local-devices mislabeled as code-injection

[ericcornelissen]

The vulnerability in [email protected] is mislabeled as code injection while it is actually command injection. The listed code location points to an call to child_process.exec in:

/**
 * Reads the arp table for a single address.
 */
function arpOne (address) {
  return cp.exec('arp -n ' + address).then(parseOne)
}

Also, the Proof of Concept has a command injection payload and not a code injection payload.

[cristianstaicu]

I agree with you, however Snyk labeled this vulnerability as code injection at the time (https://security.snyk.io/vuln/SNYK-JS-LOCALDEVICES-459898), so we decided to keep this label. Did you find any other such entry in the dataset? I am considering moving it, as you suggested, into the command-injection folder.

[ericcornelissen]

I agree with you, however Snyk labeled this vulnerability as code injection at the time (security.snyk.io/vuln/SNYK-JS-LOCALDEVICES-459898), so we decided to keep this label.

I see, though their own description disagrees:

The package does not validate input on ip addresses and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

and the GHA entry does label it as command injection, see GHSA-w725-67p7-xv22

Did you find any other such entry in the dataset?

So far not. I will probably only be evaluating the code injections and have reached (in the GitHub directory order) up to and including mosc_1.0.0.

[ericcornelissen]

Another case: open, see:

SecBench.js/code-injection/open_0.0.5/open.test.js

Line 14 in bc31562

require("open")('""`touch open`', () => {

---

• Snyk (misleading): https://security.snyk.io/vuln/SNYK-JS-OPEN-174041
• GHSA (correct): GHSA-28xh-wpgr-7fm8
• Sink location source:

  SecBench.js/test_sink_location.txt

  Line 36 in bc31562

  open_0.0.5 /Users/masudulhasanmasudbhuiyan/Music/vulns4js/ace-breakout/node_modules/open/lib/open.js lib/open.js:58:10

• Sink location: https://github.com/pwnall/node-open/blob/2d20d7c8946b2da243a59d9c727953bf06d77611/lib/open.js#L58

[ericcornelissen]

Another case: wifiscanner, see:

SecBench.js/code-injection/wifiscanner_1.0.1/wifiscanner.test.js

Line 9 in bc31562

binaryPath: "touch",

---

• Snyk (misleading): https://security.snyk.io/vuln/SNYK-JS-WIFISCANNER-574786
• GHSA (mostly correct): GHSA-m6rw-m2v9-7hx4
• Sink location source:

  SecBench.js/test_sink_location.txt

  Line 30 in bc31562

  wifiscanner_1.0.1 /Users/masudulhasanmasudbhuiyan/Music/vulns4js/ace-breakout/node_modules/wifiscanner/scanners/wifiscanner.js scanners/wifiscanner.js:12:22

• Sink location: https://github.com/thingsSDK/wifiscanner/blob/9695ed53fba4e1b7a56a918c009cba07ead8a5a4/scanners/wifiscanner.js#L12

[ericcornelissen]

That's all entries in code-injection that are mislabeled from what I can tell.

Overview

• local-devices
• open
• wifiscanner