Re: git-hub: missing sanitization of data received from GitHub

[Jakub Wilk <jwilk () jwilk net>]

* Jakub Wilk <jwilk () jwilk net>, 2016-09-29, 17:40:
> git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git 
> command-line interface to GitHub. When you ask it to clone a 
> repository, it will call:
>
>  git clone <repourl> <reponame>
>
> where both <repourl> and <reponame> come from GitHub API, without any 
> sanitization. Operators of the GitHub server (or a MitM attacker[*]) 
> could exploit it for directory traversal or, more excitingly, for 
> arbitrary code execution, either via option injection, e.g.:
>
>  git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
> or more directly with git-remote-ext, e.g.:
>
>  git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

git-spindle is another GitHub CLI, which can be exploited in the same way:
https://github.com/seveas/git-spindle/issues/154

(git-spindle used to be called "git-hub", but this is different codebase that 
sociomantic's git-hub.)

--
Jakub Wilk