entropic-dev / entropic

🦝 :package: a package registry for anything, but mostly javascript 🦝 🦝 🦝

Home Page:https://discourse.entropic.dev/

possible parent path traversal in command argument

mikesamuel opened this issue · comments

Is this a feature request or a bug?

bug

Parent path traversal is often considered a security problem.
This is likely low impact if it is a security problem; the only vectors I can see are socially engineered copy/paste or postinstall hook abuse.

If an attacker can get a JS file onto the machine, they might be able to use shell injection or malicious hooks to cause entropic to load that JS file, but an attacker can usually do anything via shell access that they could by running JS in the entropic process unless entropic evolved to accept multiple commands as a long-lived, privileged process.

Actual behavior:

cmd = require(`./commands/${argv[0]}`);

entropic ../../../node_modules/prettier fails with an error like "TypeError: ... is not a function"

This works because ../../.. backs out of cli/lib/commands to the root directory for entropic.

Expected behavior:

A command passed as the zero-th argument at the command line should not cause line 21 to load a package outside the commands subdirectory. Line 21 should not load a dev dependency or a globally installed non-dependency.

Specifically, entropic ../../../node_modules/prettier should dump help info instead of potentially calling prettier's export as an async function.

Steps to replicate:

$ echo 'console.log("Hello, World")' > ./poc.js
$ entropic ../../../poc
Hello, World

Possible fix

One way to address this is to define a function isCommandArgument that uses require.resolve to convert argv[0] to a file path, then use path.relative to find a path relative to __dirname and see if the first component of that relative path is commands.

Alternatively, if there is no desire to support commands like subdir/basename in the future then main could dump help text when /[\/\\]/.test(argv[0]).

I can put together a PR if desired.

Sorry, I submitted before double-checking the repro steps and have to go afk. Will fix.

@mikesamuel great catch. I don't believe we'll ever require nested command syntax so your second proposed solution should be great. Would you like to open a PR? If not, I don't mind, just let me know.

I will prep a PR.