@conventional-changelog/git-client Argument Injection Vulnerability
Vulnerability
A vulnerability allowing argument injection has been identified in the @conventional-changelog/git-client library, prior to version 2.0.0. The issue arises in the getTags() API, which permits the caller to pass additional parameters through to the git log command. Unlike the getRawCommits() API, which handles extra parameters securely by appending the special syntax that terminates the git log command's option list, the getTags() API performs no input sanitization, validation, or restriction to an allow list. Consequently, a caller can exploit this vulnerability by injecting arguments that overwrite arbitrary files via the --output= option, potentially compromising sensitive files such as .env or critical system configuration files if the application runs with root privileges.
Impact
Exploitation of this vulnerability allows for arbitrary file overwriting on the disk. This could include sensitive files like .env or critical system files in /etc if the application is executed as the root user.
Reproduction
To reproduce this vulnerability, install @conventional-changelog/git-client version 1.0.1 or earlier. Prepare a Git directory to be used as the source. Then, create a script that imports the GitClient from the @conventional-changelog/git-client package. In the script, initialize the GitClient with the path to the Git directory and pass a parameter to the getTags() method that includes the --output= option followed by the path of a file to be created or overwritten. When the script is executed, it will inject the argument through the getTags() API, exploiting the vulnerability by overwriting the specified file.
Remediation
Users can update to @conventional-changelog/git-client version 2.0.0 or later, where this vulnerability has been patched.