
huntr-helper

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/gify/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-gify

⚙️ Description *

node-gify was vulnerable to RCE and arbitrary command injection because some user-supplied inputs were taken and formatted inside the exec() function without prior validation.
After the update, arbitrary code execution is avoided by using execFile instead of exec.

💻 Technical Description *

Arbitrary code execution is avoided by using execFile() instead of exec() and passing arguments via parameters instead of composing a string.

🐛 Proof of Concept (PoC) *

Install the package and run the below code:

```js
// poc.js
var gify = require("./");
gify("out.mp4\"`'; touch HACKED; #", 'out.gif\';touch HACKED; #', e => { console.log(e)});
```

It will create a file named HACKED in the working directory.
[Screenshot from 2020-09-09 20-36-33]

🔥 Proof of Fix (PoF) *

After the fix, no file is created.
[Screenshot from 2020-09-09 20-35-50]

👍 User Acceptance Testing (UAT)

Commands can be executed normally
