Security Fix for Command Injection - huntr.dev

[huntr-helper]

@Asjidkalam (https://huntr.dev/users/Asjidkalam) has fixed a potential Command Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | *
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/macfromip/1/README.md

User Comments:

📊 Metadata *

Command Injection

Bounty URL: https://www.huntr.dev/bounties/1-npm-macfromip/

⚙️ Description *

Command Injection in macfromip

💻 Technical Description *

The package is vulnerable to command injection since it uses child_process.exec function and uses the user input without sanitization. The mitigation is to use execFile instead and supply the args as an array.

🐛 Proof of Concept (PoC) *

// poc.js
var a=require("macfromip");
a.getMacInLinux("& touch HACKED",function(){})

npm i macfromip # Install affected module
node poc.js #  Run the PoC

🔥 Proof of Fix (PoF) *

After applying the fix, no more code is executed, hence the issue is mitigated.

👍 User Acceptance Testing (UAT)

No breaking changes introduced. :)