Merge pull request #6 from EffectRenan/master

Fix Server-Side Request Forgery vulnerability
2021-02-20 12:54:30 +00:00 · 2021-02-20 12:54:30 +00:00 · 0e03d7cf77
commit 0e03d7cf77
parent 74f5164c4c e64cb03654
15 changed files with 223 additions and 42 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -72,6 +72,9 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
 | 5.3.3          | 2020-02-15     | `dockerContainerStats()` fixed ID splitting |
 | 5.3.2          | 2020-02-15     | `inetLatency()` `ineChecksite()` fixed possible security issue (file://) |
 | 5.3.1          | 2020-02-14     | `inetLatency()` `ineChecksite()` `servcices()` `processes()` fixed possible security issue (arrays) |
 | 5.3.0          | 2020-02-12     | `osInfo()` added remoteSession (windows) |
 | 5.2.7          | 2020-02-12     | `fsStats()`, `blockDevices()` improved linux |
 | 5.2.6          | 2020-02-12     | `inetLatency()` fixed possible DOS intrusion |
--- a/docs/history.html
+++ b/docs/history.html
@ -56,6 +56,21 @@
                  </tr>
                </thead>
                <tbody>
                  <tr>
                    <th scope="row">5.3.3</th>
                    <td>2020-02-15</td>
                    <td><span class="code">dockerContainerStats()</span> fix correct ID splitting</td>
                  </tr>
                  <tr>
                    <th scope="row">5.3.2</th>
                    <td>2020-02-15</td>
                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
                  </tr>
                  <tr>
                    <th scope="row">5.3.1</th>
                    <td>2020-02-14</td>
                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> <span class="code">services()</span> <span class="code">processLoad()</span> fix possible security issue</td>
                  </tr>
                  <tr>
                    <th scope="row">5.3.0</th>
                    <td>2020-02-12</td>
--- a/docs/index.html
+++ b/docs/index.html
@ -166,11 +166,11 @@
 <body>
  <header class="bg-image-full">
    <div class="top-container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.2.6</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.2</a>
      <img class="logo" src="assets/logo.png">
      <div class="title">systeminformation</div>
      <div class="subtitle"><span id="typed"></span>&nbsp;</div>
-      <div class="version">New Version: <span id="version">5.3.0</span></div>
+      <div class="version">New Version: <span id="version">5.3.3</span></div>
      <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
    </div>
    <div class="down">
@ -201,7 +201,7 @@
    </div>
    <div class="row number-section">
      <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">13,752</div>
+        <div class="numbers">13,833</div>
        <div class="title">Lines of code</div>
      </div>
      <div class="col-xl-4 col-lg-4 col-md-4 col-12">
@ -209,7 +209,7 @@
        <div class="title">Downloads last month</div>
      </div>
      <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">382</div>
+        <div class="numbers">387</div>
        <div class="title">Dependents</div>
      </div>
    </div>
--- a/docs/security.html
+++ b/docs/security.html
@ -43,6 +43,40 @@
          <div class="col-12 sectionheader">
            <div class="title">Security Advisories</div>
            <div class="text">
              <h2>Insufficient File Scheme Validation</h2>
              <p><span class="bold">Affected versions:</span>
                &lt; 5.3.2 and &lt; 4.34.12<br>
                <span class="bold">Date:</span> 2021-02-15<br>
                <span class="bold">CVE indentifier</span> -
              </p>
              <h4>Impact</h4>
              <p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
              <h4>Patch</h4>
              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).</p>
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
              <hr>
              <br>
              <h2>Command Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                &lt; 5.3.1 and &lt; 4.34.11<br>
                <span class="bold">Date:</span> 2021-02-14<br>
                <span class="bold">CVE indentifier</span> -
              </p>
              <h4>Impact</h4>
              <p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
              <h4>Patch</h4>
              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).</p>
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
              <hr>
              <br>
              <h2>DOS Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                &lt; 5.2.6 and &lt; 4.34.10<br>
--- a/docs/v4/gettingstarted.html
+++ b/docs/v4/gettingstarted.html
@ -67,7 +67,7 @@
              <p>This library is supposed to be used as a <a href="https://nodejs.org/en/" rel="nofollow">node.js</a> backend/server-side library and will definilely not work within a browser.</p>
              <h2>Installation (old version 4)</h2>
-              <pre>$ npm install systeminformation@4 —save</pre>
+              <pre>$ npm install systeminformation@4 —-save</pre>
              <h2>Usage</h2>
              <p>All functions (except <span class="code">version</span> and <span class="code">time</span>) are implemented as asynchronous functions. Here a small example how to use them:</p>
              <pre><code class="js">const si = require('systeminformation');
--- a/docs/v4/history.html
+++ b/docs/v4/history.html
@ -83,6 +83,16 @@
                  </tr>
                </thead>
                <tbody>
                  <tr>
                    <th scope="row">4.34.12</th>
                    <td>2020-02-15</td>
                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
                  </tr>
                  <tr>
                    <th scope="row">4.34.11</th>
                    <td>2020-02-14</td>
                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> <span class="code">services()</span> <span class="code">processes()</span> possible security fix</td>
                  </tr>
                  <tr>
                    <th scope="row">4.34.10</th>
                    <td>2020-02-12</td>
--- a/docs/v4/index.html
+++ b/docs/v4/index.html
@ -165,12 +165,12 @@
 <body>
  <header class="bg-image-full">
    <div class="container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.34.10</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.34.11</a>
      <img class="logo" src="assets/logo.png">
      <div class="title">systeminformation </div>
      <div class="subtitle"><span id="typed"></span>&nbsp;</div>
      <div class="version larger">Version 4 documentation</div>
-      <div class="version">Current Version: <span id="version">4.34.10</span></div>
+      <div class="version">Current Version: <span id="version">4.34.12</span></div>
      <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
    </div>
    <div class="down">
--- a/docs/v4/security.html
+++ b/docs/v4/security.html
@ -42,6 +42,40 @@
          <div class="col-12 sectionheader">
            <div class="title">Security Advisories</div>
            <div class="text">
              <h2>Insufficient File Scheme Validation</h2>
              <p><span class="bold">Affected versions:</span>
                4.34.12<br>
                <span class="bold">Date:</span> 2021-02-15<br>
                <span class="bold">CVE indentifier</span> -
              </p>
              <h4>Impact</h4>
              <p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
              <h4>Patch</h4>
              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.12 if you are using version 4.</p>
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
              <hr>
              <br>
              <h2>Command Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                &lt; 4.34.11<br>
                <span class="bold">Date:</span> 2021-02-14<br>
                <span class="bold">CVE indentifier</span> -
              </p>
              <h4>Impact</h4>
              <p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
              <h4>Patch</h4>
              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.11 if you are using version 4.</p>
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
              <hr>
              <br>
              <h2>DOS Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                &lt; 4.34.10<br>
@ -57,7 +91,8 @@
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
-
+              <hr>
              <br>
              <h2>Command Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                < 4.31.1<br>
@ -73,9 +108,9 @@
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>
-
+              <hr>
-
+              <br>
-              <h2>command injection vulnerability - prototype pollution</h2>
+              <h2>Command Injection Vulnerability - prototype pollution</h2>
              <p><span class="bold">Affected versions:</span>
                < 4.30.5<br>
                  <span class="bold">Date:</span> 2020-11-26<br>
@ -90,8 +125,8 @@
              <h4>Workarround</h4>
              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
-
+              <hr>
-
+              <br>
              <h2>Command Injection Vulnerability</h2>
              <p><span class="bold">Affected versions:</span>
                < 4.27.11<br>
--- a/lib/docker.js
+++ b/lib/docker.js
@ -109,6 +109,9 @@ function dockerContainers(all, callback) {
    callback = all;
    all = false;
  }
  if (typeof all !== 'boolean' && all !== undefined) {
    all = false;
  }
  all = all || false;
  let result = [];
@ -185,16 +188,20 @@ function dockerContainers(all, callback) {
 // container inspect (for one container)
 function dockerContainerInspect(containerID, payload) {
  containerID = containerID || '';
  return new Promise((resolve) => {
    process.nextTick(() => {
-      if (containerID) {
+      containerID = containerID || '';
      if (typeof containerID !== 'string') {
        resolve();
      }
      const containerIdSanitized = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerID, true)).trim();
      if (containerIdSanitized) {
        if (!_docker_socket) {
          _docker_socket = new DockerSocket();
        }
-        _docker_socket.getInspect(containerID.trim(), data => {
+        _docker_socket.getInspect(containerIdSanitized.trim(), data => {
          try {
            resolve({
              id: payload.Id,
@ -325,19 +332,39 @@ function docker_calcBlockIO(blkio_stats) {
 function dockerContainerStats(containerIDs, callback) {
  let containerArray = [];
  // fallback - if only callback is given
  if (util.isFunction(containerIDs) && !callback) {
    callback = containerIDs;
    containerArray = ['*'];
  } else {
    containerIDs = containerIDs || '*';
    containerIDs = containerIDs.trim().toLowerCase().replace(/,+/g, '|');
    containerArray = containerIDs.split('|');
  }
  return new Promise((resolve) => {
    process.nextTick(() => {
      // fallback - if only callback is given
      if (util.isFunction(containerIDs) && !callback) {
        callback = containerIDs;
        containerArray = ['*'];
      } else {
        containerIDs = containerIDs || '*';
        if (typeof containerIDs !== 'string') {
          if (callback) { callback([]); }
          return resolve([]);
        }
        let containerIDsSanitized = '';
        containerIDsSanitized.__proto__.toLowerCase = util.stringToLower;
        containerIDsSanitized.__proto__.replace = util.stringReplace;
        containerIDsSanitized.__proto__.trim = util.stringTrim;
        const s = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerIDs, true)).trim();
        for (let i = 0; i <= 2000; i++) {
          if (!(s[i] === undefined)) {
            s[i].__proto__.toLowerCase = util.stringToLower;
            const sl = s[i].toLowerCase();
            if (sl && sl[0] && !sl[1]) {
              containerIDsSanitized = containerIDsSanitized + sl[0];
            }
          }
        }
        containerIDsSanitized = containerIDsSanitized.trim().toLowerCase().replace(/,+/g, '|');
        containerArray = containerIDsSanitized.split('|');
      }
      const result = [];
      const workload = [];
@ -444,17 +471,22 @@ exports.dockerContainerStats = dockerContainerStats;
 // container processes (for one container)
 function dockerContainerProcesses(containerID, callback) {
  containerID = containerID || '';
  let result = [];
  return new Promise((resolve) => {
    process.nextTick(() => {
-      if (containerID) {
+      containerID = containerID || '';
      if (typeof containerID !== 'string') {
        resolve(result);
      }
      const containerIdSanitized = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerID, true)).trim();
      if (containerIdSanitized) {
        if (!_docker_socket) {
          _docker_socket = new DockerSocket();
        }
-        _docker_socket.getProcesses(containerID, data => {
+        _docker_socket.getProcesses(containerIdSanitized, data => {
          /**
           * @namespace
           * @property {Array}  Titles
--- a/lib/internet.js
+++ b/lib/internet.js
@ -40,7 +40,7 @@ function inetChecksite(url, callback) {
        status: 404,
        ms: null
      };
-      if (typeof url !== "string") {
+      if (typeof url !== 'string') {
        if (callback) { callback(result); }
        return resolve(result);
      }
@ -58,6 +58,11 @@ function inetChecksite(url, callback) {
      result.url = urlSanitized;
      try {
        if (urlSanitized && !util.isPrototypePolluted()) {
          urlSanitized.__proto__.startsWith = util.stringStartWith;
          if (urlSanitized.startsWith('file:')) {
            if (callback) { callback(result); }
            return resolve(result);
          }
          let t = Date.now();
          if (_linux || _freebsd || _openbsd || _netbsd || _darwin || _sunos) {
            let args = ' -I --connect-timeout 5 -m 5 ' + urlSanitized + ' 2>/dev/null | head -n 1 | cut -d " " -f2';
@ -131,7 +136,7 @@ function inetLatency(host, callback) {
  return new Promise((resolve) => {
    process.nextTick(() => {
-      if (typeof host !== "string") {
+      if (typeof host !== 'string') {
        if (callback) { callback(null); }
        return resolve(null);
      }
@ -146,6 +151,11 @@ function inetLatency(host, callback) {
          }
        }
      }
      hostSanitized.__proto__.startsWith = util.stringStartWith;
      if (hostSanitized.startsWith('file:')) {
        if (callback) { callback(null); }
        return resolve(null);
      }
      let params;
      let filt;
      if (_linux || _freebsd || _openbsd || _netbsd || _darwin) {
--- a/lib/network.js
+++ b/lib/network.js
@ -973,19 +973,29 @@ function calcNetworkSpeed(iface, rx_bytes, tx_bytes, operstate, rx_dropped, rx_e
 function networkStats(ifaces, callback) {
  let ifacesArray = [];
  // fallback - if only callback is given
  if (util.isFunction(ifaces) && !callback) {
    callback = ifaces;
    ifacesArray = [getDefaultNetworkInterface()];
  } else {
    ifaces = ifaces || getDefaultNetworkInterface();
    ifaces = ifaces.trim().toLowerCase().replace(/,+/g, '|');
    ifacesArray = ifaces.split('|');
  }
  return new Promise((resolve) => {
    process.nextTick(() => {
      // fallback - if only callback is given
      if (util.isFunction(ifaces) && !callback) {
        callback = ifaces;
        ifacesArray = [getDefaultNetworkInterface()];
      } else {
        if (typeof ifaces !== 'string' && ifaces !== undefined) {
          if (callback) { callback([]); }
          return resolve([]);
        }
        ifaces = ifaces || getDefaultNetworkInterface();
        ifaces.__proto__.toLowerCase = util.stringToLower;
        ifaces.__proto__.replace = util.stringReplace;
        ifaces.__proto__.trim = util.stringTrim;
        ifaces = ifaces.trim().toLowerCase().replace(/,+/g, '|');
        ifacesArray = ifaces.split('|');
      }
      const result = [];
      const workload = [];
--- a/lib/poc.js
+++ b/lib/poc.js
@ -0,0 +1,22 @@
 let si = require('./internet');
 si.inetChecksite([]).then((a) => {
  if (a.ok == false)
    console.log("inetChecksite is fixed!")
  else
    console.log("inetChecksite is not fixed!")
 });
 si.inetLatency([]).then((a) => {
  if (a == null)
    console.log("inetLatency is fixed!")
  else
    console.log("inetLatency is not fixed!")
 });
 si = require('./processes');
 si.services([]).then((a) => {
  if (typeof a == typeof [])
    console.log("services is fixed!")
  else
    console.log("services is not fixed!")
 });
--- a/lib/processes.js
+++ b/lib/processes.js
@ -99,7 +99,7 @@ function services(srv, callback) {
  return new Promise((resolve) => {
    process.nextTick(() => {
-      if (typeof srv !== "string") {
+      if (typeof srv !== 'string') {
        if (callback) { callback([]); }
        return resolve([]);
      }
@ -892,6 +892,13 @@ function processLoad(proc, callback) {
  return new Promise((resolve) => {
    process.nextTick(() => {
      proc = proc || '';
      if (typeof proc !== 'string') {
        if (callback) { callback([]); }
        return resolve([]);
      }
      let processesString = '';
      processesString.__proto__.toLowerCase = util.stringToLower;
      processesString.__proto__.replace = util.stringReplace;
--- a/lib/util.js
+++ b/lib/util.js
@ -57,6 +57,7 @@ const stringToLower = new String().toLowerCase;
 const stringToString = new String().toString;
 const stringSubstr = new String().substr;
 const stringTrim = new String().trim;
 const stringStartWith = new String().startsWith;
 function isFunction(functionToCheck) {
  let getType = {};
@ -528,6 +529,7 @@ function sanitizeShellString(str, strict = false) {
      s[i] === '\'' ||
      s[i] === '`' ||
      s[i] === '"' ||
      strict && s[i] === '@' ||
      strict && s[i] === ' ' ||
      strict && s[i] == '{' ||
      strict && s[i] == ')')) {
@ -939,5 +941,6 @@ exports.stringToLower = stringToLower;
 exports.stringToString = stringToString;
 exports.stringSubstr = stringSubstr;
 exports.stringTrim = stringTrim;
 exports.stringStartWith = stringStartWith;
 exports.WINDIR = WINDIR;
 exports.getFilesInPath = getFilesInPath;
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "systeminformation",
-  "version": "5.3.0",
+  "version": "5.3.3",
  "description": "Simple system and OS information library",
  "license": "MIT",
  "author": "Sebastian Hildebrandt <hildebrandt@plus-innovations.com> (https://plus-innovations.com)",