Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix command injection #1518

Merged
merged 3 commits into from
Dec 22, 2022
Merged

Conversation

stsewd
Copy link
Contributor

@stsewd stsewd commented Dec 21, 2022

Add -- in some commands that receive user input
and if interpreted as options could lead to remote code execution (RCE).

There may be more commands that could benefit from -- so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

  • push
  • pull
  • fetch
  • clone/clone_from and friends
  • archive (not sure if this one can be exploited, but it doesn't hurt adding -- :))

For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with --). And for anyone allowing users to pass arbitrary options, be aware that some options may lead to RCE, like --exc, --upload-pack, --receive-pack, --config (#1516).

Ref #1517

Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
  adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead fo RCE, like `--exc`, `--upload-pack`,
`--receive-pack`, `--config` (gitpython-developers#1516).

Ref gitpython-developers#1517
@Byron Byron added this to the v3.1.30 - Bugfixes milestone Dec 21, 2022
Copy link
Member

@Byron Byron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a million, much appreciated. Can we have at least one test along the lines of Repo.clone(…touch pawn…) that will be fixed by this PR? That way it's anchored in something that provably existed, and tests provide great context on why a change was made.

When merged, I will adjust the changelog right away to include a note about this and link back here, as it might be a breaking change for some despite this being part of a patch release.

@stsewd
Copy link
Contributor Author

stsewd commented Dec 22, 2022

I have added 2 tests (for clone and clone_from), wasn't able to write a test to exploit the other ones easily.

@Byron Byron merged commit 7918fcc into gitpython-developers:main Dec 22, 2022
@Byron
Copy link
Member

Byron commented Dec 22, 2022

Thanks a lot! The changelog was updated and I hope there can be a release soon once #1516 was merged. If you have some bandwidth, I'd really appreciate if you could take over that PR as I think it's very close to being merged but is idling unnecessarily.

@stsewd stsewd deleted the fix-cmd-injection branch December 22, 2022 16:16
@stsewd
Copy link
Contributor Author

stsewd commented Dec 23, 2022

I'll give it a try tomorrow 👍

openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request Jan 10, 2023
* Update requirements from branch 'master'
  to 2aaf64dd91c63aa55f4cbe8c037a6f545e91b302
  - Merge "Bump GitPython to 3.1.30"
  - Bump GitPython to 3.1.30
    
    3.1.30 includes 2 sets of fixes for CVE-2022-24439:
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
      gitpython-developers/GitPython#1515
    
    PRs:
      gitpython-developers/GitPython#1518
      gitpython-developers/GitPython#1521
    
    Signed-off-by: Lon Hohberger <lhh@redhat.com>
    Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
openstack-mirroring pushed a commit to openstack/requirements that referenced this pull request Jan 10, 2023
3.1.30 includes 2 sets of fixes for CVE-2022-24439:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
  gitpython-developers/GitPython#1515

PRs:
  gitpython-developers/GitPython#1518
  gitpython-developers/GitPython#1521

Signed-off-by: Lon Hohberger <lhh@redhat.com>
Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 20, 2023
3.1.30
- Make injections of command-invocations harder or impossible for clone and others.
  See gitpython-developers/GitPython#1518 for details.
  Note that this might constitute a breaking change for some users, and if so please
  let us know and we add an opt-out to this.
- Prohibit insecure options and protocols by default, which is potentially a breaking change,
  but a necessary fix for gitpython-developers/GitPython#1515.
  Please take a look at the PR for more information and how to bypass these protections
  in case they cause breakage: gitpython-developers/GitPython#1521.
halstead pushed a commit to openembedded/openembedded-core that referenced this pull request Jan 26, 2023
All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
stefan-hartmann-lgs pushed a commit to hexagon-geo-surv/poky that referenced this pull request Jan 27, 2023
All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Jan 31, 2023
Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
@Testertime
Copy link

Testertime commented Feb 28, 2023

as it might be a breaking change for some despite this being part of a patch release.

And you were right Byron, seeing how the commit broke code for Stable Diffusion web UI as referenced above

EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023
This other GitCommandError on Windows is not related to
IndexFile.from_tree whose 8 related failing tests were marked
xfail in the preceding commit.

Also, test_clone_command_injection should not be confused with
test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the
directory GitPython is intended to clone to (when the possible
security vulnerability this test checks for is *absent*) is not
valid. Although this suggest the bug may only be in the test and
that the code under test may be working on Windows, but the test
does not establish that, for which it would need to test with a
payload clearly capable of creating a file unexpected_path points
to when run on its own. I am unsure if that is the case, given
that the "touch" command is used.

This doesn't appear to be reported as a bug, but some general
context about the implementation can be examined in gitpython-developers#1518 where it
was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023
This other GitCommandError on Windows is not related to
IndexFile.from_tree whose 8 related failing tests were marked xfail
in the preceding commit.

Also, test_clone_command_injection should not be confused with
test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the
directory GitPython is intended to clone to -- when the possible
security vulnerability this test checks for is absent -- is not
valid. This suggests the bug may only be in the test and that the
code under test may be working on Windows. But the test does not
establish that, for which it would need to test with a payload
clearly capable of creating the file unexpected_path refers to when
run on its own. (The "\" characters in the path seem to be treated
as escape characters rather than literally. Also, "touch" is not a
native Windows command, and the "touch" command in Git for Windows
maps disallowed occurrences of ":" in filenames to a separate code
point in the Private Use Area of the Basic Multilingual Plane.)

This doesn't currently seem to be reported as a bug, but some
general context about the implementation can be examined in gitpython-developers#1518
where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023
This other GitCommandError on Windows is not related to
IndexFile.from_tree whose 8 related failing tests were marked xfail
in the preceding commit.

Also, test_clone_command_injection should not be confused with
test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the
directory GitPython is intended to clone to -- when the possible
security vulnerability this test checks for is absent -- is not
valid. This suggests the bug may only be in the test and that the
code under test may be working on Windows. But the test does not
establish that, for which it would need to test with a payload
clearly capable of creating the file unexpected_path refers to when
run on its own.

This doesn't currently seem to be reported as a bug, but some
general context about the implementation can be examined in gitpython-developers#1518
where it was introduced, and gitpython-developers#1531 where it was modified.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants