Update dependency GitPython to v3.1.37 [SECURITY] #144
This PR contains the following updates: GitPython ==3.1.14 -> ==3.1.37
GitHub Vulnerability Alerts
CVE-2022-24439
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
CVE-2023-40267
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

CVE-2023-41040
Summary
In order to resolve some git references, GitPython reads files from the .git directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Details
This vulnerability is present in
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
That code joins the base directory with a user given string without checking if the final path is located outside the base directory.
I was able to exploit it from three places, but there may be more code paths that lead to it:
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353
PoC
Running GitPython within any repo should work; here is an example with the GitPython repo.
Impact
I wasn't able to show the contents of the files (that's why "blind" local file inclusion). Depending on how GitPython is being used, this can be used by an attacker for something as inoffensive as checking if a file exists, or to cause a DoS by making GitPython read a big/infinite file (like /dev/random on Linux systems).

Possible solutions
A solution would be to check that the final path isn't located outside the repodir path (maybe even after resolving symlinks). Maybe there could be other checks in place to make sure that the reference names are valid.

Note
This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.
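The three advisories quoted above share one defect class: a user-controlled string reaches git as a command-line argument, or reaches the filesystem as a path under .git, without any check that it is the kind of value the caller expects. The Python below is an added illustration of the two guards such code needs, written for this page; it is not GitPython's code and does not reproduce GitPython's actual fixes. The function names, the transport allowlist, the simplified ref-name rules and every sample input (including the throwaway .git-like directory and the symlink planted in it) are assumptions made for the example.

```python
"""Input guards for the two defect classes in the advisories above.

Added example, not GitPython's code.  Function names, the scheme allowlist,
the simplified ref-name rules and all sample inputs are assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# --- 1. Values that reach `git clone` as arguments -------------------------

# Transports we hand to git (assumption).  Deliberately absent: "ext", git's
# remote helper that runs an external program for the transport.
ALLOWED_SCHEMES = {"https", "ssh", "git"}
# scp-like syntax, e.g. git@host:org/repo.git, which has no scheme part.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:[^-\s][^\s]*$")


def check_clone_url(url: str) -> str:
    """Return url unchanged if it is a plain remote address, else raise.

    A leading "-" would make git read the value as an option rather than as
    the remote (the option-handling problem the CVE-2023-40267 text refers
    to); a scheme outside the allowlist could select a remote helper that
    executes commands (the crafted-URL shape of CVE-2022-24439).
    """
    if not url or url.startswith("-"):
        raise ValueError(f"clone target would be parsed as an option: {url!r}")
    if any(ch.isspace() for ch in url):
        raise ValueError(f"clone target contains whitespace: {url!r}")
    scheme = urlsplit(url).scheme.lower()
    if scheme in ALLOWED_SCHEMES or (not scheme and _SCP_LIKE.match(url)):
        return url
    raise ValueError(f"clone target uses an unsupported transport: {url!r}")


def clone_url_is_safe(url: str) -> bool:
    try:
        check_clone_url(url)
        return True
    except ValueError:
        return False


def build_clone_argv(url: str, dest: str, depth: Optional[int] = None) -> List[str]:
    """Options the caller chose come first; "--" then ends option parsing so
    every user-controlled value after it is positional by construction."""
    argv = ["git", "clone"]
    if depth is not None:
        argv += ["--depth", str(int(depth))]
    return argv + ["--", check_clone_url(url), dest]


# --- 2. Names used to open files under .git --------------------------------

# Characters git refuses in ref names (simplified from git check-ref-format).
_BAD_REF_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_valid_ref_name(name: str) -> bool:
    """Simplified subset of git's ref-name rules (assumption: not exhaustive)."""
    if not name or name == "@" or name.startswith("/") or name.endswith("/"):
        return False
    if ".." in name or "@{" in name or _BAD_REF_CHARS.search(name):
        return False
    return all(part and not part.startswith(".") and not part.endswith(".")
               and not part.endswith(".lock") for part in name.split("/"))


def contained_path(base_dir: str, relative: str) -> str:
    """Join relative onto base_dir and refuse the result if, after symlinks
    are resolved, it lies outside base_dir (the check "Possible solutions"
    asks for).  Absolute and ".."-laden inputs are rejected the same way."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{relative!r} resolves outside {base_dir}")
    return target


def ref_file_path(git_dir: str, ref_name: str) -> str:
    """Path of the loose-ref file for ref_name, with both guards applied."""
    if not is_valid_ref_name(ref_name):
        raise ValueError(f"invalid reference name: {ref_name!r}")
    return contained_path(git_dir, ref_name)


def demo() -> Dict[str, str]:
    """Probe both guards; returns "allowed"/"rejected" per constructed input."""
    outcome: Dict[str, str] = {}
    for url in ("https://github.com/gitpython-developers/GitPython.git",
                "git@github.com:gitpython-developers/GitPython.git",
                "--upload-pack=/tmp/evil",   # git would parse this as an option
                "ext::/bin/true"):           # remote helper running a program
        outcome[url] = "allowed" if clone_url_is_safe(url) else "rejected"
    with tempfile.TemporaryDirectory() as tmp:   # constructed .git-like layout
        git_dir = os.path.join(tmp, "repo", ".git")
        os.makedirs(os.path.join(git_dir, "refs", "heads"))
        with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
            fh.write("0" * 40 + "\n")
        probes = ["refs/heads/main", "../../../etc/passwd", "/etc/passwd",
                  "refs/heads/../../../../dev/random"]
        try:  # a symlink planted inside .git that points above it
            os.symlink(tmp, os.path.join(git_dir, "escape"))
            probes.append("escape/secret")
        except OSError:
            pass  # no symlink support on this platform; skip that probe
        for name in probes:
            try:
                contained_path(git_dir, name)
                outcome[name] = "allowed"
            except ValueError:
                outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{verdict:8} {probe}")
```

The two guards are complementary rather than redundant: the ref-name rules reject the ".." and leading "/" shapes up front, while the realpath containment check is what catches a symlink inside .git pointing elsewhere, which no string check on the name can see.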
Release Notes
gitpython-developers/GitPython (GitPython)

v3.1.37 - a proper fix for CVE-2023-41040
What's Changed: @NoEffect annotations by @EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1677
Full Changelog: gitpython-developers/GitPython@3.1.36...3.1.37

v3.1.36

v3.1.35 - a fix for CVE-2023-41040
Full Changelog: gitpython-developers/GitPython@3.1.34...3.1.35

v3.1.34 - fix resource leaking
Full Changelog: gitpython-developers/GitPython@3.1.33...3.1.34

v3.1.33 - with security fix
Full Changelog: gitpython-developers/GitPython@3.1.32...3.1.33

v3.1.32 - with another security update
Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32

v3.1.31
What's Changed: command -v instead of third-party which program by @mgorny in https://github.com/gitpython-developers/GitPython/pull/1525
Full Changelog: gitpython-developers/GitPython@3.1.30...3.1.31

v3.1.30 - with important security fixes
See https://github.com/gitpython-developers/GitPython/issues/1515 for details.
Full Changelog: gitpython-developers/GitPython@3.1.29...3.1.30

v3.1.29
v3.1.28
v3.1.27
v3.1.26
v3.1.25
v3.1.24
v3.1.23
v3.1.22

v3.1.20
Full Changelog: gitpython-developers/GitPython@3.1.19...3.1.20

v3.1.19
v3.1.18
v3.1.17
v3.1.16
v3.1.15
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.