degit Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the degit package, affecting versions prior to 2.8.6 and versions from 3.0.0 up to, but not including, 3.3.1. The vulnerability arises from inadequate sanitization of the user-supplied git repository name, which is interpolated directly into a command string passed to the exec() method. Because exec() runs that string through a shell, an attacker can execute arbitrary operating system commands with the privileges of the user running the process. The issue is triggered by supplying a specially crafted repository name containing shell metacharacters, which the shell evaluates before git is ever invoked.

Impact

Exploitation of this vulnerability leads to arbitrary command execution on the host machine, with the injected commands running under the privileges of the user who invoked degit. This could allow an attacker to execute malicious scripts, manipulate files, or gain unauthorized access to sensitive information such as environment variables or configuration files.

Reproduction

The vulnerability can be reproduced by using the degit package to clone a repository while injecting a command through the repository name. This is done by crafting a src string that embeds a shell command, such as 'github.com/user$(id)/repo': because the input is not validated, the shell expands the $(id) substitution before the git command is called. The injection can be confirmed by checking for the creation of a proof file, such as 'proof.txt', that captures the output of the injected command.

Remediation

Users are advised to upgrade to degit version 2.8.6 or later on the 2.x line, or to version 3.3.1 or later on the 3.x line, where this vulnerability has been addressed.

Added: Jun 9, 2026, 6:52 AM
Updated: Jun 9, 2026, 6:52 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.