Cloud CLI Shell Command Injection Vulnerability in Git User Configuration Endpoint
Vulnerability
A shell command injection vulnerability has been identified in Cloud CLI versions prior to 1.24.0. The '/api/user/git-config' endpoint builds shell commands by interpolating the user-supplied 'gitName' and 'gitEmail' values into command strings that are run through 'child_process.exec()', which always invokes a shell. The values are wrapped in double quotes and only the double-quote character is escaped, which is not sufficient: inside double quotes the shell still performs command substitution ('$(...)' and backticks), and a backslash supplied by the attacker can neutralise the backslash the escaper inserts before a quote, so the quoted string can be closed early and the remainder of the value runs as a separate command. As a result, authenticated attackers can execute arbitrary operating system commands through the git configuration endpoint. This vulnerability has been patched in version 1.24.0.
Impact
Exploitation of this vulnerability allows remote code execution on the server; injected commands run with the privileges of the user that owns the Node.js process. In addition, because the endpoint runs 'git config --global', a successful request also rewrites that user's global git configuration and so affects every subsequent git operation performed under that account. Combined with a separate vulnerability that bypasses authentication, this could lead to unauthenticated remote code execution.
Reproduction
To reproduce this vulnerability, send an authenticated POST request to the '/api/user/git-config' endpoint (the reproduction uses a forged JSON Web Token (JWT) for this) whose JSON body carries a 'gitName' value containing shell metacharacters, such as a '$(...)' command substitution. The server runs the injected command while applying the git configuration.
Remediation
The vulnerability has been fixed in Cloud CLI version 1.24.0; users should update to that version. The patch replaces 'exec()' with 'spawn()', passing the git subcommand and the user-supplied values as separate argv entries. Because 'spawn()' does not involve a shell unless the 'shell' option is set, each value reaches git as one literal argument and shell metacharacters in it are never interpreted. The same fix would be undone by 'spawn(..., { shell: true })' or by joining the arguments back into a single command string.
