Fix Arbitary Code Execution

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-mrgit

⚙️ Description *

mrgit was vulnerable against arbitrary command injection cause some user supplied inputs were taken and executed with shelljs function without prior validation.
After update Arbitary Code Execution is avoided

💻 Technical Description *

Comands are executed using shelljs without sanitization, leading to Arbitrary Code Execution, missing sanitization was added

🐛 Proof of Concept (PoC) *

Install the package and run the below code:

const diff = require( './lib/commands/diff' );
diff.execute({arguments:['test; touch HACKED; #'], toolOptions:{packages:'', }, repository:{directory:''}})

It will create a file HACKED in the working directory.

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!