git-commiters Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in the git-commiters Node.js module prior to version 0.1.2. The issue lies in the main exported API, gitCommiters(options, callback), which accepts user-specified options such as cwd (the working directory) and revisionRange (a revision pointer such as HEAD). The library neither sanitizes these values nor uses a process execution API that separates the command from its arguments, so uncontrolled user input is concatenated into the command string that is executed.

Impact

Exploitation of this vulnerability allows for command injection, where an attacker can execute arbitrary commands on the server running the vulnerable application.

Reproduction

To reproduce this vulnerability, install git-commiters version 0.1.1 or earlier and initialize a new Git repository containing at least one commit. In that directory, create a script that requires the git-commiters module and calls gitCommiters with a revisionRange option that includes a command to be executed, such as 'touch /tmp/pwn; #'. When the script is run, the injected command is executed, demonstrating the command injection vulnerability.

Remediation

Users can upgrade to git-commiters version 0.1.2 or later to address this vulnerability.

Added: Sep 25, 2025, 2:20 PM
Updated: Sep 25, 2025, 3:44 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     7.7
relevance       0.5
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.