Commitfbf9c7e

committed

Fix command injection

Add `--` in some commands that receive user inputand if interpreted as options could lead to remotecode execution (RCE).There may be more commands that could benefit from `--`so the input is never interpreted as an option,but most of those aren't dangerous.Fixed commands:- push- pull- fetch- clone/clone_from and friends- archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :))For anyone using GitPython and exposing any of the GitPython methods to users,make sure to always validate the input (like if starts with `--`).And for anyone allowing users to pass arbitrary options, be awarethat some options may lead fo RCE, like `--exc`, `--upload-pack`,`--receive-pack`, `--config` (#1516).Ref#1517

1 parent17ff263 commitfbf9c7eCopy full SHA for fbf9c7e

File tree

2 files changed

-3

lines changed

git
- remote.py
- repo
  - base.py

2 files changed

-3

lines changed

`‎git/remote.py`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -964,7 +964,7 @@ def fetch(`
`964`	`964`	`args= [refspec]`
`965`	`965`
`966`	`966`	`proc=self.repo.git.fetch(`
`967`		`-self,args,as_process=True,with_stdout=False,universal_newlines=True,v=verbose,*kwargs`
	`967`	`+"--",self,args,as_process=True,with_stdout=False,universal_newlines=True,v=verbose,*kwargs`
`968`	`968`	`)`
`969`	`969`	`res=self._get_fetch_info_from_stderr(proc,progress,kill_after_timeout=kill_after_timeout)`
`970`	`970`	`ifhasattr(self.repo.odb,"update_cache"):`
`@@ -991,7 +991,7 @@ def pull(`
`991`	`991`	`self._assert_refspec()`
`992`	`992`	`kwargs=add_progress(kwargs,self.repo.git,progress)`
`993`	`993`	`proc=self.repo.git.pull(`
`994`		`-self,refspec,with_stdout=False,as_process=True,universal_newlines=True,v=True,**kwargs`
	`994`	`+"--",self,refspec,with_stdout=False,as_process=True,universal_newlines=True,v=True,**kwargs`
`995`	`995`	`)`
`996`	`996`	`res=self._get_fetch_info_from_stderr(proc,progress,kill_after_timeout=kill_after_timeout)`
`997`	`997`	`ifhasattr(self.repo.odb,"update_cache"):`
`@@ -1034,6 +1034,7 @@ def push(`
`1034`	`1034`	`be 0."""`
`1035`	`1035`	`kwargs=add_progress(kwargs,self.repo.git,progress)`
`1036`	`1036`	`proc=self.repo.git.push(`
	`1037`	`+"--",`
`1037`	`1038`	`self,`
`1038`	`1039`	`refspec,`
`1039`	`1040`	`porcelain=True,`

`‎git/repo/base.py`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1169,6 +1169,7 @@ def _clone(`
`1169`	`1169`	`multi=shlex.split(" ".join(multi_options))`
`1170`	`1170`	`proc=git.clone(`
`1171`	`1171`	`multi,`
	`1172`	`+"--",`
`1172`	`1173`	`Git.polish_url(str(url)),`
`1173`	`1174`	`clone_path,`
`1174`	`1175`	`with_extended_output=True,`
`@@ -1305,7 +1306,7 @@ def archive(`
`1305`	`1306`	`ifnotisinstance(path, (tuple,list)):`
`1306`	`1307`	`path= [path]`
`1307`	`1308`	`# end assure paths is list`
`1308`		`-self.git.archive(treeish,path,*kwargs)`
	`1309`	`+self.git.archive("--",treeish,path,*kwargs)`
`1309`	`1310`	`returnself`
`1310`	`1311`
`1311`	`1312`	`defhas_separate_working_tree(self)->bool:`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitfbf9c7e

File tree

2 files changed

2 files changed

`‎git/remote.py`

`‎git/repo/base.py`

0 commit comments