Merge pull request #9 from EffectRenan/master

Fix Improper Input Validation

CHANGELOG.md

@@ -77,6 +77,14 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
 
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
+| 5.6.10         | 2021-03-29     | `vboxInfo()` fixed windows bug |
+| 5.6.9          | 2021-03-28     | `graphics()` fixed nvidia-smi compare bug |
+| 5.6.8          | 2021-03-22     | typescript definitions fix `wifiInterfces()`, `wifiConnections()` |
+| 5.6.7          | 2021-03-16     | `inetLatency()` `ineChecksite()` schema validation |
+| 5.6.6          | 2021-03-16     | code refactoring |
+| 5.6.5          | 2021-03-15     | `cpuTemperature()` fix (linux) |
+| 5.6.4          | 2021-03-15     | `sanitizeShellString()` and other security improvements |
+| 5.6.3          | 2021-03-14     | `sanitizeShellString()` improvement |
 | 5.6.2          | 2021-03-10     | `networkInterfaces()` `cpu()` improvement (win) |
 | 5.6.1          | 2021-03-03     | `get()` fixed issue boolean parameters |
 | 5.6.0          | 2021-03-03     | `cpuTemperature()` added socket and chipset temp (linux) |

README.md

@@ -360,9 +360,9 @@ Full function reference with examples can be found at [https://systeminformation
 | si.fullLoad(cb) | : integer | X |  | X | X |  | CPU full load since bootup in % |
 | si.processes(cb) | {...} | X | X | X | X | X | # running processes |
 | | all | X | X | X | X | X | # of all processes |
-| | running | X | X | X | X | X | # of all processes running |
-| | blocked | X | X | X | X | X | # of all processes blocked |
-| | sleeping | X | X | X | X | X | # of all processes sleeping |
+| | running | X | X | X |  | X | # of all processes running |
+| | blocked | X | X | X |  | X | # of all processes blocked |
+| | sleeping | X | X | X |  | X | # of all processes sleeping |
 | | unknown |   |   |   | X |  | # of all processes unknown status |
 | | list[] | X | X | X | X | X | list of all processes incl. details |
 | | ...[0].pid | X | X | X | X | X | process PID |

docs/history.html

@@ -56,6 +56,46 @@ <h3>Full version history</h3>
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">5.6.10</th>
+                    <td>2021-03-29</td>
+                    <td><span class="code">vboxInfo()</span> fixed windows bug</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.9</th>
+                    <td>2021-03-28</td>
+                    <td><span class="code">graphics()</span> fixed nvidia-smi compare bug</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.8</th>
+                    <td>2021-03-23</td>
+                    <td>typescript definitions fix wifiInterfces, wifiConnections</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.7</th>
+                    <td>2021-03-16</td>
+                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> schema avlidation</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.6</th>
+                    <td>2021-03-16</td>
+                    <td>code refactoring</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.5</th>
+                    <td>2021-03-15</td>
+                    <td><span class="code">cpuTemperature()</span> fix linux</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.4</th>
+                    <td>2021-03-15</td>
+                    <td><span class="code">sanitizeShellString()</span> and other security improvements</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">5.6.3</th>
+                    <td>2021-03-14</td>
+                    <td><span class="code">sanitizeShellString()</span> improvements</td>
+                  </tr>
                   <tr>
                     <th scope="row">5.6.2</th>
                     <td>2021-03-10</td>

docs/index.html

@@ -166,11 +166,11 @@
 <body>
   <header class="bg-image-full">
     <div class="top-container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.2</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.6.4</a>
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation</div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>
-      <div class="version">New Version: <span id="version">5.6.2</span></div>
+      <div class="version">New Version: <span id="version">5.6.10</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">
@@ -192,6 +192,8 @@
           <a href="https://lgtm.com/projects/g/sebhildebrandt/systeminformation/alerts" rel="nofollow"><img src="https://camo.githubusercontent.com/66428127fdde80fc8247a0c1df4c651f3a6b1c0a/68747470733a2f2f696d672e736869656c64732e696f2f6c67746d2f616c657274732f672f73656268696c64656272616e64742f73797374656d696e666f726d6174696f6e2e7376673f7374796c653d666c61742d737175617265" alt="Total alerts" data-canonical-src="https://img.shields.io/lgtm/alerts/g/sebhildebrandt/systeminformation.svg?style=flat-square" style="max-width:100%;"></a>
           <a href="https://github.com/sebhildebrandt/systeminformation/blob/master/LICENSE"><img src="https://camo.githubusercontent.com/4b5966a2a252ee0f241a1e03b13417178eb4964f/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4d49542d626c75652e7376673f7374796c653d666c61742d737175617265" alt="MIT license" data-canonical-src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" style="max-width:100%;"></a>
         </div>
+        <div class="text larger"><span class="warning">Security issues:</span> Please have a look at our <a href="../security.html">security advisories</a>.</div>
+
       </div>
     </div>
     <div class="row justify-content-center sectionheader index">
@@ -201,15 +203,15 @@
     </div>
     <div class="row number-section">
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">14,185</div>
+        <div class="numbers">14,225</div>
         <div class="title">Lines of code</div>
       </div>
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
         <div id="downloads" class="numbers">...</div>
         <div class="title">Downloads last month</div>
       </div>
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">395</div>
+        <div class="numbers">407</div>
         <div class="title">Dependents</div>
       </div>
     </div>
@@ -345,7 +347,7 @@
     <div class="row">
       <div class="col-12 sectionheader index">
         <div class="title-small">Issues</div>
-        <div class="text"><span class="bold">Security issues</span>: Please have a look at our <a href="security.html">security advisories</a></div>
+        <div class="text"><span class="warning">Security issues:</span> We highly recomment to have a look at our <a href="security.html">security advisories</a></div>
         <div class="text"><span class="bold">Having an issue</span>: If you run into problems, please check out <a href="issues.html">known issues page</a> first.<br>If you still have problems, please feel free to open an issue on our <a href="https://github.com/sebhildebrandt/systeminformation/issues">github page</a></div>
       </div>
     </div>

docs/processes.html

@@ -242,7 +242,7 @@ <h5>Example</h5>
                     <td>X</td>
                     <td>X</td>
                     <td>X</td>
-                    <td>X</td>
+                    <td></td>
                     <td>X</td>
                     <td># of all processes running</td>
                   </tr>
@@ -252,7 +252,7 @@ <h5>Example</h5>
                     <td>X</td>
                     <td>X</td>
                     <td>X</td>
-                    <td>X</td>
+                    <td></td>
                     <td>X</td>
                     <td># of all processes blocked</td>
                   </tr>
@@ -262,7 +262,7 @@ <h5>Example</h5>
                     <td>X</td>
                     <td>X</td>
                     <td>X</td>
-                    <td>X</td>
+                    <td></td>
                     <td>X</td>
                     <td># of all processes sleeping</td>
                   </tr>

docs/security.html

@@ -43,6 +43,28 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>Passing User Paramters to Systeminformation</h2>
+              <p>For most of the applications that are using <span class="code">systeminformation</span>, there is no reason to worry. <span class="bold">But be aware!</span> If you are using <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!</p>
+              <p class="warning">This can lead to serious impact on your servers!</p>
+              <p>We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and run <span class="code">npm install</span></p>
+
+              <h2>Command Injection Vulnerability</h2>
+              <p><span class="bold">Affected versions:</span>
+                &lt; 5.6.4 and &lt; 4.34.17<br>
+                <span class="bold">Date:</span> 2021-03-15<br>
+                <span class="bold">CVE indentifier</span> CVE-2021-21388
+              </p>
+
+              <h4>Impact</h4>
+              <p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.4 (or >= 4.34.17 if you are using version 4).</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
+              <hr>
+              <br>
               <h2>Insufficient File Scheme Validation</h2>
               <p><span class="bold">Affected versions:</span>
                 &lt; 5.3.2 and &lt; 4.34.12<br>