CVE-2019-5485: Node Package Manager Webhook (gitlabhook) Vulnerable to Arbitrary Command Injection

By Jarren Buendia on December 6, 2019

Introduction

According to its website, the Node Package Manager (NPM) is the world’s largest software registry, and it manages packages for the JavaScript language. GitLab, according to its website, is the “entire DevOps lifecycle in one application.” In a nutshell, GitLab is an all-in-one application that supports the Agile approach to software development and deployment, and it comes with many capabilities; one capability in particular comes in the form of webhooks. Webhooks are “user-defined HTTP callbacks,” which means that an action is triggered when a defined event occurs, such as new code being pushed to a repository. This is useful for automating and meeting the demand of constant software integration and updates (the Agile approach), but the NPM package gitlabhook, version 0.0.17, has a critical flaw.

Vulnerability

Based on a bug report posted to hackerone.com, a simple Python script can be written to execute arbitrary code on the remote server that waits for instructions from GitLab. The cause is that the gitlabhook.js file has an “ExecFile” call at line 146 that executes user-supplied input without any prior sanitization. Exploiting this vulnerability requires neither elevated privileges nor any authentication, and it can be carried out from any OS that has python3 installed (based on the Python script created by the bug reporter).

Impact

Being able to execute arbitrary code remotely, without any roadblocks and with a Python script as short as four lines, is a critical problem. As of this writing, the NVD has assigned CVE-2019-5485 a 10.0 (critical) base score, because this vulnerability has the potential to cause significant damage, both directly and indirectly, depending on the attacker’s goals and motives.

Mitigation

The hackerone.com bug report was initially submitted on 31 August 2019, but it was not verified by the community and moved through the vulnerability report lifecycle until 13 September 2019. As of 27 September 2019, no official update has been published on the gitlabhook GitHub page or on the NVD CVE page.

With that said, since this webhook is part of an open source project, the source code itself can be modified to fit individual needs. Three common commands passed to webhooks are git push, pull and fetch. A few mitigating steps that can be taken include sanitizing command input by:

  1. Limiting the number of arguments passed
  2. Ensuring that the first argument passed, if it begins with a dash (-), uses two dashes followed by a legitimate command option (--force, --all, --amend, etc.)
  3. Escaping special characters to prevent code execution
    1. Treating characters such as ', ", |, ||, &&, ., \, etc., as benign text rather than as command input
  4. Creating a whitelist of regular expressions so that a command is executed only if its format matches a valid whitelist command format
    1. While very effective, this can be complicated to implement for everyday users

References

“About npm.” Retrieved from: docs.npmjs.com, 16 September 2019.

“CVE-2019-5485 Detail.” Retrieved from: nvd.nist.gov, 16 September 2019.

“gitlabhook OS Command Injection.” Retrieved from: hackerone.com, 16 September 2019.

“How to Test for Command Injection.” Retrieved from: blog.securityinnovation.com, 17 September 2019.

“rolfn/node-gitlab-hook.” Retrieved from: github.com, 17 September 2019.

“sanitize user input for child_process.exec command.” Retrieved from: stackoverflow.com, 19 September 2019.

“The entire DevOps lifecycle in one application.” Retrieved from: gitlab.com, 16 September 2019.

“Webhooks.” Retrieved from: docs.gitlab.com, 18 September 2019.