-
-
Notifications
You must be signed in to change notification settings - Fork 908
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix command injection #1518
Fix command injection #1518
Conversation
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. Fixed commands: - push - pull - fetch - clone/clone_from and friends - archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :)) For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
Taken from gitpython-developers#1516
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a million, much appreciated. Can we have at least one test along the lines of Repo.clone(…touch pawn…)
that will be fixed by this PR? That way it's anchored in something that provably existed, and tests provide great context on why a change was made.
When merged, I will adjust the changelog right away to include a note about this and link back here, as it might be a breaking change for some despite this being part of a patch release.
I have added 2 tests (for clone and clone_from), wasn't able to write a test to exploit the other ones easily. |
Thanks a lot! The changelog was updated and I hope there can be a release soon once #1516 was merged. If you have some bandwidth, I'd really appreciate if you could take over that PR as I think it's very close to being merged but is idling unnecessarily. |
I'll give it a try tomorrow 👍 |
* Update requirements from branch 'master' to 2aaf64dd91c63aa55f4cbe8c037a6f545e91b302 - Merge "Bump GitPython to 3.1.30" - Bump GitPython to 3.1.30 3.1.30 includes 2 sets of fixes for CVE-2022-24439: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439 gitpython-developers/GitPython#1515 PRs: gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 Signed-off-by: Lon Hohberger <lhh@redhat.com> Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
3.1.30 includes 2 sets of fixes for CVE-2022-24439: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439 gitpython-developers/GitPython#1515 PRs: gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 Signed-off-by: Lon Hohberger <lhh@redhat.com> Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
3.1.30 - Make injections of command-invocations harder or impossible for clone and others. See gitpython-developers/GitPython#1518 for details. Note that this might constitute a breaking change for some users, and if so please let us know and we add an opt-out to this. - Prohibit insecure options and protocols by default, which is potentially a breaking change, but a necessary fix for gitpython-developers/GitPython#1515. Please take a look at the PR for more information and how to bypass these protections in case they cause breakage: gitpython-developers/GitPython#1521.
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: poky MR: 124663 Type: Integration Disposition: Merged from poky ChangeID: 0721360 Description: All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
And you were right Byron, seeing how the commit broke code for Stable Diffusion web UI as referenced above |
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggest the bug may only be in the test and that the code under test may be working on Windows, but the test does not establish that, for which it would need to test with a payload clearly capable of creating a file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used. This doesn't appear to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. (The "\" characters in the path seem to be treated as escape characters rather than literally. Also, "touch" is not a native Windows command, and the "touch" command in Git for Windows maps disallowed occurrences of ":" in filenames to a separate code point in the Private Use Area of the Basic Multilingual Plane.) This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
Add
--
in some commands that receive user inputand if interpreted as options could lead to remote code execution (RCE).
There may be more commands that could benefit from
--
so the input is never interpreted as an option,but most of those aren't dangerous.
Fixed commands:
--
:))For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with
--
). And for anyone allowing users to pass arbitrary options, be aware that some options may lead to RCE, like--exc
,--upload-pack
,--receive-pack
,--config
(#1516).Ref #1517