Fix Arbitary Code Execution

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-gify

⚙️ Description *

node-gify was vulnerable against RCE and arbitrary command injection cause some user supplied inputs were taken and formatted inside the exec() function without prior validation.
After update Arbitary Code Execution is avoided by using execFile instead of exec

💻 Technical Description *

Arbitary Code Execution is avoided by using execFile() instead of exec() and passing arguments via parameters instead of composing string

🐛 Proof of Concept (PoC) *

Install the package and run the below code:

// poc.js
var gify = require("./");
gify("out.mp4\"`'; touch HACKED; #", 'out.gif\';touch HACKED; #', e => { console.log(e)});

It will create a file named HACKED in the working directory.

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally

[toufik-airane]

Awesome!

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord