mike/systeminformation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #6 from EffectRenan/master

Browse Source 
Fix Server-Side Request Forgery vulnerability
This commit is contained in:
huntr.dev | the place to protect open source 2021-02-20 12:54:30 +00:00 committed by GitHub
commit 0e03d7cf77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 223 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@ -72,6 +72,9 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
| Version | Date | Comment |
| -------------- | -------------- | -------- |
| 5.3.3 | 2020-02-15 | `dockerContainerStats()` fixed ID splitting |
| 5.3.2 | 2020-02-15 | `inetLatency()` `ineChecksite()` fixed possible security issue (file://) |
| 5.3.1 | 2020-02-14 | `inetLatency()` `ineChecksite()` `servcices()` `processes()` fixed possible security issue (arrays) |
| 5.3.0 | 2020-02-12 | `osInfo()` added remoteSession (windows) |
| 5.2.7 | 2020-02-12 | `fsStats()`, `blockDevices()` improved linux |
| 5.2.6 | 2020-02-12 | `inetLatency()` fixed possible DOS intrusion |

15
docs/history.html
View File

@ -56,6 +56,21 @@
</tr>
</thead>
<tbody>
<tr>
<th scope="row">5.3.3</th>
<td>2020-02-15</td>
<td><span class="code">dockerContainerStats()</span> fix correct ID splitting</td>
</tr>
<tr>
<th scope="row">5.3.2</th>
<td>2020-02-15</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
</tr>
<tr>
<th scope="row">5.3.1</th>
<td>2020-02-14</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> <span class="code">services()</span> <span class="code">processLoad()</span> fix possible security issue</td>
</tr>
<tr>
<th scope="row">5.3.0</th>
<td>2020-02-12</td>

8
docs/index.html
View File

@ -166,11 +166,11 @@
<body>
<header class="bg-image-full">
<div class="top-container">
<a href="security.html" class="recommendation">Security advisory:<br>Update to v5.2.6</a>
<a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.2</a>
<img class="logo" src="assets/logo.png">
<div class="title">systeminformation</div>
<div class="subtitle"><span id="typed"></span>&nbsp;</div>
<div class="version">New Version: <span id="version">5.3.0</span></div>
<div class="version">New Version: <span id="version">5.3.3</span></div>
<button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
</div>
<div class="down">
@ -201,7 +201,7 @@
</div>
<div class="row number-section">
<div class="col-xl-4 col-lg-4 col-md-4 col-12">
<div class="numbers">13,752</div>
<div class="numbers">13,833</div>
<div class="title">Lines of code</div>
</div>
<div class="col-xl-4 col-lg-4 col-md-4 col-12">
@ -209,7 +209,7 @@
<div class="title">Downloads last month</div>
</div>
<div class="col-xl-4 col-lg-4 col-md-4 col-12">
<div class="numbers">382</div>
<div class="numbers">387</div>
<div class="title">Dependents</div>
</div>
</div>

34
docs/security.html
View File

@ -43,6 +43,40 @@
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Insufficient File Scheme Validation</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.3.2 and &lt; 4.34.12<br>
<span class="bold">Date:</span> 2021-02-15<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).</p>
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.3.1 and &lt; 4.34.11<br>
<span class="bold">Date:</span> 2021-02-14<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).</p>
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>DOS Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.2.6 and &lt; 4.34.10<br>

2
docs/v4/gettingstarted.html
View File

@ -67,7 +67,7 @@
<p>This library is supposed to be used as a <a href="https://nodejs.org/en/" rel="nofollow">node.js</a> backend/server-side library and will definilely not work within a browser.</p>
<h2>Installation (old version 4)</h2>
<pre>$ npm install systeminformation@4 —save</pre>
<pre>$ npm install systeminformation@4 —-save</pre>
<h2>Usage</h2>
<p>All functions (except <span class="code">version</span> and <span class="code">time</span>) are implemented as asynchronous functions. Here a small example how to use them:</p>
<pre><code class="js">const si = require('systeminformation');

10
docs/v4/history.html
View File

@ -83,6 +83,16 @@
</tr>
</thead>
<tbody>
<tr>
<th scope="row">4.34.12</th>
<td>2020-02-15</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
</tr>
<tr>
<th scope="row">4.34.11</th>
<td>2020-02-14</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> <span class="code">services()</span> <span class="code">processes()</span> possible security fix</td>
</tr>
<tr>
<th scope="row">4.34.10</th>
<td>2020-02-12</td>

4
docs/v4/index.html
View File

@ -165,12 +165,12 @@
<body>
<header class="bg-image-full">
<div class="container">
<a href="security.html" class="recommendation">Security advisory:<br>Update to v4.34.10</a>
<a href="security.html" class="recommendation">Security advisory:<br>Update to v4.34.11</a>
<img class="logo" src="assets/logo.png">
<div class="title">systeminformation </div>
<div class="subtitle"><span id="typed"></span>&nbsp;</div>
<div class="version larger">Version 4 documentation</div>
<div class="version">Current Version: <span id="version">4.34.10</span></div>
<div class="version">Current Version: <span id="version">4.34.12</span></div>
<button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
</div>
<div class="down">

47
docs/v4/security.html
View File

@ -42,6 +42,40 @@
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Insufficient File Scheme Validation</h2>
<p><span class="bold">Affected versions:</span>
4.34.12<br>
<span class="bold">Date:</span> 2021-02-15<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.12 if you are using version 4.</p>
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.11<br>
<span class="bold">Date:</span> 2021-02-14<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.11 if you are using version 4.</p>
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>DOS Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.10<br>
@ -57,7 +91,8 @@
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
< 4.31.1<br>
@ -73,9 +108,9 @@
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>
<h2>command injection vulnerability - prototype pollution</h2>
<hr>
<br>
<h2>Command Injection Vulnerability - prototype pollution</h2>
<p><span class="bold">Affected versions:</span>
< 4.30.5<br>
<span class="bold">Date:</span> 2020-11-26<br>
@ -90,8 +125,8 @@
<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
< 4.27.11<br>

64
lib/docker.js
View File

@ -109,6 +109,9 @@ function dockerContainers(all, callback) {
callback = all;
all = false;
}
if (typeof all !== 'boolean' && all !== undefined) {
all = false;
}
all = all || false;
let result = [];
@ -185,16 +188,20 @@ function dockerContainers(all, callback) {
// container inspect (for one container)
function dockerContainerInspect(containerID, payload) {
containerID = containerID || '';
return new Promise((resolve) => {
process.nextTick(() => {
if (containerID) {
containerID = containerID || '';
if (typeof containerID !== 'string') {
resolve();
}
const containerIdSanitized = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerID, true)).trim();
if (containerIdSanitized) {
if (!_docker_socket) {
_docker_socket = new DockerSocket();
}
_docker_socket.getInspect(containerID.trim(), data => {
_docker_socket.getInspect(containerIdSanitized.trim(), data => {
try {
resolve({
id: payload.Id,
@ -325,19 +332,39 @@ function docker_calcBlockIO(blkio_stats) {
function dockerContainerStats(containerIDs, callback) {
let containerArray = [];
// fallback - if only callback is given
if (util.isFunction(containerIDs) && !callback) {
callback = containerIDs;
containerArray = ['*'];
} else {
containerIDs = containerIDs || '*';
containerIDs = containerIDs.trim().toLowerCase().replace(/,+/g, '|');
containerArray = containerIDs.split('|');
}
return new Promise((resolve) => {
process.nextTick(() => {
// fallback - if only callback is given
if (util.isFunction(containerIDs) && !callback) {
callback = containerIDs;
containerArray = ['*'];
} else {
containerIDs = containerIDs || '*';
if (typeof containerIDs !== 'string') {
if (callback) { callback([]); }
return resolve([]);
}
let containerIDsSanitized = '';
containerIDsSanitized.__proto__.toLowerCase = util.stringToLower;
containerIDsSanitized.__proto__.replace = util.stringReplace;
containerIDsSanitized.__proto__.trim = util.stringTrim;
const s = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerIDs, true)).trim();
for (let i = 0; i <= 2000; i++) {
if (!(s[i] === undefined)) {
s[i].__proto__.toLowerCase = util.stringToLower;
const sl = s[i].toLowerCase();
if (sl && sl[0] && !sl[1]) {
containerIDsSanitized = containerIDsSanitized + sl[0];
}
}
}
containerIDsSanitized = containerIDsSanitized.trim().toLowerCase().replace(/,+/g, '|');
containerArray = containerIDsSanitized.split('|');
}
const result = [];
const workload = [];
@ -444,17 +471,22 @@ exports.dockerContainerStats = dockerContainerStats;
// container processes (for one container)
function dockerContainerProcesses(containerID, callback) {
containerID = containerID || '';
let result = [];
return new Promise((resolve) => {
process.nextTick(() => {
if (containerID) {
containerID = containerID || '';
if (typeof containerID !== 'string') {
resolve(result);
}
const containerIdSanitized = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerID, true)).trim();
if (containerIdSanitized) {
if (!_docker_socket) {
_docker_socket = new DockerSocket();
}
_docker_socket.getProcesses(containerID, data => {
_docker_socket.getProcesses(containerIdSanitized, data => {
/**
* @namespace
* @property {Array} Titles

14
lib/internet.js
View File

@ -40,7 +40,7 @@ function inetChecksite(url, callback) {
status: 404,
ms: null
};
if (typeof url !== "string") {
if (typeof url !== 'string') {
if (callback) { callback(result); }
return resolve(result);
}
@ -58,6 +58,11 @@ function inetChecksite(url, callback) {
result.url = urlSanitized;
try {
if (urlSanitized && !util.isPrototypePolluted()) {
urlSanitized.__proto__.startsWith = util.stringStartWith;
if (urlSanitized.startsWith('file:')) {
if (callback) { callback(result); }
return resolve(result);
}
let t = Date.now();
if (_linux || _freebsd || _openbsd || _netbsd || _darwin || _sunos) {
let args = ' -I --connect-timeout 5 -m 5 ' + urlSanitized + ' 2>/dev/null | head -n 1 | cut -d " " -f2';
@ -131,7 +136,7 @@ function inetLatency(host, callback) {
return new Promise((resolve) => {
process.nextTick(() => {
if (typeof host !== "string") {
if (typeof host !== 'string') {
if (callback) { callback(null); }
return resolve(null);
}
@ -146,6 +151,11 @@ function inetLatency(host, callback) {
}
}
}
hostSanitized.__proto__.startsWith = util.stringStartWith;
if (hostSanitized.startsWith('file:')) {
if (callback) { callback(null); }
return resolve(null);
}
let params;
let filt;
if (_linux || _freebsd || _openbsd || _netbsd || _darwin) {

28
lib/network.js
View File

@ -973,19 +973,29 @@ function calcNetworkSpeed(iface, rx_bytes, tx_bytes, operstate, rx_dropped, rx_e
function networkStats(ifaces, callback) {
let ifacesArray = [];
// fallback - if only callback is given
if (util.isFunction(ifaces) && !callback) {
callback = ifaces;
ifacesArray = [getDefaultNetworkInterface()];
} else {
ifaces = ifaces || getDefaultNetworkInterface();
ifaces = ifaces.trim().toLowerCase().replace(/,+/g, '|');
ifacesArray = ifaces.split('|');
}
return new Promise((resolve) => {
process.nextTick(() => {
// fallback - if only callback is given
if (util.isFunction(ifaces) && !callback) {
callback = ifaces;
ifacesArray = [getDefaultNetworkInterface()];
} else {
if (typeof ifaces !== 'string' && ifaces !== undefined) {
if (callback) { callback([]); }
return resolve([]);
}
ifaces = ifaces || getDefaultNetworkInterface();
ifaces.__proto__.toLowerCase = util.stringToLower;
ifaces.__proto__.replace = util.stringReplace;
ifaces.__proto__.trim = util.stringTrim;
ifaces = ifaces.trim().toLowerCase().replace(/,+/g, '|');
ifacesArray = ifaces.split('|');
}
const result = [];
const workload = [];

22
lib/poc.js Normal file
View File

@ -0,0 +1,22 @@
let si = require('./internet');
si.inetChecksite([]).then((a) => {
if (a.ok == false)
console.log("inetChecksite is fixed!")
else
console.log("inetChecksite is not fixed!")
});
si.inetLatency([]).then((a) => {
if (a == null)
console.log("inetLatency is fixed!")
else
console.log("inetLatency is not fixed!")
});
si = require('./processes');
si.services([]).then((a) => {
if (typeof a == typeof [])
console.log("services is fixed!")
else
console.log("services is not fixed!")
});

9
lib/processes.js
View File

@ -99,7 +99,7 @@ function services(srv, callback) {
return new Promise((resolve) => {
process.nextTick(() => {
if (typeof srv !== "string") {
if (typeof srv !== 'string') {
if (callback) { callback([]); }
return resolve([]);
}
@ -892,6 +892,13 @@ function processLoad(proc, callback) {
return new Promise((resolve) => {
process.nextTick(() => {
proc = proc || '';
if (typeof proc !== 'string') {
if (callback) { callback([]); }
return resolve([]);
}
let processesString = '';
processesString.__proto__.toLowerCase = util.stringToLower;
processesString.__proto__.replace = util.stringReplace;

3
lib/util.js
View File

@ -57,6 +57,7 @@ const stringToLower = new String().toLowerCase;
const stringToString = new String().toString;
const stringSubstr = new String().substr;
const stringTrim = new String().trim;
const stringStartWith = new String().startsWith;
function isFunction(functionToCheck) {
let getType = {};
@ -528,6 +529,7 @@ function sanitizeShellString(str, strict = false) {
s[i] === '\'' ||
s[i] === '`' ||
s[i] === '"' ||
strict && s[i] === '@' ||
strict && s[i] === ' ' ||
strict && s[i] == '{' ||
strict && s[i] == ')')) {
@ -939,5 +941,6 @@ exports.stringToLower = stringToLower;
exports.stringToString = stringToString;
exports.stringSubstr = stringSubstr;
exports.stringTrim = stringTrim;
exports.stringStartWith = stringStartWith;
exports.WINDIR = WINDIR;
exports.getFilesInPath = getFilesInPath;

2
package.json
View File

@ -1,6 +1,6 @@
{
"name": "systeminformation",
"version": "5.3.0",
"version": "5.3.3",
"description": "Simple system and OS information library",
"license": "MIT",
"author": "Sebastian Hildebrandt <hildebrandt@plus-innovations.com> (https://plus-innovations.com)",