Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

chore(deps): update dependency standard-version to v8.0.1 [security] #22

Merged
merged 1 commit into from
Aug 10, 2020
Merged

chore(deps): update dependency standard-version to v8.0.1 [security] #22

merged 1 commit into from
Aug 10, 2020

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 13, 2020

This PR contains the following updates:

Package Type Update Change
standard-version devDependencies patch 8.0.0 -> 8.0.1

GitHub Vulnerability Alerts

GHSA-7xcx-6wjh-7xp2

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"

Now create a file with the following contents:

var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');

const standardVersion = require('standard-version')

standardVersion({
  noVerify: true,
  infile: 'foo.txt',
  releaseCommitMessageFormat: "bla `touch exploit`"
})

and run it:

node test.js

Notice that a file named exploit has been created.

This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version project here.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Remediation

We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile instead of child_process.exec.

Credit

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-111 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

Release Notes

conventional-changelog/standard-version

v8.0.1

Compare Source

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-standard-version-vulnerability branch from 33d2652 to 773c657 Compare August 10, 2020 07:00
@exreplay exreplay merged commit 846bb10 into development Aug 10, 2020
@exreplay exreplay deleted the renovate/npm-standard-version-vulnerability branch August 10, 2020 07:02
exreplay added a commit that referenced this pull request Aug 21, 2020
@exreplay @renovate @renovate-bot
merge development into master (#32)
0c42cee 
* docs: updated docs

* added codecov to test

* Add .circleci/config.yml (#16)

* docs: updated circle ci badge

* updated changelog

* revert: revert version back to 1.3.0

* refactor: remove purgecss config (#18)

BREAKING CHANGE: since tailwind version 1.4.0 there is purge integrated and the purgecss aver plugin is not needed anymore.

* refactor: removed purgecss config

* refactor: updated tailwind config template and enable purge

* docs: removed defaultExtractor docs

* chore(release): 2.0.0

* updated changelog

* chore(release): 2.0.1

* updated readme

* chore(deps): update dependency commitlint to v9 (#21)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update dependency codecov to v3.7.1 [security] (#26)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update dependency lodash to v4.17.19 [security] (#27)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update dependency standard-version to v8.0.1 [security] (#22)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix: check if cache dir exists and create it if not

* chore(deps): update all non-major dependencies (#19)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(release): 2.1.0

* updated changelog

* added group for tailwind

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Renovate Bot <bot@renovateapp.com>
@exreplay exreplay mentioned this pull request Aug 21, 2020
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@exreplay @renovate-bot