Fix command injection by stsewd · Pull Request #1518 · gitpython-developers/GitPython
added 2 commits
December 20, 2022 22:04

Add `--` in some commands that receive user input which, if interpreted as options, could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous.

Fixed commands:
- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if it starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead to RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516).

Ref gitpython-developers#1517
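The mechanism behind the fix above, as an added example that is not GitPython's code: a wrapper that places a caller-supplied clone URL directly after the subcommand lets a URL such as `--upload-pack=<program>` be read as an option (git clone runs the program named by `--upload-pack` in place of git-upload-pack when it talks to the remote), while a `--` separator makes git treat everything after it as positional. git is never invoked here; the argv lists are built the way a subprocess wrapper would build them, and a small model of option parsing (an assumption for illustration, not git's own parser) shows how each list would be read. The `is_safe_positional` check is the "validate the input" advice from the description, applied at the API boundary. The payload, the target path and all function names are constructed for this example.

```python
"""Added example: why a positional argument that starts with '-' can be parsed
as an option, and how a '--' separator or an argument check prevents it.
Not GitPython code; git is never executed here."""
from typing import Dict, List, Tuple

# Long options that run an attacker-chosen program if an attacker can smuggle
# them onto a push/pull/fetch/clone command line (the PR description names
# these; git's spelling of the first one is --exec).
DANGEROUS_OPTIONS = {"--exec", "--upload-pack", "--receive-pack", "--config"}


def build_clone_argv_unsafe(url: str, path: str) -> List[str]:
    """Pre-fix shape: the caller's URL goes straight after the subcommand."""
    return ["git", "clone", url, path]


def build_clone_argv(url: str, path: str) -> List[str]:
    """Hardened shape: '--' ends option parsing, so the URL is always positional."""
    return ["git", "clone", "--", url, path]


def split_options_and_positionals(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Simplified model of how a subcommand's arguments are read.

    Before a bare '--', any argument beginning with '-' (other than '-' alone)
    is an option, with '--name=value' carrying its value inline; everything
    after '--' is positional even if it starts with '-'.  Options that take
    their value as a separate argument are not modelled.  This is an
    illustration, not git's parser.
    """
    options: Dict[str, str] = {}
    positionals: List[str] = []
    seen_separator = False
    for arg in argv[2:]:  # skip "git" and the subcommand name
        if not seen_separator and arg == "--":
            seen_separator = True
            continue
        if not seen_separator and arg.startswith("-") and arg != "-":
            name, _, value = arg.partition("=")
            options[name] = value
            continue
        positionals.append(arg)
    return options, positionals


def smuggled_dangerous_options(argv: List[str]) -> List[str]:
    """Names of dangerous options that a caller-supplied value ended up as."""
    options, _ = split_options_and_positionals(argv)
    return sorted(name for name in options if name in DANGEROUS_OPTIONS)


def is_safe_positional(arg: str) -> bool:
    """Boundary check for a value that must never be read as an option.

    Strict on purpose: short options such as -u or -c are just as dangerous as
    long ones, so anything with a leading '-' is refused.
    """
    return not arg.startswith("-")


def check_positional(arg: str) -> str:
    """Raise if the value would be read as an option; otherwise return it."""
    if not is_safe_positional(arg):
        raise ValueError(f"refusing argument that looks like an option: {arg!r}")
    return arg


# Constructed payload: a "URL" that is really an option with an inline value.
MALICIOUS_URL = "--upload-pack=touch /tmp/pwned"
TARGET_DIR = "/tmp/repo"  # constructed

if __name__ == "__main__":
    for label, argv in (
        ("unsafe", build_clone_argv_unsafe(MALICIOUS_URL, TARGET_DIR)),
        ("hardened", build_clone_argv(MALICIOUS_URL, TARGET_DIR)),
    ):
        options, positionals = split_options_and_positionals(argv)
        print(f"{label}: options={options} positionals={positionals} "
              f"dangerous={smuggled_dangerous_options(argv)}")
    try:
        check_positional(MALICIOUS_URL)
    except ValueError as exc:
        print("validator:", exc)
```

In the unsafe shape the payload is parsed as `--upload-pack` with the value `touch /tmp/pwned` and only `/tmp/repo` remains positional; in the hardened shape no option is seen at all. The separator only stops arguments from being read as options. It does nothing about a URL whose transport itself runs a command (git's `ext::` remote helper, for example), which is the separate "insecure options and protocols" problem the 3.1.30 notes on this page point to in gitpython-developers/GitPython#1521, and it does not help an application that forwards arbitrary caller-chosen options, which is why the description also asks callers to validate their input.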
stsewd deleted the fix-cmd-injection branch
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request
Jan 20, 2023

3.1.30

- Make injections of command-invocations harder or impossible for clone and others. See gitpython-developers/GitPython#1518 for details. Note that this might constitute a breaking change for some users, and if so please let us know and we will add an opt-out to this.
- Prohibit insecure options and protocols by default, which is potentially a breaking change, but a necessary fix for gitpython-developers/GitPython#1515. Please take a look at the PR for more information and how to bypass these protections in case they cause breakage: gitpython-developers/GitPython#1521.
halstead pushed a commit to openembedded/openembedded-core that referenced this pull request
Jan 26, 2023

stefan-hartmann-lgs pushed a commit to hexagon-geo-surv/poky that referenced this pull request
Jan 27, 2023

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439
Upstream-Status: Backport
Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request
Jan 31, 2023

Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439
Upstream-Status: Backport
Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
This was referenced
Feb 25, 2023

EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request
Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggests the bug may only be in the test and that the code under test may be working on Windows, the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used.

This doesn't appear to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request
Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. (The "\" characters in the path seem to be treated as escape characters rather than literally. Also, "touch" is not a native Windows command, and the "touch" command in Git for Windows maps disallowed occurrences of ":" in filenames to a separate code point in the Private Use Area of the Basic Multilingual Plane.)

This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request
Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own.

This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.