
Update dependency GitPython to v3.1.37 [SECURITY] #144

Merged
merged 1 commit into from
Oct 26, 2023

Conversation

renovate[bot]

@renovate renovate bot commented Oct 26, 2023

Mend Renovate

This PR contains the following updates:

Package: GitPython
Change: ==3.1.14 -> ==3.1.37

GitHub Vulnerability Alerts

CVE-2022-24439

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE-2023-40267

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

CVE-2023-41040

Summary

In order to resolve some git references, GitPython reads files from the .git directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check whether this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Details

This vulnerability is present in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175

That code joins the base directory with a user-given string without checking whether the final path is located outside the base directory.

I was able to exploit it from three places, but there may be more code paths that lead to it:

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353

PoC

Running GitPython within any repo should work; here is an example with the GitPython repo.

```python
import git

r = git.Repo(".")

# This will make GitPython read the README.md file from the root of the repo
r.commit("../README.md")
r.tree("../README.md")
r.index.diff("../README.md")

# Reading /dev/random

# WARNING: this will probably halt your system, run with caution
# r.commit("../../../../../../../../../dev/random")
```

Impact

I wasn't able to show the contents of the files (that's why it is a "blind" local file inclusion). Depending on how GitPython is being used, this can be used by an attacker for something as inoffensive as checking if a file exists, or to cause a DoS by making GitPython read a big/infinite file (like /dev/random on Linux systems).

Possible solutions

A solution would be to check that the final path isn't located outside the repo directory (maybe even after resolving symlinks). There could also be other checks in place to make sure that the reference names are valid.


Note

This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.


Release Notes

gitpython-developers/GitPython (GitPython)

v3.1.37: a proper fix for CVE-2023-41040 (Full Changelog: gitpython-developers/GitPython@3.1.36...3.1.37)
v3.1.36
v3.1.35: a fix for CVE-2023-41040 (Full Changelog: gitpython-developers/GitPython@3.1.34...3.1.35)
v3.1.34: fix resource leaking (Full Changelog: gitpython-developers/GitPython@3.1.33...3.1.34)
v3.1.33: with security fix (Full Changelog: gitpython-developers/GitPython@3.1.32...3.1.33)
v3.1.32: with another security update (Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32)
v3.1.31 (Full Changelog: gitpython-developers/GitPython@3.1.30...3.1.31)
v3.1.30: with important security fixes; see https://github.com/gitpython-developers/GitPython/issues/1515 for details (Full Changelog: gitpython-developers/GitPython@3.1.29...3.1.30)
v3.1.29, v3.1.28, v3.1.27, v3.1.26, v3.1.25, v3.1.24, v3.1.23, v3.1.22
v3.1.20 (Full Changelog: gitpython-developers/GitPython@3.1.19...3.1.20)
v3.1.19, v3.1.18, v3.1.17, v3.1.16, v3.1.15

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
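Two of the points made in the advisory text above, as an added example that is not GitPython's code and was not part of this PR: rejecting a remote URL or clone option that `git clone` would act on as a command (the two RCE CVEs), and checking that a user-supplied ref name still lies under .git after the path join (CVE-2023-41040). The unsafe transports and flag names, the kwargs-to-flag mapping, and the repository path used in the self-check are assumptions, listed in the module docstring and not taken from the advisory.

```python
"""Added example, not GitPython's own code nor part of this PR: caller-side
checks for the three advisories listed in the Renovate comment above.

Assumptions (labelled here, not taken from the advisory text):
  * git's `ext::` transport runs the command after the prefix, and `fd::`
    hands git a file descriptor; both are rejected outright.
  * `--upload-pack`/`-u` and `--config`/`-c` are the `git clone` flags that
    let a caller run a program or rewrite config, so they are denied.
  * GitPython maps kwargs to flags (depth=1 -> --depth=1, c=x -> -cx), so
    option keys are normalised the same way before the comparison.
  * POSIX paths; the repository path in the self-check is constructed and
    does not need to exist, since realpath() tolerates missing components.
"""
import os
import re

_UNSAFE_URL_PREFIXES = ("ext::", "fd::")
_ALLOWED_SCHEMES = re.compile(r"^(https|ssh|git|file)://", re.IGNORECASE)
_SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:\S+$")          # user@host:path
_UNSAFE_OPTIONS = {"upload-pack", "u", "config", "c"}


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it is safe to pass to `git clone`, else raise."""
    if not url or not url.strip():
        raise ValueError("empty URL")
    if url.lstrip().startswith("-"):
        # git would parse this as an option, not as a remote.
        raise ValueError("URL looks like an option: %r" % url)
    if url.lower().startswith(_UNSAFE_URL_PREFIXES):
        raise ValueError("unsafe git transport: %r" % url)
    if not (_ALLOWED_SCHEMES.match(url) or _SCP_LIKE.match(url)):
        raise ValueError("scheme not in allowlist: %r" % url)
    return url


def validate_clone_options(options: dict) -> dict:
    """Reject single (non-multi) kwargs that would become unsafe clone flags."""
    for key in options:
        if key.replace("_", "-") in _UNSAFE_OPTIONS:
            raise ValueError("unsafe clone option: %s" % key)
    return options


def resolve_ref_path(git_dir: str, ref_name: str) -> str:
    """Join ref_name under git_dir and refuse any result outside it.

    Both sides go through realpath() before the comparison, so neither a `..`
    component nor a symlink inside .git can move the result out of the tree.
    """
    if not ref_name:
        raise ValueError("empty ref name")
    if os.path.isabs(ref_name):
        # os.path.join() would discard git_dir entirely for an absolute name.
        raise ValueError("absolute ref name: %r" % ref_name)
    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, ref_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("ref name escapes %s: %r" % (git_dir, ref_name))
    return candidate


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used by the self-check below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    git_dir = "/tmp/example-repo/.git"  # constructed path, need not exist
    print(validate_clone_url("https://github.com/gitpython-developers/GitPython.git"))
    print(rejected(validate_clone_url, "ext::sh -c touch% /tmp/pwned"))
    print(rejected(validate_clone_options, {"upload_pack": "touch /tmp/pwned"}))
    print(resolve_ref_path(git_dir, "refs/heads/main"))
    print(rejected(resolve_ref_path, git_dir, "../README.md"))
```

The containment check deliberately compares resolved paths rather than looking for `..` in the input: `refs/../HEAD` is harmless and passes, while a symlink planted inside .git would fail even without any `..`. For defence in depth, git's own ref-name rules can be layered on top with `git check-ref-format`, and the `ext::` transport can be disabled at the git level with `-c protocol.ext.allow=never`.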

@plars plars merged commit 631d44d into main Oct 26, 2023
2 checks passed
@plars plars deleted the renovate/pypi-GitPython-vulnerability branch October 26, 2023 19:22