惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
V
V2EX
博客园_首页
Engineering at Meta
Engineering at Meta
博客园 - 聂微东
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
H
Help Net Security
A
About on SuperTechFans
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 司徒正美
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
T
Troy Hunt's Blog
T
Tenable Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recorded Future
Recorded Future
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog
T
Threat Research - Cisco Blogs
MyScale Blog
MyScale Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The GitHub Blog
The GitHub Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package
2023-10-16 · via NodeJS Security & NodeJS Secure Coding's Blog

Argument injection vulnerabilities are a serious threat all Node.js developers need to be aware of. These injection attacks allow malicious users to inject unintended options and arguments into commands run on your server.

This blog post will explore an argument injection vulnerability recently disclosed in the blamer npm package and discuss best practices for avoiding similar issues.

We discuss how simple validation and sanitation of arguments can prevent such attacks. Follow at the end of this blog post for security best practices, such as using parameters instead of concatenation, prefixing arguments with -- to prevent them from being interpreted as flags, and running commands with least privilege.

What is Argument Injection?

Argument injection is a type of attack related to command injection vulnerabilities. It occurs when user-supplied input is passed unchecked into commands executed by an application. Attackers can craft malicious arguments that exploit flaws in how the command parses input.

For example, consider a Node.js application that runs the Linux grep command to search log files:

const searchTerm = req.query.search;

const cmd = `grep ${searchTerm} /var/log/myapp.log`;

exec(cmd);

This code is vulnerable to argument injection. How exactly? An attacker could provide input like --help to trigger the help output for grep rather than searching. Even worse, they could specify arguments like --output=myfile.txt to write arbitrary files on the server.

Of course, the above example is a bit contrived and is vulnerable to a general case of command injection vulnerabilities, such as by providing user-supplied input such as ; touch /tmp/pwn. However, it illustrates how dangerous unvalidated arguments can be. Regardless, always be wary of passing unsanitized user input into sensitive commands.

Real-World Argument Injection Example: blamer npm package

The vulnerability discussed in this post was discovered in the blamer npm package. Blamer is a tool for displaying Git blame information and code authorship details.

According to its description:

Blamer is a tool for get information about author of code from version control system. Supports git and subversion.

The blamer npm package is still quite popular, with over 50,000 weekly downloads at the time of writing. It serves as a useful utility for many developers using Git. Understanding the context and popularity of the affected package demonstrates how security issues in widely used tools can have broad impact across many applications and users.

Snyk Advisor package health for blamer npm package

This npm package provides a simple API for running git blame on a given file path and returning the blame information as structured JSON data.

For example:

const blamer = require('blamer');

const result = await blamer.blameByFile('index.js')

On June 22nd, 2023, I disclosed an argument injection flaw in the blamer npm package identified as CVE-2023-26143.

However, this library failed to properly sanitize the file path passed to git blame. By exploiting the --output option, attackers could overwrite arbitrary files on the system.

Let’s reproduce this vulnerability locally to see how it works:

  1. Install the blamer npm package:
  1. Initialize a new Git repository and create a file to blame:

git init

echo "Hello World" > index.js

  1. Run the blamer npm package to blame the file and write the following Node.js script:

// you might need to set `type: module` in `package.json`

// if you're running this as a Node.js script initialized

// in an npm project

import Blamer from "blamer";

const blamer = new Blamer.default("git");

async function main() {

const file = "--output=/tmp/r2d2";

const result = await blamer.blameByFile(file);

console.log("Blame json: %j", result);

}

main();

  1. Finally, observe the new file created at /tmp/r2d2

This demonstrates how dangerous unvalidated command-line arguments can be. Always be wary of passing unsanitized user input into sensitive system APIs such as Node.js core child_process module that handles system processes.

The good news is that the blamer npm package maintainer responded to the vulnerability report and released a patched version. The fix was introduced in version 1.0.4 of the blamer npm package, which is now safe to use. Thank you Andrey Kucherenko ❤️

Best Practices to Mitigate Argument Injection Vulnerabilities

Here are some tips for writing secure code that avoids argument injection vulnerabilities:

  • Validate and sanitize any user input before passing it to a command. Strip dangerous characters and whitelist allowed values.

  • Use parameters instead of string concatenation when building commands. Many command libraries support parameterization to avoid injection.

  • Pass arguments individually rather than a full command string. This helps avoid unintended parsing and gives more control.

  • Prefix arguments with -- to indicate the end of options. This prevents arguments from being interpreted as command flags/options.

  • Run commands with lowest privileges possible. Use users with restricted permissions to limit potential impact.

  • Upgrade dependencies promptly to get fixed versions that address known vulnerabilities.

Following security best practices like these will help write more robust code free of injection issues. Be especially careful when working with potentially dangerous commands like git, grep, ssh, and others. Preventing vulnerabilities like the one in blamer is important for building secure Node.js applications.


Want to secure your Node.js apps like a pro? Get Liran Tal’s indispensable book Node.js Secure Coding and master battle-tested techniques to lock down your code against injection attacks and other exploits. Don’t leave your apps at risk - skill up on Node.js security today.