
Block insecure options and protocols by default #1521

Merged
merged 7 commits into gitpython-developers:main from block-insecure-options on Dec 29, 2022

Conversation

stsewd
Contributor

@stsewd stsewd commented Dec 24, 2022

This got a little longer than expected 😮‍💨. There were other places where git accepted ext:: URLs, like git pull/push/fetch <URL>: https://git-scm.com/docs/git-remote-ext#_examples

And there are other config options that can be harmful, so I think we should just forbid the --config option. If anyone is relying on that option, they can opt out with allow_unsafe_options=True.

--*-pack and --exec are the options that I found that could lead to RCE, but anyone allowing users to pass arbitrary options should be aware that there may be more of these, I don't know.

This is still missing adding/updating tests.

This is on top of #1516
Fixes #1515

s-t-e-v-e-n-k and others added 2 commits December 23, 2022 16:16
Since the URL is passed directly to git clone, and the remote-ext helper
will happily execute shell commands, by default disallow URLs that
contain a "::" unless a new unsafe_protocols kwarg is passed.
(CVE-2022-24439)

Fixes gitpython-developers#1515
Member

@Byron Byron left a comment


Thanks so much for having put in so much time and effort to help fixing this!

It mostly looks good to me, and once CI is working there shouldn't be much in the way of merging the PR.

Review comments (resolved) on: git/cmd.py, test/test_repo.py, git/remote.py
@stsewd stsewd marked this pull request as ready for review December 28, 2022 01:12
@stsewd
Contributor Author

stsewd commented Dec 28, 2022

I have added/updated the tests.

Member

@Byron Byron left a comment


Thanks so much, this is tremendous work and great value for GitPython and all of its users. If you would like more recognition for this, please feel free to add an entry to changes.rst and include your name if you want. The same goes for the authors file.

That said, and if you feel you have a little more time and patience, I generally thought that asserting that these pwn files exist or don't exist, where it's easily possible, would help readability a lot while adding some assurance that it's actually, effectively working like it should. After all, having an exception raised is a side-effect of us ideally stopping the git command from being executed, but we don't really know unless we fail to observe the side-effect that we are trying to prevent.

If you don't have time, that's alright as well, just let me know and I will merge as is and get a new release ready.

Thanks so much!

Review comments (resolved) on: test/test_remote.py, test/test_repo.py
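An added example in Python, not GitPython's own code, that serves two passages of this thread: the two guards the PR description proposes (refuse remote-helper `::` URLs for clone/fetch/pull/push, and refuse `--*-pack`, `--exec` and `--config` unless the caller opts out with allow_unsafe_protocols / allow_unsafe_options), and the kind of test the review above asks for, which checks that the payload's side effect never happened rather than trusting the exception alone. Every name in it (UNSAFE_URL_MARKER, UNSAFE_LONG_OPTION_RE, UNSAFE_SHORT_OPTIONS, build_git_command, rejection_reason, guarded_clone, guard_prevents_side_effect) and the per-subcommand handling of the short spellings `-u` and `-c` are this example's own assumptions, not GitPython's API.

```python
"""Guarding the arguments a wrapper library hands to git (CVE-2022-24439 shape).

Added example, not GitPython's code: all names here are this example's own.
"""
import os
import re
import subprocess
import tempfile
from typing import List, Optional, Sequence


class UnsafeProtocolError(ValueError):
    """A URL that would select a git remote helper such as ext::."""


class UnsafeOptionError(ValueError):
    """An option that lets the caller pick a program for git to run."""


# git treats "<helper>::<address>" as a remote-helper URL, and ext:: runs <address>
# as a command. The PR's commit message rejects any URL containing "::"; this example
# copies that rather than matching only "ext::", so other helpers are covered too.
UNSAFE_URL_MARKER = "::"

# Long options the PR discussion names: --*-pack, --exec and --config.
UNSAFE_LONG_OPTION_RE = re.compile(
    r"^(?:--upload-pack|--receive-pack|--exec|--config)(?:=|$)")

# Short spellings differ per subcommand (this example's assumption): for clone,
# -u is --upload-pack and -c is --config, while for push -u is --set-upstream and
# must stay allowed. startswith() also catches the attached form "-cKEY=VALUE".
UNSAFE_SHORT_OPTIONS = {"clone": ("-u", "-c")}


def check_unsafe_protocols(url: str, allow_unsafe_protocols: bool = False) -> None:
    if allow_unsafe_protocols:
        return
    if UNSAFE_URL_MARKER in url:
        raise UnsafeProtocolError(f"refusing URL with remote-helper syntax: {url!r}")


def check_unsafe_options(subcommand: str, options: Sequence[str],
                         allow_unsafe_options: bool = False) -> None:
    if allow_unsafe_options:
        return
    shorts = UNSAFE_SHORT_OPTIONS.get(subcommand, ())
    for opt in options:
        if UNSAFE_LONG_OPTION_RE.match(opt) or opt.startswith(shorts):
            raise UnsafeOptionError(f"refusing option that can run a program: {opt!r}")


def build_git_command(subcommand: str, url: str, *positional: str,
                      options: Sequence[str] = (),
                      allow_unsafe_protocols: bool = False,
                      allow_unsafe_options: bool = False) -> List[str]:
    """argv for `git <subcommand> <options> -- <url> <positional...>`.

    The same two checks apply to clone, fetch, pull and push, since each accepts a
    URL where a remote name is expected. The "--" ends option parsing, so a URL
    beginning with "-" cannot be read by git as an option.
    """
    check_unsafe_protocols(url, allow_unsafe_protocols)
    check_unsafe_options(subcommand, options, allow_unsafe_options)
    return ["git", subcommand, *options, "--", url, *positional]


def rejection_reason(subcommand: str, url: str,
                     options: Sequence[str] = ()) -> Optional[str]:
    """Which guard blocks this invocation, or None if it would be allowed."""
    try:
        build_git_command(subcommand, url, options=options)
    except (UnsafeProtocolError, UnsafeOptionError) as exc:
        return type(exc).__name__
    return None


def guarded_clone(url: str, dest: str, options: Sequence[str] = (),
                  **allow: bool) -> subprocess.CompletedProcess:
    """Spawn git clone only after both checks pass; otherwise raise before spawning."""
    argv = build_git_command("clone", url, dest, options=options, **allow)
    return subprocess.run(argv, check=False, capture_output=True)


def guard_prevents_side_effect() -> bool:
    """Push the reported payload through the guard and verify the file it would
    create does not exist afterwards, instead of trusting the exception alone.
    The shell command only ever runs if the guard fails."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        # In ext:: URLs "%" separates arguments, hence the "touch% <path>" shape.
        payload = f"ext::sh -c touch% {marker}"
        raised = False
        try:
            guarded_clone(payload, os.path.join(tmp, "dest"))
        except UnsafeProtocolError:
            raised = True
        return raised and not os.path.exists(marker)


if __name__ == "__main__":
    for sub, url, opts in [
        ("clone", "ext::sh -c touch% /tmp/pwned", []),
        ("fetch", "ext::sh -c touch% /tmp/pwned", []),
        ("clone", "https://example.com/r.git", ["--upload-pack=touch /tmp/pwned"]),
        ("push", "https://example.com/r.git", ["-u"]),
    ]:
        print(sub, url, opts, "->", rejection_reason(sub, url, opts) or "allowed")
    print("side effect prevented:", guard_prevents_side_effect())
```

Two design points worth noting. First, this is a denylist, and the PR author says there may be more dangerous options than the ones found; a wrapper that exposes git to untrusted callers is safer with an allowlist of known-harmless options (`--depth`, `--branch`, and so on) than with a list of known-harmful ones. Second, because the command is only spawned after both checks pass, the negative test needs no git binary and never executes the payload, which is exactly why the file-existence check matters: it proves the guard fired before the process started, not merely that some exception was raised.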
@stsewd
Contributor Author

stsewd commented Dec 29, 2022

> Thanks so much, this is tremendous work and great value for GitPython and all of its users. If you would like more recognition for this, please feel free to add an entry to changes.rst and include your name if you want. The same goes for the authors file.

Thank you!

> If you don't have time, that's alright as well, just let me know and I will merge as is and get a new release ready.

I'll try to update the PR later today or tomorrow.

@Byron Byron added this to the v3.1.30 - Bugfixes milestone Dec 29, 2022
@Byron
Member

Byron commented Dec 29, 2022

🙏🎉

@Byron Byron merged commit 678a8fe into gitpython-developers:main Dec 29, 2022
6 checks passed
@stsewd stsewd deleted the block-insecure-options branch December 29, 2022 13:53
openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request Jan 10, 2023
* Update requirements from branch 'master'
  to 2aaf64dd91c63aa55f4cbe8c037a6f545e91b302
  - Merge "Bump GitPython to 3.1.30"
  - Bump GitPython to 3.1.30
    
    3.1.30 includes 2 sets of fixes for CVE-2022-24439:
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
      gitpython-developers/GitPython#1515
    
    PRs:
      gitpython-developers/GitPython#1518
      gitpython-developers/GitPython#1521
    
    Signed-off-by: Lon Hohberger <[email protected]>
    Change-Id: I0def2d9801f0b20fcc9b613165a29dbced1fd2d7
openstack-mirroring pushed a commit to openstack/requirements that referenced this pull request Jan 10, 2023
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 20, 2023
3.1.30
- Make injections of command-invocations harder or impossible for clone and others.
  See gitpython-developers/GitPython#1518 for details.
  Note that this might constitute a breaking change for some users, and if so please
  let us know and we add an opt-out to this.
- Prohibit insecure options and protocols by default, which is potentially a breaking change,
  but a necessary fix for gitpython-developers/GitPython#1515.
  Please take a look at the PR for more information and how to bypass these protections
  in case they cause breakage: gitpython-developers/GitPython#1521.
halstead pushed a commit to openembedded/openembedded-core that referenced this pull request Jan 26, 2023
All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
gitpython-developers/GitPython#1529
gitpython-developers/GitPython#1518
gitpython-developers/GitPython#1521

Signed-off-by: Narpat Mali <[email protected]>
stefan-hartmann-lgs pushed a commit to hexagon-geo-surv/poky that referenced this pull request Jan 27, 2023
(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Jan 31, 2023
Source: poky
MR: 124663
Type: Integration
Disposition: Merged from poky
ChangeID: 0721360
Description:

(From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde)

Signed-off-by: Narpat Mali <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>
Successfully merging this pull request may close these issues.

CVE-2022-24439: <gitpython::clone> 'ext::sh -c touch% /tmp/pwned' for remote code execution
3 participants