-
-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Force positional arguments to always be arguments to avoid options injection #1517
Labels
Comments
Thanks a lot for creating an issue and researching solutions as I think this will help a lot when implementing a mitigation. Something I'd like to highlight is that not every |
stsewd
added a commit
to stsewd/GitPython
that referenced
this issue
Dec 21, 2022
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
stsewd
added a commit
to stsewd/GitPython
that referenced
this issue
Dec 21, 2022
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. Fixed commands: - push - pull - fetch - clone/clone_from and friends - archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :)) For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is somehow related to #1515, but as a more broad problem. Gitpython exposes some methods to interact with the git program, but gitpython fails to validate/escape the arguments (user-input), resulting in the user being able to pass options to the final git command, this doesn't seem bad, but git exposes some options (
--upload-pack
and--receive-pack
) that can lead to remote code execution.One example is the
clone()
method, it receives a pathGitPython/git/repo/base.py
Line 1219 in 17ff263
But an option can be passed as well, leading to RCE, a full working example is:
A usual solution is to add
--
before any user-input arguments, forcing them to always be taken as positional arguments and not options, but there are commands like git checkout that make special use of--
, git mentions the--end-of-options
option https://git-scm.com/docs/gitcli/ as an alias for--
for cases like that, but that option isn't available forgit checkout
🙃Other options could be:
--
--
manually to each one, for exampleGitPython/git/repo/base.py
Lines 1170 to 1180 in 17ff263
that would be
git.clone(multi, '--', ...)
ref #1515 (comment).
The text was updated successfully, but these errors were encountered: