git-diff-apply@0.4.1 vulnerabilities

Use an unrelated remote repository to apply a git diff

Direct Vulnerabilities

Known vulnerabilities in the git-diff-apply package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Command Injection (severity: H, i.e. High)

git-diff-apply is a package that can be used to reach an unrelated remote repository to apply a git diff.

Affected versions of this package are vulnerable to Command Injection. In the "index.js" file, line 240, the run command executes the git command with a user-controlled variable called remoteUrl, so shell metacharacters in that value are interpreted by the shell rather than passed to git verbatim.

PoC by JHU System Security Lab

// The remoteUrl option is interpolated into the shell command that runs git,
// so the "&" metacharacters make the shell run "touch Song" alongside git.
var root = require("git-diff-apply");
var attack_code = "&touch Song&";
root({ "remoteUrl": attack_code, "startTag": "none" });

How to fix Command Injection?

Upgrade git-diff-apply to version 0.22.2 or higher.

Vulnerable versions: <0.22.2