This issue was discovered by Peter Teven. This is a XSS issue. You can inject arbitrary HTML code in the repository listing via lockfile. This can be used for phishing, SQL injection, etc. You can find more information about this issue here. In the following example, we are going to inject ';alert(‘XSS');' in the master branch of the 'ljharb/npm-lockfile' repository. The command injection happens in the `$>` prompt. To get a better understanding of this issue, let’s take a look at the lockfile listing of the 'ljharb/npm-lockfile' GitHub repository. Here is a sample lockfile listing. You can see that the lockfile listing is being displayed as a plain text (HTML) file. This means that GitHub user ‘ljharb’ has enabled the ‘Public read’ option for the lockfile listing. This can be changed by following these steps. Go to settings page of your GitHub account. Click on ‘Account settings’ option. In the ‘View settings’ section, click on ‘Public read’ option. After following these steps, you need to change the ‘Public read’ option to ‘Off’. Now let’s take a look at the vulnerable code. You can see that ‘$>`’ prompt is being displayed
The vulnerable code:
$> ls
-rw-r--r-- ljharb/node_modules/optparse/0.10.0-pre/package.json
ls: cannot access ljharb/node_modules/optparse/0.10.0-pre/package.json: No such file or directory
$> echo '
Approach to Fixing the Vulnerability
In order to fix this vulnerability, you need to make sure that ‘Public read’ option is set to ‘Off’.
In order to do so, follow these steps:
Timeline
Published on: 03/03/2022 16:15:00 UTC
Last modified on: 03/09/2022 21:44:00 UTC