
Fix Arbitrary Code Execution using execFile and spawn

Open alromh87 opened this issue 5 years ago • 0 comments

openjtalk is vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in any of the key values, using the talk() function.

The command used a pipe to communicate between processes; this was replaced with spawn to link stdout to stdin.

🐛 Proof of Concept (PoC)

1. Install the package
2. Check there aren't files called HACKED
3. Execute the following js script:
   ```js
   var OpenJTalk = require('openjtalk');
   var mei = new OpenJTalk();
   mei.talk(' "; touch HACKED; #//');
   ```
4. It will create a file HACKED in the working directory.

After the fix, no HACKED file is created.

Commands can be executed normally, and audio files are correctly erased.

alromh87, Sep 26 '20 16:09