Quote URLs in Repo.clone_from()#1516
Conversation
Sorry, something went wrong.
Byron
left a comment
Byron
left a comment
There was a problem hiding this comment.
Thanks a lot, much appreciated. I don't know why quoting the URL prevents it from being effective when the ext protocol is allowed. There seem to be no internal quotes in the 'ext:…' url that would be quoted then.
In any case, I think it would be useful to have a test for the unsafe_protocols feature. My intuition here is also to document it to allow folks to bypass the quoting in case they relied on using the ext protocol.
Regrading CI, I have a feeling that the python action doesn't support older versions anymore - please feel free to remove them from the test suite so there is a chance for the tests to succeed.
Sorry, something went wrong.
|
Quoting removes URL unsafe characters, such as spaces, so we end up with: which will not execute. Successfully, anyway -- and should also leave most of the usual suspects https:// and git:// alone, but I will confirm when I fix up GitHub Actions. |
Sorry, something went wrong.
|
I may have to parse it and then quote the host portion, depending on if it's overzealous, but I have it in hand. I will also add a test for |
Sorry, something went wrong.
s-t-e-v-e-n-k
force-pushed
the
quote-clone-urls-by-default
branch
2 times, most recently
from
a3bc689 to
0cd4e4d
Compare
December 15, 2022 04:59
|
@Byron Sadly, I've had to change this around to not quote, but this is ready for another look. |
Sorry, something went wrong.
|
In #1515 (comment) there is this case that should be fixed too from git import Repo
r = Repo.init('', bare=True)
r.clone('foo', '/tmp/foo', multi_options=['--upload-pack="touch /tmp/pwn"'])Here the URL can be anything. We could check/ban the unsafe options (--upload-pack/-c protocol.*) instead of (or in addition of) checking the protocol. EDIT: This also works r.clone('--upload-pack=touch /tmp/pwn') |
Sorry, something went wrong.
|
This is sort of the problem -- git is designed to run arbitrary commands. However, I'll see if I can refactor the checks out to a function. |
Sorry, something went wrong.
Byron
left a comment
Byron
left a comment
There was a problem hiding this comment.
Thanks a lot for your help with CI!
I have a few comments and questions that I hope we can sort out quickly so we can get this PR merged and cut a new release right after that.
Thank you for your continued help.
Sorry, something went wrong.
s-t-e-v-e-n-k
force-pushed
the
quote-clone-urls-by-default
branch
from
0cd4e4d to
e526cbb
Compare
December 20, 2022 06:14
Since the URL is passed directly to git clone, and the remote-ext helper will happily execute shell commands, so by default disallow URLs that contain a "::" unless a new unsafe_protocols kwarg is passed. (CVE-2022-24439) Fixes gitpython-developers#1515
With a large number of the versions of Python specified not being supported with GitHub Actions, trim it down to the major versions, and add in 3.11 for good measure.
s-t-e-v-e-n-k
force-pushed
the
quote-clone-urls-by-default
branch
from
e526cbb to
ce529b9
Compare
December 20, 2022 06:42
Byron
left a comment
Byron
left a comment
There was a problem hiding this comment.
Thanks a lot for taking it to the next level, I love the additional tests for what constitutes unsafe options.
I think the CI failure is legit as the sanity check is done in a way that assumes a string even though PosixPath isn't particularly string like.
Something I am not so sure about is if this PR should try to address #1517, and I'd clearly prefer that to happen in another PR. Probably @stsewd could provide valuable feedback here as well.
Thanks for taking another look.
Sorry, something went wrong.
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
Add `--` in some commands that receive user input and if interpreted as options could lead to remote code execution (RCE). There may be more commands that could benefit from `--` so the input is never interpreted as an option, but most of those aren't dangerous. Fixed commands: - push - pull - fetch - clone/clone_from and friends - archive (not sure if this one can be exploited, but it doesn't hurt adding `--` :)) For anyone using GitPython and exposing any of the GitPython methods to users, make sure to always validate the input (like if starts with `--`). And for anyone allowing users to pass arbitrary options, be aware that some options may lead fo RCE, like `--exc`, `--upload-pack`, `--receive-pack`, `--config` (gitpython-developers#1516). Ref gitpython-developers#1517
Taken from gitpython-developers#1516
stsewd
left a comment
stsewd
left a comment
There was a problem hiding this comment.
Taking a look at this, if gitpython is going to disallow passing the --upload-pack/--receive-pack and friends as options, the check should probably be in all other commands where those options are allowed (and should also check for their short form -u).
And reading from https://git-scm.com/docs/gitremote-helpers
A URL of the form
<transport>::<address>explicitly instructs Git to invokegit remote-<transport>with<address>as the second argument. If such a URL is encountered directly on the command line, the first argument is<address>, and if it is encountered in a configured remote, the first argument is the name of that remote.
Maybe is safer to disallow foo::bar like URLs,
Sorry, something went wrong.
|
Thanks for your help! Due to the time-sensitive nature, #1521 was merged first and includes the changes from this PR. |
Sorry, something went wrong.
Since the URL is passed directly to git clone, and the remote-ext helper will happily execute shell commands, so by default qoute URLs unless a (undocumented, on purpose) kwarg is passed. (CVE-2022-24439)
Fixes #1515