Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alias command injection #306

Merged
merged 4 commits into from
Mar 12, 2022
Merged

Alias command injection #306

merged 4 commits into from
Mar 12, 2022

Conversation

tony
Copy link
Member

@tony tony commented Mar 12, 2022
edited
Loading 

create_repo(
   url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
)

Credit: Alessio Della Libera alessio.dellalibera@snyk.io via Snyk

@codecov
Copy link

codecov bot commented Mar 12, 2022
edited
Loading

Codecov Report

Merging #306 (66640ae) into master (96d2ada) will increase coverage by 0.13%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #306      +/-   ##
==========================================
+ Coverage   86.41%   86.55%   +0.13%     
==========================================
  Files          15       15              
  Lines         810      818       +8     
==========================================
+ Hits          700      708       +8     
  Misses        110      110
Impacted Files Coverage Δ
libvcs/hg.py 100.00% <100.00%> (ø)
tests/test_hg.py 97.56% <100.00%> (+0.59%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 96d2ada...66640ae. Read the comment docs.

@tony
tests(hg): Check for URL command injection vuln
c8a2ca6
@tony
fix(hg): Command injection vulnerability in URLs via alias
3f4e93e 
> create_repo(
>    url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
> )

Credit: Alessio Della Libera <alessio.dellalibera@snyk.io> via Snyk
@tony
docs(CHANGES): Note vulnerability fix
66640ae
@tony tony merged commit 7179656 into master Mar 12, 2022
tony added a commit to vcs-python/vcspull that referenced this pull request Mar 12, 2022
@tony
build(deps): Bump libvcs 0.11.0 -> 0.11.1 for hg URL vuln
e1b7712 
See also:
- https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES#libvcs-0111-2022-03-12
- vcs-python/libvcs#306
@tony tony deleted the hg-vuln branch March 15, 2022 03:05
@tony tony restored the hg-vuln branch April 2, 2022 11:12
@tony tony deleted the hg-vuln branch April 2, 2022 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tony