oss-sec mailing list archives

git-hub: missing sanitization of data received from GitHub


From: Jakub Wilk <jwilk () jwilk net>
Date: Thu, 29 Sep 2016 17:40:04 +0200

git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git command-line interface to GitHub. When you ask it to clone a repository, it will call:

  git clone <repourl> <reponame>

where both <repourl> and <reponame> come from the GitHub API, without any sanitization. Operators of the GitHub server (or a MitM attacker[*]) could exploit it for directory traversal or, more excitingly, for arbitrary code execution, either via option injection, e.g.:

  git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl

or more directly with git-remote-ext, e.g.:

  git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo


Upstream bug report:
https://github.com/sociomantic-tsunami/git-hub/issues/197


[*] git-hub is implemented in Python, which didn't verify HTTPS certificates before 2.7.9; and git-hub doesn't enable verification on its own either.

--
Jakub Wilk
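The fix the report asks for, shown as an added example that is not git-hub's own code: treat the API-supplied URL and directory name as untrusted, reject option-looking values, remote-helper transports (`ext::`, `fd::`) and path traversal, and terminate git's option parsing with `--` before passing the values through. The accepted URL prefixes are an assumption about what GitHub's `clone_url`/`ssh_url` fields look like.

```python
import re
import subprocess

# Assumption: the only transports we expect from the GitHub API.
SAFE_URL_PREFIXES = ("https://github.com/", "git@github.com:")

# One path component: no leading "-" (option injection), no "/" or "\",
# so "." and ".." and traversal sequences cannot match either.
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_repo_url(url):
    """Reject anything git would interpret as an option or a remote helper."""
    if not url or url.startswith("-"):
        return False
    if "::" in url:          # <helper>::<address> syntax, e.g. ext::sh -c ...
        return False
    return url.startswith(SAFE_URL_PREFIXES)


def is_safe_repo_name(name):
    """Accept a plain directory name, nothing that looks like an option or a path."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("-") or "/" in name or "\\" in name:
        return False
    return REPO_NAME_RE.match(name) is not None


def build_clone_argv(url, name):
    """Build the git command line; refuses unsafe input instead of passing it on."""
    if not is_safe_repo_url(url):
        raise ValueError("refusing repository URL: %r" % (url,))
    if not is_safe_repo_name(name):
        raise ValueError("refusing repository name: %r" % (name,))
    # "--" ends option parsing, so even a value that slipped through the
    # checks above is taken as a positional argument, never as an option.
    return ["git", "clone", "--", url, name]


def clone(url, name):
    """Run the hardened clone; no shell, so no word splitting or quoting issues."""
    return subprocess.run(build_clone_argv(url, name), check=True)
```

This only covers the command-line injection; the footnote's HTTPS point needs the API client itself to verify certificates.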

