eeymoo/nvm
1
0
Fork 0
mirror of https://github.com/nvm-sh/nvm.git synced 2026-06-07 14:57:09 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[Fix] nvm_get_checksum: pass the tarball name to awk as data, not program text

Browse Source 
The awk program string-interpolated the slug
(which embeds the untrusted, mirror-supplied version)
into its source, so a crafted version such as
`v1"==$2){system("touch${IFS}/tmp/x")}#`
was executed by awk's `system()`.
Pass the value via `-v tarball=...` so awk treats it as data and never as code.

See GHSA-3c52-35h2-gfmm
(a second injection sink fed by the same untrusted version field that `nvm_download`'s eval was; the source-install path reaches this during a normal `nvm install <version>`).
This commit is contained in:
Jordan Harband
2026-06-03 13:11:26 -07:00
parent 6d870d182c
commit 90bb88748b
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nvm.sh
View File

@@ -1927,7 +1927,7 @@ nvm_get_checksum() {
SHASUMS_URL="${MIRROR}/${3}/SHASUMS.txt"
fi
nvm_download -L -s "${SHASUMS_URL}" -o - | command awk "{ if (\"${4}.${5}\" == \$2) print \$1}"
nvm_download -L -s "${SHASUMS_URL}" -o - | command awk -v tarball="${4}.${5}" '{ if (tarball == $2) print $1 }'
}
nvm_print_versions() {