Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Force positional arguments to always be arguments to avoid options injection #1517

Closed
stsewd opened this issue Dec 19, 2022 · 1 comment
Closed

Security: Force positional arguments to always be arguments to avoid options injection #1517

stsewd opened this issue Dec 19, 2022 · 1 comment
Labels
acknowledged critical help wanted

Comments

@stsewd
Copy link
Contributor

stsewd commented Dec 19, 2022

This is somehow related to #1515, but as a more broad problem. Gitpython exposes some methods to interact with the git program, but gitpython fails to validate/escape the arguments (user-input), resulting in the user being able to pass options to the final git command, this doesn't seem bad, but git exposes some options (--upload-pack and --receive-pack) that can lead to remote code execution.

One example is the clone() method, it receives a path

GitPython/git/repo/base.py

Line 1219 in 17ff263

path: PathLike,

But an option can be passed as well, leading to RCE, a full working example is:

import git
r = git.Repo.init('/tmp/test', bare=True)
r.clone("--upload-pack=touch /tmp/pwn")

A usual solution is to add -- before any user-input arguments, forcing them to always be taken as positional arguments and not options, but there are commands like git checkout that make special use of --, git mentions the --end-of-options option https://git-scm.com/docs/gitcli/ as an alias for -- for cases like that, but that option isn't available for git checkout 🙃

Other options could be:

  • To have a list of commands (like checkout) to not add --
  • Check all command calls and add -- manually to each one, for example

    GitPython/git/repo/base.py

    Lines 1170 to 1180 in 17ff263

    proc = git.clone(
    multi,
    Git.polish_url(str(url)),
    clone_path,
    with_extended_output=True,
    as_process=True,
    v=True,
    universal_newlines=True,
    **add_progress(kwargs, git, progress),
    )
    if progress:

    that would be git.clone(multi, '--', ...)

ref #1515 (comment).
@stsewd stsewd mentioned this issue Dec 19, 2022
Closed
@Byron
Copy link
Member

Byron commented Dec 20, 2022

Thanks a lot for creating an issue and researching solutions as I think this will help a lot when implementing a mitigation.

Something I'd like to highlight is that not every git command that is invoked by the GitPython API has arguments that ultimately invoke other programs or unconditionally write files that are out of repository. Thus it should be possible to focus on those that do, like git clone, and maybe others.

stsewd added a commit to stsewd/GitPython that referenced this issue Dec 21, 2022
@stsewd
Fix command injection
3488761 
Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead fo RCE, like `--exc`, `--upload-pack`,
`--receive-pack`, `--config` (gitpython-developers#1516).

Ref gitpython-developers#1517
stsewd added a commit to stsewd/GitPython that referenced this issue Dec 21, 2022
@stsewd
Fix command injection
fbf9c7e 
Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
  adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead fo RCE, like `--exc`, `--upload-pack`,
`--receive-pack`, `--config` (gitpython-developers#1516).

Ref gitpython-developers#1517
@stsewd stsewd mentioned this issue Dec 21, 2022
Merged
@stsewd stsewd closed this as completed Dec 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
acknowledged critical help wanted
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Byron @stsewd