Summary / 概述
Multiple command injection vulnerabilities found in git operations due to string concatenation in shell commands.
由于在shell命令中使用字符串拼接,发现了多个命令注入漏洞。
Vulnerability Details / 漏洞详情
Location 1 / 位置 1: plugins/worktree.ts
Lines / 行号: 90, 132, 143, 231
execSync(`git worktree add "${worktreePath}" -b "${branch}" "${base}"`, {...});
execAsync(`git worktree remove ${force ? "--force " : ""}"${worktreePath}"`, {...});
execAsync(`git branch -D "${branch}"`, {...});
execSync(`git branch -m "${oldBranch}" "${newBranch}"`, {...});
Risk / 风险: If sessionId or newName contains special characters (like ", $, or backticks), it could lead to command injection.
如果 sessionId 或 newName 包含特殊字符(如 "、$ 或反引号),可能导致命令注入。
Location 2 / 位置 2: plugins/api.ts
Line / 行号: 404
exec(`explorer "${dirPath}"`);
Risk / 风险: If dirPath contains malicious characters, it could execute arbitrary commands.
如果 dirPath 包含恶意字符,可能执行任意命令。
Impact / 影响
- High / 高危: An attacker could execute arbitrary system commands / 攻击者可执行任意系统命令
- Medium / 中危: Could lead to data theft, system compromise, or denial of service / 可能导致数据泄露、系统被入侵或拒绝服务
Proof of Concept / 概念验证
A malicious session ID like test"; rm -rf / # could potentially execute destructive commands.
恶意的session ID如 test"; rm -rf / # 可能执行破坏性命令。
Recommended Fix / 修复建议
Option 1 / 方案 1: Use Array Parameters (Preferred) / 使用数组参数(推荐)
// Instead of / 而不是:
execSync(`git worktree add "${worktreePath}" -b "${branch}" "${base}"`, {...});
// Use / 使用:
execFileSync('git', ['worktree', 'add', worktreePath, '-b', branch, base], {...});
Option 2 / 方案 2: Use Shell Escape Library / 使用Shell转义库
import shellescape from 'shell-escape';
const args = shellescape(['git', 'worktree', 'add', worktreePath, '-b', branch, base]);
execSync(args, {...});
Option 3 / 方案 3: Strict Input Validation / 严格输入验证
function validateSessionId(sessionId: string): void {
if (!/^[a-zA-Z0-9_-]+$/.test(sessionId)) {
throw new Error('Invalid session ID: only alphanumeric, underscore, and hyphen allowed');
throw new Error('无效的session ID:只允许字母、数字、下划线和连字符');
}
}
Affected Files / 受影响文件
plugins/worktree.ts (lines 90, 132, 143, 231)
plugins/api.ts (line 404)
Priority / 优先级
High / 高危 - Should be fixed immediately / 应立即修复
Labels / 标签
security
vulnerability
high-priority
Summary / 概述
Multiple command injection vulnerabilities found in git operations due to string concatenation in shell commands.
由于在shell命令中使用字符串拼接,发现了多个命令注入漏洞。
Vulnerability Details / 漏洞详情
Location 1 / 位置 1:
plugins/worktree.tsLines / 行号: 90, 132, 143, 231
Risk / 风险: If
sessionIdornewNamecontains special characters (like",$, or backticks), it could lead to command injection.如果
sessionId或newName包含特殊字符(如"、$或反引号),可能导致命令注入。Location 2 / 位置 2:
plugins/api.tsLine / 行号: 404
Risk / 风险: If
dirPathcontains malicious characters, it could execute arbitrary commands.如果
dirPath包含恶意字符,可能执行任意命令。Impact / 影响
Proof of Concept / 概念验证
A malicious session ID like
test"; rm -rf / #could potentially execute destructive commands.恶意的session ID如
test"; rm -rf / #可能执行破坏性命令。Recommended Fix / 修复建议
Option 1 / 方案 1: Use Array Parameters (Preferred) / 使用数组参数(推荐)
Option 2 / 方案 2: Use Shell Escape Library / 使用Shell转义库
Option 3 / 方案 3: Strict Input Validation / 严格输入验证
Affected Files / 受影响文件
plugins/worktree.ts(lines 90, 132, 143, 231)plugins/api.ts(line 404)Priority / 优先级
High / 高危 - Should be fixed immediately / 应立即修复
Labels / 标签
securityvulnerabilityhigh-priority