mirror of
https://github.com/nvm-sh/nvm.git
synced 2026-06-06 14:27:10 +08:00
90bb88748b
The awk program string-interpolated the slug
(which embeds the untrusted, mirror-supplied version)
into its source, so a crafted version such as
`v1"==$2){system("touch${IFS}/tmp/x")}#`
was executed by awk's `system()`.
Pass the value via `-v tarball=...` so awk treats it as data and never as code.
See GHSA-3c52-35h2-gfmm
(a second injection sink fed by the same untrusted version field that `nvm_download`'s eval was; the source-install path reaches this during a normal `nvm install <version>`).
29 lines
967 B
Bash
Executable File
29 lines
967 B
Bash
Executable File
#!/bin/sh
|
|
|
|
WORK="${TMPDIR:-/tmp}/nvm_get_checksum_awk.$$"
|
|
PROOF="${WORK}/PWNED"
|
|
|
|
cleanup () {
|
|
unset -f die cleanup nvm_download
|
|
rm -rf "${WORK}"
|
|
}
|
|
die () { echo "$@" ; cleanup ; exit 1; }
|
|
|
|
\. ../../../nvm.sh
|
|
|
|
mkdir -p "${WORK}"
|
|
|
|
# GHSA-3c52-35h2-gfmm: nvm_get_checksum must treat the (untrusted, version-derived)
|
|
# slug as awk data, never as awk program text.
|
|
# given a crafted slug carrying an unconditional awk system() action
|
|
# and a mock that supplies one SHASUMS record (so such an action would fire)
|
|
nvm_download () { printf 'deadbeef sometarball\n'; }
|
|
# when nvm_get_checksum runs with that slug as its 4th argument
|
|
rm -f "${PROOF}"
|
|
nvm_get_checksum node std v1 'x" == $2) print $1} {system("touch${IFS}'"$PROOF"'")} #' tar.gz >/dev/null 2>&1
|
|
# then the injected awk code must not execute
|
|
[ ! -e "${PROOF}" ] || die 'awk injection fires in nvm_get_checksum (slug interpolated into awk program text)'
|
|
|
|
cleanup
|
|
echo 'nvm_get_checksum awk injection: passed'
|