inetLatency() fixed possible DOS intrusion

CHANGELOG.md

@@ -72,6 +72,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
 
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
+| 5.2.6          | 2020-02-12     | `inetLatency()` fixed possible DOS intrusion |
 | 5.2.5          | 2020-02-11     | `processes()` fixed truncated params (linux) |
 | 5.2.4          | 2020-02-11     | `currentLoad()` fixed issue |
 | 5.2.3          | 2020-02-11     | `diskLayout()` added USB drives (mac OS) |

docs/history.html

@@ -56,6 +56,11 @@
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">5.2.6</th>
+                    <td>2020-02-12</td>
+                    <td><span class="code">inetLatency()</span> fix DOS vulnerability</td>
+                  </tr>
                   <tr>
                     <th scope="row">5.2.5</th>
                     <td>2020-02-11</td>

docs/index.html

@@ -166,7 +166,7 @@
 <body>
   <header class="bg-image-full">
     <div class="top-container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.31.1</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.2.6</a>
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation</div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>

docs/security.html

@@ -43,9 +43,25 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>DOS Injection Vulnerability</h2>
+              <p><span class="bold">Affected versions:</span>
+                &lt; 5.2.6 and &lt; 4.34.10<br>
+                <span class="bold">Date:</span> 2021-02-12<br>
+                <span class="bold">CVE indentifier</span> -
+              </p>
+
+              <h4>Impact</h4>
+              <p>Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: <span class="code">inetLatency()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
+
               <h2>Command Injection Vulnerability</h2>
               <p><span class="bold">Affected versions:</span>
-                < 4.31.1<br>
+                &lt; 4.31.1<br>
                 <span class="bold">Date:</span> 2020-12-11<br>
                 <span class="bold">CVE indentifier</span> CVE-2020-26274, CVE-2020-28448
               </p>
@@ -59,10 +75,9 @@
               <h4>Workarround</h4>
               <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>
 
-
               <h2>command injection vulnerability - prototype pollution</h2>
               <p><span class="bold">Affected versions:</span>
-                < 4.30.5<br>
+                &lt; 4.30.5<br>
                 <span class="bold">Date:</span> 2020-11-26<br>
                 <span class="bold">CVE indentifier</span> CVE-2020-26245
               </p>
@@ -79,7 +94,7 @@
 
               <h2>Command Injection Vulnerability</h2>
               <p><span class="bold">Affected versions:</span>
-                < 4.27.11<br>
+                &lt; 4.27.11<br>
                 <span class="bold">Date:</span> 2020-10-26<br>
                 <span class="bold">CVE indentifier</span> CVE-2020-7752
               </p>

docs/v4/index.html

@@ -165,12 +165,12 @@
 <body>
   <header class="bg-image-full">
     <div class="container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.31.1</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v4.34.10</a>
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation </div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>
       <div class="version larger">Version 4 documentation</div>
-      <div class="version">Current Version: <span id="version">4.34.9</span></div>
+      <div class="version">Current Version: <span id="version">4.34.10</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">

docs/v4/security.html

@@ -42,6 +42,22 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>DOS Injection Vulnerability</h2>
+              <p><span class="bold">Affected versions:</span>
+                &lt; 4.34.10<br>
+                <span class="bold">Date:</span> 2021-02-12<br>
+                <span class="bold">CVE indentifier</span> -
+              </p>
+
+              <h4>Impact</h4>
+              <p>Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: <span class="code">inetLatency()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.34.10 if you are using version 4.</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
+
               <h2>Command Injection Vulnerability</h2>
               <p><span class="bold">Affected versions:</span>
                 < 4.31.1<br>

lib/internet.js

@@ -35,12 +35,9 @@ function inetChecksite(url, callback) {
   return new Promise((resolve) => {
     process.nextTick(() => {
       let urlSanitized = '';
-      const s = util.sanitizeShellString(url);
+      const s = util.sanitizeShellString(url, true);
       for (let i = 0; i <= 2000; i++) {
-        if (!(s[i] === undefined ||
-          s[i] === ' ' ||
-          s[i] === '{' ||
-          s[i] === '}')) {
+        if (!(s[i] === undefined)) {
           s[i].__proto__.toLowerCase = util.stringToLower;
           const sl = s[i].toLowerCase();
           if (sl && sl[0] && !sl[1]) {
@@ -126,7 +123,18 @@ function inetLatency(host, callback) {
   }
 
   host = host || '8.8.8.8';
-  const hostSanitized = (util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host)).trim();
+  let hostSanitized = '';
+  const s = (util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host, true)).trim();
+  for (let i = 0; i <= 2000; i++) {
+    if (!(s[i] === undefined)) {
+
+      s[i].__proto__.toLowerCase = util.stringToLower;
+      const sl = s[i].toLowerCase();
+      if (sl && sl[0] && !sl[1]) {
+        hostSanitized = hostSanitized + sl[0];
+      }
+    }
+  }
 
   return new Promise((resolve) => {
     process.nextTick(() => {

lib/util.js

@@ -502,7 +502,7 @@ function countLines(lines, startingWith) {
   return uniqueLines.length;
 }
 
-function sanitizeShellString(str) {
+function sanitizeShellString(str, strict = false) {
   const s = str || '';
   let result = '';
   for (let i = 0; i <= 2000; i++) {
@@ -527,7 +527,10 @@ function sanitizeShellString(str) {
       s[i] === '\n' ||
       s[i] === '\'' ||
       s[i] === '`' ||
-      s[i] === '"')) {
+      s[i] === '"' ||
+      strict && s[i] === ' ' ||
+      strict && s[i] == '{' ||
+      strict && s[i] == ')')) {
       result = result + s[i];
     }
   }