Fix command injection #1518
Merged
Fix command injection #1518
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. Fixed commands: - push - pull - fetch - clone/clone_from and friends - archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :)) For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
Taken from gitpython-developers#1516
Byron
requested changes
Dec 21, 2022
There was a problem hiding this comment.
Thanks a million, much appreciated. Can we have at least one test along the lines of Repo.clone(…touch pawn…) that will be fixed by this PR? That way it's anchored in something that provably existed, and tests provide great context on why a change was made.
When merged, I will adjust the changelog right away to include a note about this and link back here, as it might be a breaking change for some despite this being part of a patch release.
|
I have added 2 tests (for clone and clone_from), wasn't able to write a test to exploit the other ones easily. |
|
Thanks a lot! The changelog was updated and I hope there can be a release soon once #1516 was merged. If you have some bandwidth, I'd really appreciate if you could take over that PR as I think it's very close to being merged but is idling unnecessarily. |
|
I'll give it a try tomorrow 👍 |
openstack-mirroring
pushed a commit
to openstack/openstack
that referenced
this pull request
Jan 10, 2023
* Update requirements from branch 'master'
to 2aaf64dd91c63aa55f4cbe8c037a6f545e91b302
- Merge "Bump GitPython to 3.1.30"
- Bump GitPython to 3.1.30
3.1.30 includes 2 sets of fixes for CVE-2022-24439:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
gitpython-developers/GitPython#1515
PRs:
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521
Signed-off-by: Lon Hohberger <lhh@redhat.com>
Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
openstack-mirroring
pushed a commit
to openstack/requirements
that referenced
this pull request
Jan 10, 2023
3.1.30 includes 2 sets of fixes for CVE-2022-24439: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439 gitpython-developers/GitPython#1515 PRs: gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 Signed-off-by: Lon Hohberger <lhh@redhat.com> Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jan 20, 2023
3.1.30 - Make injections of command-invocations harder or impossible for clone and others. See gitpython-developers/GitPython#1518 for details. Note that this might constitute a breaking change for some users, and if so please let us know and we add an opt-out to this. - Prohibit insecure options and protocols by default, which is potentially a breaking change, but a necessary fix for gitpython-developers/GitPython#1515. Please take a look at the PR for more information and how to bypass these protections in case they cause breakage: gitpython-developers/GitPython#1521.
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this pull request
Jan 26, 2023
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
stefan-hartmann-lgs
pushed a commit
to hexagon-geo-surv/poky
that referenced
this pull request
Jan 27, 2023
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this pull request
Jan 31, 2023
Source: poky MR: 124663 Type: Integration Disposition: Merged from poky ChangeID: 0721360 Description: All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: gitpython-developers/GitPython#1529 gitpython-developers/GitPython#1518 gitpython-developers/GitPython#1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
This was referenced Feb 25, 2023
And you were right Byron, seeing how the commit broke code for Stable Diffusion web UI as referenced above |
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggest the bug may only be in the test and that the code under test may be working on Windows, but the test does not establish that, for which it would need to test with a payload clearly capable of creating a file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used. This doesn't appear to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. (The "\" characters in the path seem to be treated as escape characters rather than literally. Also, "touch" is not a native Windows command, and the "touch" command in Git for Windows maps disallowed occurrences of ":" in filenames to a separate code point in the Private Use Area of the Basic Multilingual Plane.) This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add
--in some commands that receive user inputand if interpreted as options could lead to remote code execution (RCE).
There may be more commands that could benefit from
--so the input is never interpreted as an option,but most of those aren't dangerous.
Fixed commands:
--:))For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with
--). And for anyone allowing users to pass arbitrary options, be aware that some options may lead to RCE, like--exc,--upload-pack,--receive-pack,--config(#1516).Ref #1517