Fix command injection#1518


Merged
Byron merged 3 commits into gitpython-developers:main from stsewd:fix-cmd-injection
Dec 22, 2022

Conversation

stsewd (Contributor)

Add `--` in some commands that receive user input and, if interpreted as options, could lead to remote code execution (RCE).

There may be more commands that could benefit from `--` so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

  • push
  • pull
  • fetch
  • clone/clone_from and friends
  • archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if it starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead to RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (#1516).

Ref #1517
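As an added example (not the PR's own code and not GitPython's API), the two defenses the description above names, applied to the clone case: a `--` separator placed before the user-controlled URL and path, and a validation step that refuses option-like input and allowlists user-supplied options. `ALLOWED_USER_OPTIONS` is an assumed set; `--depth`, `--branch` and `--single-branch` are real `git clone` options chosen for illustration.

```python
"""Constructed example (not GitPython's code): the two defenses this PR
describes, a `--` separator before user-controlled positionals and an
allowlist check on user-supplied options, applied to `git clone`."""
import subprocess
from typing import List, Sequence

# Assumed allowlist (real git clone options picked for illustration). Options
# must use the --name=value form so every argv element is checked; anything
# else, including names that can run code (see the PR text), is rejected.
ALLOWED_USER_OPTIONS = {"--depth", "--branch", "--single-branch"}

def looks_like_option(value: str) -> bool:
    """git parses any argument starting with '-' as an option unless `--`
    precedes it."""
    return value.startswith("-")

def clone_argv_before_fix(url: str, path: str) -> List[str]:
    """Shape of the invocation this PR fixes: user input sits where git still
    parses options, so a '-'-prefixed url is read as a flag, not a URL."""
    return ["git", "clone", url, path]

def build_clone_argv(url: str, path: str,
                     user_options: Sequence[str] = ()) -> List[str]:
    """Hardened argv: allowlisted options, then `--`, then the positionals.
    Raises ValueError rather than passing option-like input through."""
    for value in (url, path):
        if looks_like_option(value):
            raise ValueError(f"refusing option-like argument: {value!r}")
    for opt in user_options:
        if opt.split("=", 1)[0] not in ALLOWED_USER_OPTIONS:
            raise ValueError(f"option not allowed: {opt!r}")
    return ["git", "clone", *user_options, "--", url, path]

def is_rejected(url: str, path: str, user_options: Sequence[str] = ()) -> bool:
    """True when the hardened builder refuses the given input."""
    try:
        build_clone_argv(url, path, user_options)
    except ValueError:
        return True
    return False

def run_clone(url: str, path: str, user_options: Sequence[str] = ()) -> int:
    """Execute without a shell: an argv list, never a joined command string."""
    argv = build_clone_argv(url, path, user_options)
    return subprocess.run(argv, check=False).returncode
```

The same pattern applies to the other commands the PR lists (push, pull, fetch, archive): caller-chosen options first, `--`, then anything a user supplied.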

@Byron added this to the v3.1.30 - Bugfixes milestone Dec 21, 2022

@Byron (Member) left a comment


Thanks a million, much appreciated. Can we have at least one test along the lines of `Repo.clone(…touch pawn…)` that will be fixed by this PR? That way it's anchored in something that provably existed, and tests provide great context on why a change was made.

When merged, I will adjust the changelog right away to include a note about this and link back here, as it might be a breaking change for some despite this being part of a patch release.

@stsewd (Contributor, Author)

I have added 2 tests (for clone and clone_from), wasn't able to write a test to exploit the other ones easily.

@Byron merged commit 7918fcc into gitpython-developers:main Dec 22, 2022

@Byron (Member)

Thanks a lot! The changelog was updated and I hope there can be a release soon once #1516 was merged. If you have some bandwidth, I'd really appreciate if you could take over that PR as I think it's very close to being merged but is idling unnecessarily.

@stsewd deleted the fix-cmd-injection branch December 22, 2022 16:16

@stsewd (Contributor, Author)

I'll give it a try tomorrow 👍


openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request Jan 10, 2023

* Update requirements from branch 'master'
  to 2aaf64dd91c63aa55f4cbe8c037a6f545e91b302
  - Merge "Bump GitPython to 3.1.30"
  - Bump GitPython to 3.1.30

    3.1.30 includes 2 sets of fixes for CVE-2022-24439:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
    gitpython-developers/GitPython#1515

    PRs:
    gitpython-developers/GitPython#1518
    gitpython-developers/GitPython#1521

    Signed-off-by: Lon Hohberger <lhh@redhat.com>
    Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
openstack-mirroring pushed a commit to openstack/requirements that referenced this pull request Jan 10, 2023
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 20, 2023

3.1.30
- Make injections of command-invocations harder or impossible for clone and others.
  See gitpython-developers/GitPython#1518 for details.
  Note that this might constitute a breaking change for some users, and if so please
  let us know and we add an opt-out to this.
- Prohibit insecure options and protocols by default, which is potentially a breaking change,
  but a necessary fix for gitpython-developers/GitPython#1515.
  Please take a look at the PR for more information and how to bypass these protections
  in case they cause breakage: gitpython-developers/GitPython#1521.
halstead pushed a commit to openembedded/openembedded-core that referenced this pull request Jan 26, 2023

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
stefan-hartmann-lgs pushed a commit to hexagon-geo-surv/poky that referenced this pull request Jan 27, 2023

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Jan 31, 2023

Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
@Testertime commented Feb 28, 2023 (edited)

> as it might be a breaking change for some despite this being part of a patch release.

And you were right Byron, seeing how the commit broke code for Stable Diffusion web UI as referenced above


EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit.

Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggests the bug may only be in the test and that the code under test may be working on Windows, the test does not establish that, for which it would need to test with a payload clearly capable of creating a file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used.

This doesn't appear to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit.

Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. (The "\" characters in the path seem to be treated as escape characters rather than literally. Also, "touch" is not a native Windows command, and the "touch" command in Git for Windows maps disallowed occurrences of ":" in filenames to a separate code point in the Private Use Area of the Basic Multilingual Plane.)

This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request Nov 16, 2023

This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit.

Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms.

The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own.

This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
Reviewers

@Byron requested changes

3 participants
@stsewd @Byron @Testertime