N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-j9wj-m24m-7jj6

GHSA-j9wj-m24m-7jj6: willitmerge has a Command Injection vulnerability

willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version willitmerge@0.2.1.

Resources:

Project's GitHub source code: https://github.com/shama/willitmerge/
Project's npm package: https://www.npmjs.com/package/willitmerge

Background on exploitation

Reporting a Command Injection vulnerability in willitmerge npm package.

A security vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concateanes user input, whether provided to the command-line flag, or is in user control in the target repository.

Exploit

POC 1

Install willitmerge
Run it with the following command

willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"

Confirm the file /tmp/hel is created on disk

GitHub-sourced attack vector

Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command:

  var cmds = [
    'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
    'git remote add ' + branch + ' ' + gitUrl,
    'git pull ' + branch + ' ' + iss.head.ref,
    'git reset --merge HEAD',
    'git checkout ' + origBranch,
    'git branch -D ' + branch,
    'git remote rm ' + branch
  ];

Users creating malicious branch names such as ;{echo,hello,world}>/tmp/c

This is a similar attack vector to that which was reported for the [pullit vulnerability (https://security.snyk.io/vuln/npm:pullit:20180214)

Author

Liran Tal

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-j9wj-m24m-7jj6

GHSA-j9wj-m24m-7jj6:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
willitmerge	npm	<= 0.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The command injection vulnerability in willitmerge is caused by the insecure construction and execution of shell commands. The analysis of lib/willitmerge.js reveals two key functions involved in the vulnerability.

First, the willitmerge.testIssue function assembles an array of git commands. It does this by concatenating strings with data that can be controlled by a user, such as the --remote command-line option (that.options.remote) and metadata from a GitHub pull request, including branch names (iss.base.ref, iss.head.ref). An attacker can craft a malicious branch name or a --remote value containing shell metacharacters (e.g., ;, &&, ||) to inject arbitrary commands.

Second, the execSeries function receives this array of command strings and executes each one sequentially using child_process.exec. The exec function spawns a shell and executes the command within it, making it a well-known sink for command injection vulnerabilities when used with untrusted input. Therefore, execSeries is the function that directly triggers the execution of the injected commands.

During exploitation, a runtime profile would show willitmerge.testIssue being called to prepare the malicious commands, followed by a call to execSeries, which would then invoke the vulnerable exec call.

Vulnerable functions

willitmerge.testIssue

lib/willitmerge.js

This function constructs a series of shell commands by directly concatenating user-controllable input from command-line options (that.options.remote) and pull request data (iss.base.ref, iss.head.ref, gitUrl). These unsanitized inputs are then passed to be executed, leading to command injection.

execSeries

lib/willitmerge.js

This function is the sink for the vulnerability. It takes an array of command strings and executes each one using `child_process.exec`. It directly executes the malicious commands constructed in `willitmerge.testIssue`, triggering the command injection.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-j9wj-m24m-7jj6: willitmerge has a Command Injection vulnerability

Background on exploitation

Exploit

POC 1

GitHub-sourced attack vector

Author

GHSA-j9wj-m24m-7jj6:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

GHSA-j9wj-m24m-7jj6: willitmerge has a Command Injection vulnerability

Background on exploitation

Exploit

POC 1

GitHub-sourced attack vector

Author

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI