From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001
From: Narpat Mali
Date: Fri, 6 Jan 2023 14:13:10 +0000
Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518

Fix command injection

Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE).

There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous.

Fixed commands:
- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (#1516).

Ref #1517
CVE: CVE-2022-24439
Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518]
Signed-off-by: Narpat Mali
---
 git/remote.py | 6 +++---
 git/repo/base.py | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/git/remote.py b/git/remote.py
index 56f3c5b..59681bc 100644
--- a/git/remote.py
+++ b/git/remote.py
@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj):
 else:
 args = [refspec]
- proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False,
+ proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False,
 universal_newlines=True, v=verbose, **kwargs)
 res = self._get_fetch_info_from_stderr(proc, progress, kill_after_timeout=kill_after_timeout)
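Review bot: The `"--"` inserted before `self` in the fetch call carries no comment saying that it exists to stop a caller-supplied remote name or refspec from being parsed as a git option (the CVE-2022-24439 fix), so a later reformatting or reordering of the arguments could silently drop it; suggest adding `# "--" ends option parsing so the remote name and refspecs are never read as options (CVE-2022-24439)` on the line above the call. The same comment is worth adding to the pull and push calls in the next two hunks and to the archive call in git/repo/base.py. The terminator only guards positional arguments: any options derived from `**kwargs` are still emitted by the command builder (presumably ahead of the `"--"`, since the calls still work), so, as the commit message notes, code that exposes kwargs to callers remains responsible for validating them. The enclosing fetch method starts and ends outside the hunk.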
@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj):
 # No argument refspec, then ensure the repo's config has a fetch refspec.
 self._assert_refspec()
 kwargs = add_progress(kwargs, self.repo.git, progress)
- proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True,
+ proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True,
 universal_newlines=True, v=True, **kwargs)
 res = self._get_fetch_info_from_stderr(proc, progress, kill_after_timeout=kill_after_timeout)
@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj):
 If the operation fails completely, the length of the returned IterableList will be 0."""
 kwargs = add_progress(kwargs, self.repo.git, progress)
- proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True,
+ proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True,
 universal_newlines=True, kill_after_timeout=kill_after_timeout, **kwargs)
diff --git a/git/repo/base.py b/git/repo/base.py
index 7713c91..f14f929 100644
--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -1072,7 +1072,7 @@ class Repo(object):
 multi = None
 if multi_options:
 multi = shlex.split(' '.join(multi_options))
- proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
+ proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,
 v=True, universal_newlines=True, **add_progress(kwargs, git, progress))
 if progress:
 handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(),
@@ -1173,7 +1173,7 @@ class Repo(object):
 if not isinstance(path, (tuple, list)):
 path = [path]
 # end assure paths is list
- self.git.archive(treeish, *path, **kwargs)
+ self.git.archive("--", treeish, *path, **kwargs)
 return self

 def has_separate_working_tree(self) -> bool:
--
2.34.1
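Review bot: In the clone hunk of git/repo/base.py, placing `"--"` before `multi` puts the options assembled from `multi_options` via `shlex.split` after the option terminator, so git will read them as positional arguments (repository and directory) rather than as options, and a clone with `multi_options` set would fail or do the wrong thing, assuming the command builder keeps positional arguments in the order given. The terminator should come after the caller's options and directly before the URL: `proc = git.clone(multi, "--", Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,`. That ordering keeps `multi_options` a fully caller-controlled option list, which is the case the commit message already flags, so the docstring of the enclosing helper should say that those options must come from trusted code. The enclosing clone helper starts and ends outside the hunk.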