Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create the unsafe plugin to configure how simple-git treats known potentially unsafe operations. #861

Merged
merged 1 commit into from
Nov 12, 2022
Merged

Create the unsafe plugin to configure how simple-git treats known potentially unsafe operations. #861

merged 1 commit into from
Nov 12, 2022
+159 −1

Conversation

steveukx
Copy link
Owner

Snyk recognised a potential vulnerability caused by passing unsanitised user data into commands that operate on a git remote (eg clone, fetch, pull and push etc) whereby an inline configuration argument could be used to enable the ext:: protocol to switch out the remote for an arbitrary named binary run on the host machine.

While this highlights the need to sanitise user input in the application that consumes it before passing it through to any library, simple-git will now limit the use of these options unless the developer explicitly opts in to them with a new allowUnsafeProtocolOverride option.

@steveukx
Create the unsafe plugin to configure how simple-git treats known…
6b3c631 
… potentially unsafe operations.

Snyk recognised a potential vulnerability caused by passing unsanitised user data into commands that operate on a git remote (eg `clone`, `fetch`, `pull` and `push` etc) whereby an inline configuration argument could be used to enable the `ext::` protocol to switch out the remote for an arbitrary named binary run on the host machine.

While this highlights the need to sanitise user input in the application that consumes it before passing it through to any library, `simple-git` will now limit the use of these options unless the developer explicitly opts in to them with a new `allowUnsafeProtocolOverride` option.
@changeset-bot
Copy link

changeset-bot bot commented Nov 12, 2022

⚠️ No Changeset found

Latest commit: 6b3c631

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@steveukx steveukx merged commit 47030d5 into main Nov 12, 2022
@delete-merged-branch delete-merged-branch bot deleted the security/protocols branch November 12, 2022 10:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@steveukx