Disclosing a Command Injection vulnerability in willitmerge@0.2.1. The willitmerge project describes itself as a command line tool to check if pull requests are mergeable. This report is now public after responsible disclosure and outreach to the maintainer, who has not yet acknowledged the issue.
Resources:
I'm reporting a Command Injection vulnerability in the willitmerge npm package.
The vulnerability arises because the package uses the insecure child process
execution API (exec) and concatenates user input into the command string, whether
that input comes from a command-line flag or from values under user control in
the target repository.
Proof of concept via the --remote flag:

    willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"

/tmp/hel is created on disk.

Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command:
    // branch, gitUrl, iss.base.ref and iss.head.ref are concatenated directly
    // into shell command strings that are later run through exec
    var cmds = [
      'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
      'git remote add ' + branch + ' ' + gitUrl,
      'git pull ' + branch + ' ' + iss.head.ref,
      'git reset --merge HEAD',
      'git checkout ' + origBranch,
      'git branch -D ' + branch,
      'git remote rm ' + branch
    ];
Users can create malicious branch names such as ;{echo,hello,world}>/tmp/c that end up inside these command strings.
This is a similar attack vector to the one reported for the pullit vulnerability.