-xf8m

EPSS Score

CWE

CWE-78

Published

10/3/2024

Updated

10/4/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-fm76-w8jw-xf8m

GHSA-fm76-w8jw-xf8m: @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source

Summary

When creating a new plugin using the git source, the user-controlled value req.body.name is used to build the plugin directory where the location will be cloned. The API used to execute the git clone command with the user-controlled data is child_process.execSync. Since the user-controlled data is not validated, a user with admin permission can add escaping characters and execute arbitrary commands, leading to a command injection vulnerability.

Details

Relevant code from source (req.body) to sink (child_process.execSync).

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/plugins.js#L1400

router.post(
  "/",
  isAdmin,
  error_catcher(async (req, res) => {
    const plugin = new Plugin(req.body); // [1] 
      [...]
      try {
        await load_plugins.loadAndSaveNewPlugin( // [3] 
          plugin,
          schema === db.connectObj.default_schema || plugin.source === "github"
        );
        [...]
    }
  })
);

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/saltcorn-data/models/plugin.ts#L44

class Plugin {
  [...]
  constructor(o: PluginCfg | PluginPack | Plugin) {
    [...]
    this.name = o.name; // [2] 
    [...]
}

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/load_plugins.js#L64-L65

const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
  [...]
  const loader = new PluginInstaller(plugin); // [4] 
  const res = await loader.install(force); // [7] 
  [...]
};

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L41-L61

class PluginInstaller {
  constructor(plugin, opts = {}) {
    [...]
    const tokens =
      plugin.source === "npm"
        ? plugin.location.split("/")
        : plugin.name.split("/"); // [5] 
    [...]
    this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [6] 
    [...]
  }

  
  async install(force) {
    [...]
    if (await this.prepPluginsFolder(force, pckJSON)) { // [8] 
    [...]
  }

  async prepPluginsFolder(force, pckJSON) {
    [...]
    switch (this.plugin.source) {
      [...]
      case "git":
        if (force || !(await pathExists(this.pluginDir))) { 
          await gitPullOrClone(this.plugin, this.tempDir); // [9] 
	  [...]
  }

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/download_utils.js#L112

const gitPullOrClone = async (plugin, pluginDir) => {
  [...]
  if (fs.existsSync(pluginDir)) {
    execSync(`git ${setKey} -C ${pluginDir} pull`);
  } else {
    execSync(`git ${setKey} clone ${plugin.location} ${pluginDir}`); // [10] 
  }
  [...]
};

PoC

check that the file will be created by the command echo "hello">/tmp/HACKED does not exists:

cat /tmp/HACKED
cat: /tmp/HACKED: No such file or directory

login with an admin account
visit http://localhost:3000/plugins/new
enter the following fields:
- Name: ;echo "hello">/tmp/HACKED
- Source: git
- other fields blank
click Create
you will get an error saying ENOENT: no such file or directory, .... but the command touch /tmp/HACKED will be executed
to verify:

cat /tmp/HACKED
hello

Impact

Remote code execution

Recommended Mitigation

Sanitize the pluginDir value before passing to execSync. Alternatively, use child_process. execFileSync API (docs: https://nodejs.org/api/child_process.html#child_processexecfilesyncfile-args-options)

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-fm76-w8jw-xf8m

EPSS Score

CWE

CWE-78

Published

10/3/2024

Updated

10/4/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@saltcorn/plugins-loader	npm	<= 1.0.0-beta.13	1.0.0-beta.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain starts with user-controlled plugin.name being used in PluginInstaller to construct directory paths. When the source is 'git', these unsanitized paths are passed to gitPullOrClone which uses execSync with string interpolation. The combination of: 1) user input flowing into command arguments without validation, 2) use of execSync which executes in a shell context, and 3) lack of proper sanitization of plugin.name containing special characters, allows command injection. The patch confirms this by replacing execSync with execFileSync and proper argument handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n *r**tin* * n*w plu*in usin* t** `*it` sour**, t** us*r-*ontroll** v*lu* `r*q.*o*y.n*m*` is us** to *uil* t** plu*in *ir**tory w**r* t** lo**tion will ** *lon**. T** *PI us** to *x**ut* t** `*it *lon*` *omm*n* wit* t** us*r-*ontroll*

Reasoning

T** vuln*r**ility ***in st*rts wit* us*r-*ontroll** `plu*in.n*m*` **in* us** in `Plu*inInst*ll*r` to *onstru*t *ir**tory p*t*s. W**n t** sour** is '*it', t**s* uns*nitiz** p*t*s *r* p*ss** to `*itPullOr*lon*` w*i** us*s `*x**Syn*` wit* strin* int*rpo

7.2

Basic Information

Concerned about an active attack path?

GHSA-fm76-w8jw-xf8m: @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source

Summary

Details

PoC

Impact

Recommended Mitigation

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI