Don't split git references on unicode separators #9827
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pradyunsg
added
type: security
Previously, maliciously formatted tags could be used to hijack a commit-based pin. Using the fact that the split here allowed for all of unicode's whitespace characters as separators -- which git allows as a part of a tag name -- it is possible to force a different revision to be installed; if an attacker gains access to the repository. This change stops splitting the string on unicode characters, by forcing the splits to happen on newlines and ASCII spaces.
pradyunsg
force-pushed
the
fix-git-improper-tag-handling
branch
from
d85a28c
to
0e4938d
Compare
|
I've intentionally not added a test demonstrating the attack -- I'd like to do that after we have a release with the fix. |
pradyunsg
commented
Apr 24, 2021
FasterSpeeding
added a commit
to hikari-py/hikari
that referenced
this pull request
May 1, 2021
This avoids it erroring due to pypa/pip#9827
2 tasks
FasterSpeeding
added a commit
to hikari-py/hikari
that referenced
this pull request
May 1, 2021
This avoids it erroring due to pypa/pip#9827
trbs
added a commit
to django-extensions/django-extensions
that referenced
this pull request
May 2, 2021
1 task
5 tasks
|
Does this security vulnerability deserve a CVE number? Is there a plan to request one? |
1 task
|
FYI - this issue was assigned CVE-2021-3572 by Red Hat, Inc. |
Would it be possible to add a test now? |
|
I've tried to describe my effort in the linked issue. |
aalexanderr
added a commit
to aalexanderr/fetchcode
that referenced
this pull request
Aug 23, 2021
WARNING: fetchcode's vcs will not work on this commit. This is result of separating pip's code from changes made in scope of this repository. This should make it easier to track potentially replicated issues from pip when taking their vcs pkg. It also made cleaning up easier, due to some maintenance activities done in pip: - dropping Python 2 & 3.5 support pypa/pip#9189 - modernized code after above - partially done, tracked in: pypa/pip#8802 - added py3.9 support - updated vendored libraries (e.g. fixing CVE-2021-28363) multiple PRs pip._internal.vcs (and related code) changes: - Fetch resources that are missing locally: pypa/pip#8817 - Improve SVN version parser (Windows) pypa/pip#8665 - Always close stderr after subprocess completion: pypa/pip#9156 - Remove vcs export feature: pypa/pip#9713 - Remove support for git+ssh@ scheme in favour of git+ssh:// pypa/pip#9436 - Security fix in git tags parsing (CVE-2021-3572): pypa/pip#9827 - Reimplement Git version parsing: pypa/pip#10117 In next commits, most of pip's internals will be removed from fetchcode, leaving only vcs module with supporting code (like utils functions, tests (which will be added & submitted with this change)) This will allow for changes such as ability to add return codes (probably via futures) from long running downloads and other features. Switching to having own vcs module might also be a good call due to pip._internal.vcs close integration with pip's cli in vcs module (some pip code has been commented out in commit mentioned below) While generally copy-pasting code without history is bad idea, this commit follows precedence set in this repo by: 8046215 with exception that all changes to pip's code will be submitted as separate commits. It has been agreed with @pombredanne & @TG1999 that history from pip will be rebased on fetchcode by @pombredanne (thanks!). It will be done only for the files that are of concern for fetchcode to limit noise in git history. I'm leaving this commit without SoB intentionally, as this is not my work, but that of the many pip's authors: https://github.com/pypa/pip/blob/21.2.4/AUTHORS.txt License of pip: MIT (https://pypi.org/project/pip/)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, maliciously formatted tags could be used to hijack a
commit-based pin. Using the fact that the split here allowed for
all of unicode's whitespace characters as separators -- which git allows
as a part of a tag name -- it is possible to force a different revision
to be installed; if an attacker gains access to the repository.
This change stops splitting the string on unicode characters, by forcing
the splits to happen on newlines and ASCII spaces.