[Packagist] Argument Injection in Mercurial Driver leading to RCE

We discussed this vulnerability during Episode 159 on 17 October 2022

An argument injection leading to remote code execution on the Packagist server. The vulnerability stems from how Packagist's workers update a package's main documentation page: they read the package's readme file through hg's cat command.

When the readme is a .txt file, the worker uses the source control driver's getFileContent method. For Mercurial repositories this leads to calling hg cat -r <branch> <file>, where <branch> and <file> are attacker-controlled values. Without any validation on the branch name, one could inject a --config argument that overrides the default behavior of hg cat and makes it execute arbitrary shell commands.

--config=alias.cat=!hg cat -r :payload.sh|sh;.txt
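A way to build the hg invocation safely, as an added example that is not Packagist's or Composer's own code: the vulnerable argv shape from the description above beside a hardened builder that allow-lists the ref and path and terminates option parsing with hg's `--` separator. The allow-list patterns are my assumptions, not the project's actual fix.

```python
import re

# Allow-lists for the two attacker-controlled values (assumed patterns).
# Mercurial refs (branch, bookmark, tag, changeset hash) and readme paths
# never legitimately begin with '-', so option-shaped values are rejected.
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+/-]*$")
SAFE_PATH = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def vulnerable_hg_cat_args(branch, file):
    """Shape of the command the worker ran. Even without a shell, a branch
    such as '--config=alias.cat=!...' is read by hg as a global --config
    option rather than as a revision name."""
    return ["hg", "cat", "-r", branch, file]


def is_safe_ref(branch):
    return bool(SAFE_REF.match(branch))


def is_safe_path(file):
    # Reject traversal segments as well as option-shaped names.
    return bool(SAFE_PATH.match(file)) and ".." not in file.split("/")


def hardened_hg_cat_args(branch, file):
    """Validate both values, then add '--' so hg treats everything after it
    as positional. The separator is defence in depth; the allow-list is
    what actually closes the injection."""
    if not is_safe_ref(branch):
        raise ValueError("refusing option-shaped or malformed ref: %r" % branch)
    if not is_safe_path(file):
        raise ValueError("refusing suspicious path: %r" % file)
    return ["hg", "cat", "-r", branch, "--", file]


if __name__ == "__main__":
    # Constructed inputs: a benign request and the payload quoted above.
    for branch, path in [("default", "README.txt"),
                         ("--config=alias.cat=!hg cat -r :payload.sh|sh;.txt", "README.txt")]:
        print("vulnerable:", vulnerable_hg_cat_args(branch, path))
        try:
            print("hardened:  ", hardened_hg_cat_args(branch, path))
        except ValueError as err:
            print("hardened:   rejected ->", err)
```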

They also found that the GitDriver had a similar issue, where the branch and file values were reflected into git show <branch>:<file>; however, the mandatory :<file> suffix prevented exploitation.