Description
An attacker can execute arbitrary commands on the user's machine.
Version: 0.43.0
Technical Impact
An attacker can create a project containing a maliciously crafted file name. If a user opens the project in Xcode and interacts with the file using the Copilot extension, the command will be executed on the system.
Code Review

The filepath parameter is used directly in the command that opens the referenced file, which leads to command injection.
Steps to reproduce
- Create a file with the following payload
main.swift";cat>xxd -r -p <<< 2f746d702f68657861616161;".swift

- The file will be automatically attached to the Xcode chat editor.
- Send any message to interact with Copilot.
- Click on the referenced file. Command mentioned in the filename will be executed.

I reported this to GitHub Security in version 0.31.0 but did not receive a response. I also reported the issue to the developer of the intitni repository, and they fixed it in the commit below:

intitni/CopilotForXcode@9340275
Now I see that the vulnerable code is also used for agent mode. Since the issue is already public, I am sharing the details.
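The code review section above describes the general pattern: a path taken from the project is placed directly into a command, so shell metacharacters in the filename become additional commands. The following is an added illustration written for this page; it is not CopilotForXcode's code, and the actual "open" step is stood in for by `/bin/echo` so that running it has no side effects. It shows the vulnerable string-interpolation form, the hardened argv-list form that never invokes a shell, the `shlex.quote` fallback for cases where a shell is unavoidable, and a small check that flags filenames a defender would want to reject or log before they reach a command line. The filename used as input is constructed in the same shape as the report's payload.

```python
"""Filename-based command injection: the pattern behind this report, and how to avoid it.

Constructed illustration; none of this is CopilotForXcode's code. The "open"
step is replaced by /bin/echo so that the vulnerable form does nothing worse
than print a second line.
"""
import shlex
import subprocess

# Constructed filename in the same shape as the report's payload: the quote and
# semicolon close the intended argument and start a second shell command.
INJECTED_NAME = 'main.swift";echo INJECTED;".swift'


def open_unsafe(filepath: str) -> str:
    """Vulnerable pattern: the path is pasted into a shell command string.

    Anything the shell treats specially inside the filename becomes part of
    the command line. Returns the shell's combined stdout, which for the
    constructed name contains the output of the injected second command.
    """
    cmd = f'/bin/echo "{filepath}"'  # same shape as interpolating into `sh -c "..."`
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_safe(filepath: str) -> str:
    """Hardened form: no shell, one argv element per argument.

    The filename reaches the program as a single argument, metacharacters
    included, so there is nothing for a shell to interpret.
    """
    return subprocess.run(["/bin/echo", filepath], capture_output=True, text=True).stdout


def open_quoted(filepath: str) -> str:
    """Fallback when a shell really is required: quote the argument first.

    shlex.quote wraps the value in single quotes so the shell passes it
    through as one word.
    """
    cmd = f"/bin/echo {shlex.quote(filepath)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Characters that commonly change the meaning of a POSIX shell command line.
SHELL_META = set(';|&$`"\'<>(){}\n')


def suspicious_filename(name: str) -> bool:
    """Defensive check: True if the name carries shell metacharacters.

    Useful as an input filter or as a detection rule over project file lists,
    independent of how the file is later opened.
    """
    return any(ch in SHELL_META for ch in name)


if __name__ == "__main__":
    print("unsafe :", repr(open_unsafe(INJECTED_NAME)))
    print("safe   :", repr(open_safe(INJECTED_NAME)))
    print("quoted :", repr(open_quoted(INJECTED_NAME)))
    print("flagged:", suspicious_filename(INJECTED_NAME))
```

Running the script shows the difference directly: the unsafe form prints `main.swift` and then `INJECTED` as two separate lines (the shell ran two commands), while the argv-list and quoted forms each print the whole filename, metacharacters included, as a single argument.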
