Security Fix for Command Injection - huntr.dev

[huntr-helper]

@Asjidkalam (https://huntr.dev/users/Asjidkalam) has fixed a potential Command Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | *
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/macfromip/1/README.md

User Comments:

📊 Metadata *

Command Injection

Bounty URL: https://www.huntr.dev/bounties/1-npm-macfromip/

⚙️ Description *

Command Injection in macfromip

💻 Technical Description *

The package is vulnerable to command injection since it uses child_process.exec function and uses the user input without sanitization. The mitigation is to use execFile instead and supply the args as an array.

🐛 Proof of Concept (PoC) *

// poc.js
var a=require("macfromip");
a.getMacInLinux("& touch HACKED",function(){})

npm i macfromip # Install affected module
node poc.js #  Run the PoC

🔥 Proof of Fix (PoF) *

After applying the fix, no more code is executed, hence the issue is mitigated.

👍 User Acceptance Testing (UAT)

No breaking changes introduced. :)

[Copilot]

Pull request overview

This PR fixes a critical command injection vulnerability in the getMacInLinux function by replacing child_process.exec() with child_process.execFile() and passing arguments as an array instead of string concatenation.

Key Changes:

• Migrated from cp.exec("ping -c 1 " + ipAddress, ...) to cp.execFile("ping", ["-c", "1", ipAddress], ...) to prevent command injection
• User-provided IP addresses are now passed as separate arguments rather than concatenated into the shell command

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.