The maintainers of systeminformation, a popular Node.js package, have patched a bug that left applications vulnerable to command injection attacks.
Systeminformation provides dozens of functions for retrieving detailed hardware, system, and operating system information from servers hosting Node.js applications.
The library has more than 850,000 weekly downloads on NPM, the main online repository for Node.js packages.
Command injection attacks happen when a malicious actor manipulates an application to send system-level commands to the host server.
For example, if a function inserts user input strings into system commands without sanitizing them, malicious actors might be able to exploit the loophole to cause the function to execute arbitrary system-level commands.
Edge case
In general, systeminformation is not meant to be used in conjunction with user input, Sebastian Hildebrandt, the maintainer of the software, told The Daily Swig.
“Systeminformation is a package intended to be used at the backend. What I personally was expecting was that developers use this package carefully,” he said.
But Hildebrandt added that there are some use cases where developers open some of the library’s functions to their end users, making it possible to pass parameters that will then be forwarded to the systeminformation package.
“The systeminformation package comes with a set of sanitizing functions to provide a basic parameter check, but of course I am not aware of the context the package is used in,” Hildebrandt said.
‘Improper parameter checking’
Four functions in systeminformation were found to be vulnerable to command injection.
According to Hildebrandt, the vulnerability was caused by a special case of improper parameter checking and array sanitization.
“If the input was not sanitized and users had the possibility to pass a JavaScript array as a parameter to the given functions, this could lead to executing malicious code like [a denial of service (DoS)] on the machine where systeminformation is running,” he said.
String input is not affected by the bug.
The vulnerability – classified as ‘moderate’ on GitHub – was fixed in the latest version of systeminformation. The maintainers advise all developers to upgrade their version of the package.
They have also provided the names of the functions for which developers should perform manual sanitization of parameters, a workaround check for cases where they can’t readily upgrade to the latest version of systeminformation.
The bug was discovered by a user of the systeminformation package, Hildebrandt said.
“For me as a developer (and also user of other packages), I am happy to see that other developers help to make packages more secure,” he concluded.
Source: https://portswigger.net/daily-swig/popular-node-js-package-vulnerable-to-command-injection-attacks