salsan / font-query
font-query is a Node.js package for querying the fonts available on your system.
License: MIT License
Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]). If (attacker-controlled) user input is given to the fontQuery function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on. This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].
[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.
var PUT = require('font-query');
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
new PUT["fontQuery"](x0)();
Environment: Node.js v15.5.0 on Linux
Steps to reproduce:
1. npm i [email protected]
2. Create a file poc.js containing the PoC code.
3. node poc.js
4. A file called success will be created in the /tmp directory as a result of the execution of the PoC.
Recommendations:
- Use execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
- Only pass arguments to exec that match a predefined allow-list.
- Sanitize inputs passed to exec so that they do not contain shell meta-characters such as $().
From NodeMedic-FINE project
This happens on version "1.1.1" under
Distributor ID: Raspbian , Description: Raspbian GNU/Linux 10 (buster) , Release: 10 , Codename: buster
Code
const fontQuery = require("font-query");
console.log(fontQuery(process.argv[2]));
Parameter passed: --v
pi@pi400:~/develop/fontQuery $ node index.js --v
/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:12
return [arr[0].trim(), arr[1].trim()].reverse();
^
TypeError: Cannot read property 'trim' of undefined
at /home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:12:39
at Array.map (<anonymous>)
at splitArr (/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:9:41)
at fontLinux (/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:23:11)
at fontQuery (/home/pi/develop/fontQuery/node_modules/font-query/index.js:16:14)
at Object.<anonymous> (/home/pi/develop/fontQuery/index.js:4:13)
at Module._compile (node:internal/modules/cjs/loader:1101:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)