| author | Santos Gallegos <stsewd@proton.me> | 2022-12-20 20:26:37 -0500 |
|---|---|---|
| committer | Santos Gallegos <stsewd@proton.me> | 2022-12-20 22:04:06 -0500 |
| commit | fbf9c7e72218e44bc29eb4907d5c00118370376b (patch) | |
| tree | 9c288fd59db765c151ea94f776cab6ec6af46f12 /git/refs/reference.py | |
| parent | 17ff2630af26b37f82ac1158ee3495c4390da699 (diff) | |
| download | gitpython-fbf9c7e72218e44bc29eb4907d5c00118370376b.tar.gz | |
Fix command injection
Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).
There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.
Fixed commands:
- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
adding `--` :))
For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if it starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead to RCE, like `--exec`, `--upload-pack`,
`--receive-pack`, `--config` (https://github.com/gitpython-developers/GitPython/pull/1516).
Ref https://github.com/gitpython-developers/GitPython/issues/1517
Diffstat (limited to 'git/refs/reference.py')
0 files changed, 0 insertions, 0 deletions
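The two defences the commit message describes, as an added example that is not GitPython's own code: a validator that rejects option-like user input, a builder that places `--` so user-supplied refs and paths are always positional, and an audit helper that flags user-controlled tokens git would still parse as options. The function names and the constructed argv values are this example's own assumptions; the option names come from the commit message.

```python
"""Guarding user input that ends up on a git command line (added example)."""
from typing import Iterable, List

# Options the commit message names as leading to RCE when user-controlled.
RCE_OPTIONS = ("--exec", "--upload-pack", "--receive-pack", "--config")


def is_option_like(arg: str) -> bool:
    """True if git's option parser would treat `arg` as an option.

    A lone "-" means stdin/previous ref and is a value, not an option."""
    return arg.startswith("-") and arg != "-"


def is_known_rce_option(arg: str) -> bool:
    """True if `arg` is one of the options the commit message calls out."""
    return arg.split("=", 1)[0] in RCE_OPTIONS


def validate_user_arg(arg: str) -> str:
    """Defence 1 (from the message): reject input that looks like an option."""
    if is_option_like(arg):
        raise ValueError(f"refusing option-like user input: {arg!r}")
    return arg


def build_git_argv(subcommand: str, options: Iterable[str],
                   user_args: Iterable[str]) -> List[str]:
    """Defence 2 (what the commit does): put `--` before user-supplied values.

    `options` are developer-controlled; everything after `--` is positional,
    so a user value such as "--upload-pack=x" can no longer be parsed as an
    option even if validation is skipped."""
    argv = ["git", subcommand, *options]
    positional = list(user_args)
    if positional:
        argv.append("--")
        argv.extend(positional)
    return argv


def find_injected_options(argv: List[str], user_values: Iterable[str]) -> List[str]:
    """Audit an argv: user-controlled tokens sitting before `--` that git
    would parse as options. An empty list means the command line is safe
    with respect to option injection."""
    user_set = set(user_values)
    hits = []
    for tok in argv[2:]:  # skip "git" and the subcommand
        if tok == "--":
            break
        if tok in user_set and is_option_like(tok):
            hits.append(tok)
    return hits
```

Running `find_injected_options` on an argv built without `--` reports the user token, and the same token disappears from the report once `build_git_argv` has placed the separator.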