Hi,
We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method ping fails to sanitize the parameter and lets it flow into a sensitive command execution API.
Here is the proof of concept.
const ping = require( 'system-ping' );
ping( '|| touch cmd' ); // a file named cmd will be created
Please consider fixing it. Thanks!
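One way to close this class of bug, as an added example that is not part of the original report and is not the package's own code: validate the host and pass it as a separate argument to `execFile`, so no shell ever parses it. The names `shellCommandFor`, `pingArgs` and `safePing`, the assumed string-concatenation pattern, and the Unix-style `-c 1` flag are assumptions made for illustration.

```javascript
// Assumed vulnerable pattern (not the package's actual source): the caller's
// string is pasted into a command line that a shell will then parse, so shell
// operators in the input become part of the command.
function shellCommandFor(host) {
  return `ping -c 1 ${host}`;
}

// RFC 1123 style hostname (also matches dotted IPv4); labels cannot start
// with '-', which also blocks option injection such as "-f".
const HOSTNAME =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// Coarse IPv6 shape check; ping itself does the final address parsing.
const IPV6_SHAPE = /^(?=.*:)[0-9a-f:.]{2,45}$/i;

// Returns the argv array for ping, or throws if host is not a plain
// hostname or IP literal.
function pingArgs(host) {
  if (typeof host !== 'string' ||
      !(HOSTNAME.test(host) || IPV6_SHAPE.test(host))) {
    throw new TypeError('invalid host');
  }
  return ['-c', '1', host];
}

// Hardened wrapper: execFile runs the binary directly with an argument
// array, so the host is never interpreted by a shell.
function safePing(host, callback) {
  const { execFile } = require('node:child_process');
  execFile('ping', pingArgs(host), { timeout: 5000 }, (err, stdout) => {
    callback(err, stdout);
  });
}

// Constructed sample inputs, including the payload from the report.
function demo() {
  return ['example.com', '127.0.0.1', '::1', '|| touch cmd', '-f'].map((h) => {
    try {
      return { host: h, argv: pingArgs(h) };
    } catch (e) {
      return { host: h, rejected: e.message };
    }
  });
}
```
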