path: root/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
blob: 16192b22c7c707e19aee5f03179d4e84155a7092 (plain)
From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001
From: Narpat Mali <narpat.mali@windriver.com>
Date: Fri, 6 Jan 2023 14:13:10 +0000
Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518

Fix command injection
Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
  adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead to RCE, like `--exc`, `--upload-pack`,
`--receive-pack`, `--config` (#1516).

Ref #1517

CVE: CVE-2022-24439

Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518]

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
 git/remote.py    | 6 +++---
 git/repo/base.py | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/git/remote.py b/git/remote.py
index 56f3c5b..59681bc 100644
--- a/git/remote.py
+++ b/git/remote.py
@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj):
         else:
             args = [refspec]
 
-        proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False,
+        proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False,
                                    universal_newlines=True, v=verbose, **kwargs)
         res = self._get_fetch_info_from_stderr(proc, progress,
                                                kill_after_timeout=kill_after_timeout)
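Review bot: The new `"--"` on the fetch call carries no comment saying why it is there, so a later tidy-up could drop it and silently reopen the option-injection this commit closes; the same applies to the pull, push and archive hunks below. Add above the call `# "--" ends git's option parsing so a caller-supplied remote or refspec is never read as an option.` The separator sits ahead of `self` and `*args`, which is correct only if the options derived from `kwargs` are emitted before the positional arguments; that ordering is decided outside this hunk, so confirm it. The enclosing method starts and ends outside the hunk.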
@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj):
             # No argument refspec, then ensure the repo's config has a fetch refspec.
             self._assert_refspec()
         kwargs = add_progress(kwargs, self.repo.git, progress)
-        proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True,
+        proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True,
                                   universal_newlines=True, v=True, **kwargs)
         res = self._get_fetch_info_from_stderr(proc, progress,
                                                kill_after_timeout=kill_after_timeout)
@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj):
             If the operation fails completely, the length of the returned IterableList will
             be 0."""
         kwargs = add_progress(kwargs, self.repo.git, progress)
-        proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True,
+        proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True,
                                   universal_newlines=True,
                                   kill_after_timeout=kill_after_timeout,
                                   **kwargs)
diff --git a/git/repo/base.py b/git/repo/base.py
index 7713c91..f14f929 100644
--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -1072,7 +1072,7 @@ class Repo(object):
         multi = None
         if multi_options:
             multi = shlex.split(' '.join(multi_options))
-        proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
+        proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
                          v=True, universal_newlines=True, **add_progress(kwargs, git, progress))
         if progress:
             handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(),
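Review bot: Placing `"--"` ahead of `multi` on the clone call means the caller's `multi_options` (split into `multi` on the line above) land after the separator and are handed to git as positional arguments rather than options, so an option such as `--depth 1` stops taking effect or makes the clone fail. The separator only needs to precede the caller-controlled URL and path: `proc = git.clone(multi, "--", Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,`. Whether a `None` `multi` is dropped before the command line is assembled is decided outside this hunk, as is the start of the enclosing clone helper. Note that `--` only stops the URL being parsed as an option; if URLs come from untrusted callers, the transport scheme still needs to be validated separately.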
@@ -1173,7 +1173,7 @@ class Repo(object):
         if not isinstance(path, (tuple, list)):
             path = [path]
         # end assure paths is list
-        self.git.archive(treeish, *path, **kwargs)
+        self.git.archive("--", treeish, *path, **kwargs)
         return self
 
     def has_separate_working_tree(self) -> bool:
-- 
2.34.1