While it is true that Bandit has a dependency on GitPython, it does not use it to do any cloning, nor take a URL argument. The code in particular that uses GitPython is found in the baseline.py module.
Describe the bug
There is a Remote Code Execution vulnerability in all versions of gitpython.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
Reproduction steps
1. Install bandit version 1.7.4
2. It requires gitpython >=1.0.1 (but installs 3.1.29)
3. gitpython 3.1.29 has the reported vulnerability
Expected behavior
Proper input validation for git URLs needs to exist so that it is NOT possible to inject a maliciously crafted remote URL into the clone command.
Bandit version
1.7.4 (Default)
Python version
3.11 (Default)
Additional context
No response
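The expected behavior above asks for input validation of git remote URLs before they reach a clone command. The following is an added example of what such a check can look like on the calling side; it is not Bandit's or GitPython's own code. It assumes the caller controls the clone invocation, accepts only an allow-list of network transports (`ALLOWED_SCHEMES`) plus the scp-like `user@host:path` form, rejects git's `helper::address` remote-helper syntax and anything option-shaped, and passes the validated value after git's `--` end-of-options marker. The sample inputs at the bottom are constructed for illustration.

```python
"""Validate git remote URLs before they reach a clone command.

Added, illustrative code: not Bandit's or GitPython's own implementation.
Assumptions: the caller controls the clone invocation, only the transports in
ALLOWED_SCHEMES and the scp-like 'user@host:path' form are acceptable, and the
validated value is passed after a '--' end-of-options marker.
"""
import re
from urllib.parse import urlsplit

# Assumption: a deployment allow-list; file:// and remote-helper transports are
# deliberately left off it.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-like syntax ([user@]host:path). The host must start with an alphanumeric
# character, so an option-shaped value can never match this form.
_SCP_LIKE = re.compile(
    r"^(?:[A-Za-z0-9._-]+@)?(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<path>\S+)$"
)


class InvalidGitURL(ValueError):
    """Raised for any remote URL that does not pass the allow-list checks."""


def validate_git_url(url: str) -> str:
    """Return ``url`` unchanged if it is a plain network remote; raise otherwise."""
    if not isinstance(url, str) or not url:
        raise InvalidGitURL("empty remote URL")
    # Whitespace and control characters never belong in a remote URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise InvalidGitURL("whitespace or control character in remote URL")
    # Anything starting with '-' could be parsed as an option by the git binary.
    if url.startswith("-"):
        raise InvalidGitURL("remote URL must not start with '-'")
    # git's remote-helper syntax is '<helper>::<address>'; it is not a plain URL
    # and is rejected before any parsing. Only the part before '://' is examined
    # so an IPv6 literal such as https://[::1]/repo.git is still accepted.
    head = url.split("://", 1)[0]
    if "::" in head:
        raise InvalidGitURL("remote-helper syntax is not allowed")
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            raise InvalidGitURL(f"scheme {parts.scheme!r} is not allowed")
        host = parts.hostname
        if not host or host.startswith("-"):
            raise InvalidGitURL("remote URL has no usable host")
        return url
    # No scheme: accept only the scp-like form.
    if _SCP_LIKE.match(url):
        return url
    raise InvalidGitURL("unrecognised remote URL form")


def is_valid_git_url(url: str) -> bool:
    """Boolean wrapper around validate_git_url for callers that prefer a flag."""
    try:
        validate_git_url(url)
        return True
    except InvalidGitURL:
        return False


def clone_argv(url: str, dest: str) -> list:
    """Build the argv for a clone: validate the URL and end option parsing with '--'."""
    return ["git", "clone", "--", validate_git_url(url), dest]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    for candidate in [
        "https://github.com/PyCQA/bandit.git",
        "git@github.com:PyCQA/bandit.git",
        "https://[::1]/repo.git",
        "file:///tmp/repo",
        "-oexample",
        "helper::address",
        "not a url",
    ]:
        verdict = "accepted" if is_valid_git_url(candidate) else "rejected"
        print(f"{candidate!r:45} -> {verdict}")
```

The two checks that matter most for the class of bug described in the report are the leading `-` rejection and the `::` rejection on the scheme portion: the first keeps a remote argument from ever being read as a flag, the second keeps the transport limited to ordinary URLs rather than helper programs. The `--` in `clone_argv` is git's own end-of-options marker from the `git clone` synopsis, so even a value that slipped past validation would be treated as a repository argument rather than an option.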