mirror of https://github.com/google/oss-fuzz.git
36 lines
1.3 KiB
JavaScript
36 lines
1.3 KiB
JavaScript
/*
|
|
* Copyright 2022 Google LLC
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
/* Exploit shell quote with fuzzer's input as a parameter of echo.
|
|
* This PoC is extended from a report in GitHub Advisory Database:
|
|
* https://github.com/advisories/GHSA-g4rg-993r-mgx7
|
|
* The original report records a shell injection exploit in shell-quote v1.7.2,
|
|
* we show that a similar shell corruption exploit still persists in v1.7.3,
|
|
* after a commit that intends to fix the original exploit.
|
|
* */
|
|
|
|
/* Fuzz the target program with buf generated by Jsfuzz. */
|
|
function fuzz(buf) {
|
|
buf = String(buf)
|
|
const childProcess = require('child_process');
|
|
const shellQuote = require('shell-quote');
|
|
childProcess.execSync(shellQuote.quote(['echo', buf]));
|
|
}
|
|
|
|
/* Run Jsfuzz. */
|
|
module.exports = {
|
|
fuzz
|
|
};
|