thebeet / idevicekit Goto Github PK
View Code? Open in Web Editor NEWNodeJs wrapper for libimobiledevice
License: Other
NodeJs wrapper for libimobiledevice
License: Other
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command
that will be executed without any checks. There is a possible bypass of the _checkSerial
function leading to malicious serial
variable content injection. Then, the serial
variable is concatenated inside a command
executed through the exec
function, leading to RCE
. The issue arises here:
https://github.com/thebeet/idevicekit/blob/master/index.js#L11
https://github.com/thebeet/idevicekit/blob/master/index.js#L39
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded ๐ฐ? Go to https://huntr.dev/
Project is missing a software license.
Please add a license file
Hi there! Thanks for this amazing library, Node bindings make working with C libraries much simpler for me. I am able to list my connected device, however, attempting to use methods such as getBasicInformation
, getBattery
etc yields an error:
// brew install libimobiledevice
// brew install ideviceinstaller
const idevicekit = require('idevicekit');
void async function() {
for (const serial of await idevicekit.listDevices()) {
console.log(serial);
console.log(await idevicekit.getBattery(serial));
}
}()
This prints the serial correctly, but then this error occurs:
[xmldom error] element parse error: Error: invalid tagName:http:
@#[line:44,col:11]
(node:63374) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): TypeError: Cannot read property 'nodeName' of null
I am not sure how to access the raw XML string to see why it trips up the XML parser. If you guide me on how to obtain it, I will be happy to attach it to this issue for further debugging.
let _checkSerial = (serial) => { return /^[a-z0-9]{40,40}$/.test(serial); };
This works only till A11 SoC.
let _checkSerial = (serial) => { return /^[a-z0-9]{40,40}$/ || /^[A-Z0-9]{8}-[A-Z0-9]{16}$/i.test(serial); };
- this should fix the issue.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.