Skip to content

🔒 Security: Command Injection Vulnerability in Git Operations / Git操作中的命令注入漏洞 #7

Description

@ACCSCI

Summary / 概述

Multiple command injection vulnerabilities found in git operations due to string concatenation in shell commands.
由于在shell命令中使用字符串拼接,发现了多个命令注入漏洞。

Vulnerability Details / 漏洞详情

Location 1 / 位置 1: plugins/worktree.ts

Lines / 行号: 90, 132, 143, 231

execSync(`git worktree add "${worktreePath}" -b "${branch}" "${base}"`, {...});
execAsync(`git worktree remove ${force ? "--force " : ""}"${worktreePath}"`, {...});
execAsync(`git branch -D "${branch}"`, {...});
execSync(`git branch -m "${oldBranch}" "${newBranch}"`, {...});

Risk / 风险: If sessionId or newName contains special characters (like ", $, or backticks), it could lead to command injection.
如果 sessionIdnewName 包含特殊字符(如 "$ 或反引号),可能导致命令注入。

Location 2 / 位置 2: plugins/api.ts

Line / 行号: 404

exec(`explorer "${dirPath}"`);

Risk / 风险: If dirPath contains malicious characters, it could execute arbitrary commands.
如果 dirPath 包含恶意字符,可能执行任意命令。

Impact / 影响

  • High / 高危: An attacker could execute arbitrary system commands / 攻击者可执行任意系统命令
  • Medium / 中危: Could lead to data theft, system compromise, or denial of service / 可能导致数据泄露、系统被入侵或拒绝服务

Proof of Concept / 概念验证

A malicious session ID like test"; rm -rf / # could potentially execute destructive commands.
恶意的session ID如 test"; rm -rf / # 可能执行破坏性命令。

Recommended Fix / 修复建议

Option 1 / 方案 1: Use Array Parameters (Preferred) / 使用数组参数(推荐)

// Instead of / 而不是:
execSync(`git worktree add "${worktreePath}" -b "${branch}" "${base}"`, {...});

// Use / 使用:
execFileSync('git', ['worktree', 'add', worktreePath, '-b', branch, base], {...});

Option 2 / 方案 2: Use Shell Escape Library / 使用Shell转义库

import shellescape from 'shell-escape';

const args = shellescape(['git', 'worktree', 'add', worktreePath, '-b', branch, base]);
execSync(args, {...});

Option 3 / 方案 3: Strict Input Validation / 严格输入验证

function validateSessionId(sessionId: string): void {
  if (!/^[a-zA-Z0-9_-]+$/.test(sessionId)) {
    throw new Error('Invalid session ID: only alphanumeric, underscore, and hyphen allowed');
    throw new Error('无效的session ID:只允许字母、数字、下划线和连字符');
  }
}

Affected Files / 受影响文件

  • plugins/worktree.ts (lines 90, 132, 143, 231)
  • plugins/api.ts (line 404)

Priority / 优先级

High / 高危 - Should be fixed immediately / 应立即修复

Labels / 标签

  • security
  • vulnerability
  • high-priority

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions