push-dir@0.2.1 vulnerabilities

Push a directory to a remote branch

Direct Vulnerabilities

Known vulnerabilities in the push-dir package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
Command Injection (severity: H)

push-dir is a package to push the contents of a directory to a remote branch.

Affected versions of this package are vulnerable to Command Injection. The value of opt.branch is not validated before being passed to the git command at index.js#L139. An attacker who controls that value can inject arbitrary commands.

PoC by JHU System Security Lab

var root = require("push-dir");
var opt = {"branch": "& echo vulnerable > create.txt &"};
root(opt);

How to fix Command Injection?

There is no fixed version for push-dir.
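
With no fixed release, a caller can refuse unsafe values before they reach opt.branch. The following is an added example, not code from push-dir or from the advisory; validateBranch and checkedOptions are hypothetical helper names, and the character allowlist is an assumed policy that is stricter than git's own ref-name rules.

```javascript
// Caller-side check for the value that ends up in opt.branch (added example).
// Policy is a conservative subset of git's ref-name rules (assumption: your
// branch names only need letters, digits, ".", "_", "-" and "/").
const SAFE_CHARS = /^[A-Za-z0-9._\/-]+$/;

function validateBranch(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    return { ok: false, reason: "must be a non-empty string of at most 255 chars" };
  }
  if (!SAFE_CHARS.test(name)) {
    // Rejects whitespace and every shell metacharacter: & ; | $ ` < > ( ) " ' etc.
    return { ok: false, reason: "contains characters outside [A-Za-z0-9._/-]" };
  }
  if (name.startsWith("-")) {
    // A leading dash would be parsed by git as an option, not a branch.
    return { ok: false, reason: "must not start with '-'" };
  }
  if (name.includes("..") || name.includes("//")) {
    return { ok: false, reason: "must not contain '..' or '//'" };
  }
  if (name.startsWith("/") || name.endsWith("/") || name.endsWith(".")) {
    return { ok: false, reason: "must not start or end with '/' or end with '.'" };
  }
  for (const part of name.split("/")) {
    if (part.startsWith(".") || part.endsWith(".lock")) {
      return { ok: false, reason: "path component starts with '.' or ends with '.lock'" };
    }
  }
  return { ok: true, reason: null };
}

// Returns opt unchanged when opt.branch is acceptable, otherwise throws
// before the value can reach any code that builds a git command line.
function checkedOptions(opt) {
  const verdict = validateBranch(opt && opt.branch);
  if (!verdict.ok) {
    throw new Error("rejected branch name: " + verdict.reason);
  }
  return opt;
}

// Constructed sample inputs; the second is the branch value from the PoC above.
const samples = ["gh-pages", "& echo vulnerable > create.txt &", "-f", "release/1.2"];
for (const s of samples) {
  console.log(JSON.stringify(s), validateBranch(s).ok ? "accepted" : "rejected");
}
```

Call checkedOptions(opt) before handing opt to the package; only the branch field is checked here.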

Vulnerable versions: *