salsan / font-query

font-query is a Node.js package for querying the fonts available on your system.

License: MIT License

JavaScript 100.00%
font fonts linux nodejs npm-package query windows

font-query's People

Contributors: salsan, snyk-bot

font-query's Issues

ACI in font-query

Package source

Github repo

Package description

font-query is a Node.js package for querying the fonts available on your system.

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If (attacker-controlled) user input is given to the fontQuery function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.

var PUT = require('font-query');
// Payload written to break out of whichever quoting context the shell command
// line places it in (unquoted, double-quoted or single-quoted); in each branch
// the shell ends up running `touch /tmp/success`.
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
// fontQuery hands x0 to child_process exec, so /bin/sh interprets the payload.
new PUT["fontQuery"](x0)();

Environment: Node.js v15.5.0 on Linux

Steps to reproduce:

  1. npm i [email protected]
  2. Create a file, poc.js, containing the PoC code.
  3. Execute the file: node poc.js

A file called success will be created in the /tmp directory as a result of the execution of the PoC.

Mitigation

  • Consider using execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
  • If possible, consider only passing inputs to exec that match a predefined allow-list.
  • If using an allow-list is not possible, consider sanitizing inputs to exec such that they do not contain shell meta-characters such as $().

To contact

salsan [email protected]

From NodeMedic-FINE project

TypeError: Cannot read property 'trim' of undefined

This happens on version 1.1.1 under

Distributor ID: Raspbian , Description: Raspbian GNU/Linux 10 (buster) , Release: 10 , Codename: buster

Code

const fontQuery = require("font-query");
console.log(fontQuery(process.argv[2]));

Parameter passed: --v

pi@pi400:~/develop/fontQuery $ node index.js --v
/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:12
        return [arr[0].trim(), arr[1].trim()].reverse();
                                      ^

TypeError: Cannot read property 'trim' of undefined
    at /home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:12:39
    at Array.map (<anonymous>)
    at splitArr (/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:9:41)
    at fontLinux (/home/pi/develop/fontQuery/node_modules/font-query/libs/linux.js:23:11)
    at fontQuery (/home/pi/develop/fontQuery/node_modules/font-query/index.js:16:14)
    at Object.<anonymous> (/home/pi/develop/fontQuery/index.js:4:13)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
