huntr-helper opened a new pull request #37: URL: https://github.com/apache/cordova-serve/pull/37
https://huntr.dev/app/users/Hbkhan has fixed the Remote Code Execution vulnerability 🔨. Hbkhan has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this? Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/cordova-serve/pull/2 |
| GitHub Issue URL | https://github.com/apache/cordova-serve/issues/36 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/cordova-serve/1/README.md |

### User Comments:

### 📊 Metadata

* _Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker._

#### Bounty URL:

https://www.huntr.dev/app/bounties/open/1-npm-cordova-serve

### ⚙️ Description

* The cordova-serve module suffers from remote code execution caused by the lack of validating `dataDir` & `URL` input arguments before executing the command in [#L89](https://github.com/apache/cordova-serve/blob/bbe740cd70dc31f91537864b39a8569d394205f0/src/browser.js#L89). The proposed fix will add a check for both inputs.

### 💻 Technical Description

* According to cordova-serve documentation, `dataDir` & `URL` are described as:

  _dataDir - a data dir to provide to Chrome (can be used to force it to open in a new window)_

  _url - the url to open in the browser_

  Types of the parameters:

  ```javascript
  @param url: string, dataDir: string
  ```

  For the `dataDir` input I added a regex check which will make sure that the input doesn't contain any illegal character (which can result in RCE). If the validation fails it will print an error message.

  For the `URL` input I simply used the `encodeURI` function, which will encode the input as a URL and give it to Chrome. If any extra command were added, it will still be considered as a part of the URL.

### 🐛 Proof of Concept (PoC)

* ```shell
  node poc.js
  ```

  ```javascript
  // poc.js
  const cordovaServe = require('./src/main.js');
  var server = cordovaServe();
  cordovaServe.launchBrowser({ target: "chrome", url: "http://localhost", dataDir: "; touch hbkhan" }).then(
      stdout => { console.log(`Browser was launched successfully: ${stdout}`); },
      error => { console.log(`An error occurred: ${error}`); }
  );
  ```

  ```shell
  node poc2.js
  ```

  ```javascript
  // poc2.js
  const cordovaServe = require('./src/main.js');
  var server = cordovaServe();
  cordovaServe.launchBrowser({ target: "chrome", url: "http://localhost; touch hbkhan", dataDir: "" }).then(
      stdout => { console.log(`Browser was launched successfully: ${stdout}`); },
      error => { console.log(`An error occurred: ${error}`); }
  );
  ```

### 🔥 Proof of Fix (PoF)

* ```shell
  node poc.js
  ```

  ```javascript
  // poc.js
  const cordovaServe = require('./src/main.js');
  var server = cordovaServe();
  cordovaServe.launchBrowser({ target: "chrome", url: "http://localhost", dataDir: "; touch hbkhan" }).then(
      stdout => { console.log(`Browser was launched successfully: ${stdout}`); },
      error => { console.log(`An error occurred: ${error}`); }
  );
  ```

  ```javascript
  // poc2.js
  const cordovaServe = require('./src/main.js');
  var server = cordovaServe();
  cordovaServe.launchBrowser({ target: "chrome", url: "http://localhost; touch hbkhan", dataDir: "" }).then(
      stdout => { console.log(`Browser was launched successfully: ${stdout}`); },
      error => { console.log(`An error occurred: ${error}`); }
  );
  ```

### 👍 User Acceptance Testing (UAT)

```shell
w'h'o'am'i
w\ho\am\i
echo test >> test
whoami
```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
