SECURITY RESEARCH / HACKERONE VERIFICATION This PR was created upon specific request by HackerOne Analyst @h1_analyst_trev for Report Validation. Contains benign payload only. #3755
Conversation
SECURITY RESEARCH / HACKERONE VERIFICATION This PR was created upon specific request by HackerOne Analyst @h1_analyst_trev for Report Validation. Contains benign payload only.
packages/create-snap/package.json
Outdated
| @@ -1,5 +1,5 @@ | |||
| { | |||
| "name": "@metamask/create-snap", | |||
| "name": "h1-poc; echo '--- H1-VERIFICATION-LOG-BY-ANOMALY-ZERO ---'; #", | |||
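Review bot: the new "name" value on the added line is not a valid npm package name (it contains spaces, single quotes, ';' and '#', plus uppercase letters, none of which npm accepts), so renaming create-snap to it breaks every workspace tool and script that refers to the package as @metamask/create-snap, and the PR description itself says the change must not be merged. If the verification needs a package with this name in the tree, add it as a separate, private package instead of renaming an existing published one.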
Bug: Command injection vulnerability in package name
The package name field contains shell command syntax including a semicolon, echo command, and comment character. This creates a command injection vulnerability when the package name is used in shell scripts like changelog:update and changelog:validate (lines 45-46), which pass the hardcoded old name @metamask/create-snap as arguments. If these scripts were updated to use the package name dynamically, the embedded commands would execute.
packages/create-snap/package.json
Outdated
| @@ -1,5 +1,5 @@ | |||
| { | |||
| "name": "@metamask/create-snap", | |||
| "name": "h1-poc; echo '--- H1-VERIFICATION-LOG-BY-ANOMALY-ZERO ---'; #", | |||
Bug: Package name contains shell injection characters
The package name h1-poc; echo '--- H1-VERIFICATION-LOG-BY-ANOMALY-ZERO ---'; # contains shell metacharacters (semicolon, hash) that could be interpreted as command separators by shell scripts or package managers. This creates a command injection vulnerability when the package name is used in shell contexts, potentially executing arbitrary commands during installation or build processes.
28bda8e to 193a1d8
| @@ -0,0 +1,5 @@ | |||
| { | |||
| "name": "h1-poc; echo \"--- H1-VERIFICATION-LOG-BY-ANOMALY-ZERO ---\"; #", | |||
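Review bot: the name on the added line is still not a valid npm package name (spaces, ';', '"' and '#' are not URL-safe characters and uppercase is not allowed), so any tooling that resolves workspaces by name may fail on this file and, if it ever builds a shell line from the name without quoting, would run the embedded echo; the JSON itself is well-formed because the inner double quotes are escaped. As the description says, this should not be merged, and the package should be removed from the tree once the report is validated.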
Bug: Command injection payload in package name
The package name contains shell command injection syntax with a semicolon, echo command, and comment character. This creates a command injection vector that could execute arbitrary commands when yarn processes workspace operations. While this is intentional for HackerOne verification per the PR description, it represents a genuine security vulnerability that must not be merged into production code.
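A defender-side CI check for the risk this comment describes, added here as an example; it is not MetaMask's, Bugbot's or HackerOne's code, and the name rules it encodes follow npm's validate-npm-package-name rather than anything on this page. The two package.json bodies it checks are constructed.

```python
import json
import re
import shlex

# npm naming rules (as enforced by validate-npm-package-name): lowercase,
# at most 214 characters, URL-safe characters only, optional @scope/ prefix,
# and neither part may start with "." or "_".
NPM_NAME_RE = re.compile(r"^(?:@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$")
# Characters a POSIX shell treats specially; none is a valid npm name character.
SHELL_META = set(";&|`$<>(){}[]!#'\"\\ \t\n*?~")


def check_package_name(name: str) -> list[str]:
    """Return the problems found with a package name (empty list = acceptable)."""
    problems = []
    if not name or len(name) > 214:
        problems.append("length must be between 1 and 214 characters")
    if name != name.lower():
        problems.append("must be lowercase")
    meta = "".join(sorted(c for c in set(name) if c in SHELL_META))
    if meta:
        problems.append(f"contains shell metacharacters: {meta!r}")
    if not NPM_NAME_RE.match(name):
        problems.append("not a valid npm package name")
    return problems


def check_package_json(text: str) -> list[str]:
    """Parse a package.json body and check its "name" field."""
    name = json.loads(text).get("name")
    if not isinstance(name, str):
        return ["missing or non-string 'name' field"]
    return check_package_name(name)


def quoted_for_shell(name: str) -> str:
    """If a script must embed the name in a shell command line, this is the
    only safe form: shlex.quote keeps every metacharacter literal."""
    return shlex.quote(name)


# Constructed sample inputs: the original create-snap name and the name from
# this PR's second revision (escaped double quotes inside the JSON string).
ORIGINAL = '{"name": "@metamask/create-snap", "version": "1.0.0"}'
PAYLOAD = ('{"name": "h1-poc; echo \\"--- H1-VERIFICATION-LOG-BY-ANOMALY-ZERO ---\\"; #",'
           ' "version": "1.0.0"}')

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("pr", PAYLOAD)):
        print(label, check_package_json(body) or "ok")
```

Run it over every package.json in the workspace as a CI step; a name that carries shell metacharacters fails before any changelog or release script can interpolate it.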
SECURITY RESEARCH / HACKERONE VERIFICATION This PR was created upon specific request by the HackerOne Analyst (@h1_analyst_trev) and the MetaMask security team for Report #3413674 validation. Contains benign payload only. Do not merge.
Note: Adds a new private package at packages/h1-poc-verify (v1.0.0) and updates the workspace entry in yarn.lock. Written by Cursor Bugbot for commit 193a1d8.