Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency gitpython to v3.1.41 [SECURITY] - autoclosed #34

Closed
wants to merge 1 commit into from
Closed

Update dependency gitpython to v3.1.41 [SECURITY] - autoclosed #34

wants to merge 1 commit into from

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Oct 23, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
gitpython ==3.1.32 -> ==3.1.41 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-40590

Summary

When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.

Details

This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.

The execution of the git command happens in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

python -c "import git"

The git executable from the current directory will be run.

Impact

An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.

Possible solutions

  • Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation).
  • Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
  • Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
  • Resolve the executable manually by only looking into the PATH environment variable (suggested by @​Byron)

Note

This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.

CVE-2023-41040

Summary

In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Details

This vulnerability is present in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175

That code joins the base directory with a user given string without checking if the final path is located outside the base directory.

I was able to exploit it from three places, but there may be more code paths that lead to it:

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353

PoC

Running GitPython within any repo should work, here is an example with the GitPython repo.

import git

r = git.Repo(".")

# This will make GitPython read the README.md file from the root of the repo
r.commit("../README.md")
r.tree("../README.md")
r.index.diff("../README.md")

# Reading /etc/random

# WARNING: this will probably halt your system, run with caution
# r.commit("../../../../../../../../../dev/random")

Impact

I wasn't able to show the contents of the files (that's why "blind" local file inclusion), depending on how GitPython is being used, this can be used by an attacker for something inoffensive as checking if a file exits, or cause a DoS by making GitPython read a big/infinite file (like /dev/random on Linux systems).

Possible solutions

A solution would be to check that the final path isn't located outside the repodir path (maybe even after resolving symlinks). Maybe there could be other checks in place to make sure that the reference names are valid.

Note

This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.

CVE-2024-22190

Summary

This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository.

Details

Although GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.

When a shell is used

GitPython can be told to run git commands through a shell rather than as direct subprocesses, by passing shell=True to any method that accepts it, or by both setting Git.USE_SHELL = True and not passing shell=False. Then the Windows cmd.exe shell process performs the path search, and GitPython does not prevent that shell from finding and running git in the current directory.

When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call. Although the cmd.exe shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.

Furthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location.

This also applies if Git.execute is called directly with shell=True (or after Git.USE_SHELL = True) to run any command.

When hook scripts are run

On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory.

This allows the author of an untrusted fork or branch to cause a malicious bash.exe to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious bash.exe and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious bash.exe.

Note that, while bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

PoC

On Windows, create a git.exe file in a repository. Then create a Repo object, and call any method through it (directly or indirectly) that supports the shell keyword argument with shell=True:

mkdir testrepo
git init testrepo
cp ... testrepo git.exe # Replace "..." with any executable of choice.
python -c "import git; print(git.Repo('testrepo').git.version(shell=True))"

The git.exe executable in the repository directory will be run.

Or use no Repo object, but do it from the location with the git.exe:

cd testrepo
python -c "import git; print(git.Git().version(shell=True))"

The git.exe executable in the current directory will be run.

For the scenario with hooks, install a hook in a repository, create a bash.exe file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:

mkdir testrepo
cd testrepo
git init
mv .git/hooks/pre-commit.sample .git/hooks/pre-commit
cp ... bash.exe # Replace "..." with any executable of choice.
echo "Some text" >file.txt
git add file.txt
python -c "import git; git.Repo().index.commit('Some message')"

The bash.exe executable in the current directory will be run.

Impact

The greatest impact is probably in applications that set Git.USE_SHELL = True for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run git, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.

An application that does not direct GitPython to use a shell to run git subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running bash.exe to interpret hooks. So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.

Possible solutions

A straightforward approach would be to address each bug directly:

  • When a shell is used, pass NoDefaultCurrentDirectoryInExePath into the subprocess environment, because in that scenario the subprocess is the cmd.exe shell that itself performs the path search.
  • Set NoDefaultCurrentDirectoryInExePath in the GitPython process environment during the Popen call made to run hooks with a bash.exe subprocess.

These need only be done on Windows.

Release Notes

gitpython-developers/GitPython (gitpython)

v3.1.41: - fix Windows security issue

Compare Source

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.40...3.1.41

v3.1.40: - fix downstream CI

Compare Source

What's Changed

Full Changelog: gitpython-developers/GitPython@3.1.38...3.1.40

v3.1.38

Compare Source

What's Changed
New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.37...3.1.38

v3.1.37: - a proper fix CVE-2023-41040

Compare Source

What's Changed

Full Changelog: gitpython-developers/GitPython@3.1.36...3.1.37

v3.1.36

Compare Source

v3.1.35: - a fix for CVE-2023-41040

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.34...3.1.35

v3.1.34: - fix resource leaking

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.33...3.1.34

v3.1.33: - with security fix

Compare Source

What's Changed
New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.32...3.1.33

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Oct 23, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 85b5e89 to 5cbfb7f Compare October 23, 2023 11:32
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Oct 23, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 5cbfb7f to 8b355b5 Compare October 23, 2023 13:17
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Oct 23, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 8b355b5 to 63d2092 Compare October 23, 2023 14:30
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Oct 28, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 63d2092 to 08963c1 Compare October 28, 2023 10:09
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Oct 28, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 08963c1 to 7e2bb01 Compare October 28, 2023 10:16
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Oct 28, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 7e2bb01 to 920778e Compare October 28, 2023 10:17
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Oct 28, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 920778e to 330cae4 Compare October 28, 2023 10:18
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Nov 6, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 330cae4 to dd620b4 Compare November 6, 2023 07:52
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Nov 6, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from dd620b4 to 8e11c8e Compare November 6, 2023 10:43
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Nov 12, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 8e11c8e to bff87f8 Compare November 12, 2023 14:12
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Nov 12, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from bff87f8 to 2bab7d6 Compare November 12, 2023 15:58
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Nov 16, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch 2 times, most recently from 479b63d to 7145503 Compare November 16, 2023 14:50
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Nov 16, 2023
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Nov 21, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 7145503 to d735a5c Compare November 21, 2023 17:04
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Nov 21, 2023
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from d735a5c to b8d38ec Compare November 21, 2023 17:05
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 81b5c53 to 3a3dc09 Compare January 9, 2024 11:57
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.40 [SECURITY] Jan 9, 2024
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.40 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 9, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch 2 times, most recently from 1b72bd3 to 32913aa Compare January 16, 2024 01:58
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch 2 times, most recently from efdb841 to 30cb189 Compare January 16, 2024 11:37
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 30cb189 to ff16359 Compare January 16, 2024 13:21
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from ff16359 to ed76d63 Compare January 16, 2024 17:18
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 16, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch 2 times, most recently from 25c8e54 to 74b561e Compare January 22, 2024 16:06
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Jan 22, 2024
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 22, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 74b561e to 4543341 Compare January 22, 2024 16:08
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Jan 22, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 4543341 to 7f01201 Compare January 22, 2024 16:49
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.33 [SECURITY] Jan 22, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 7f01201 to 68c473f Compare January 22, 2024 19:46
@renovate-bot renovate-bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 68c473f to 27e97c4 Compare April 21, 2024 08:19
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.33 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] Apr 21, 2024
@renovate-bot renovate-bot changed the title Update dependency gitpython to v3.1.41 [SECURITY] Update dependency gitpython to v3.1.41 [SECURITY] - autoclosed Apr 21, 2024
@renovate-bot renovate-bot deleted the renovate/pypi-gitpython-vulnerability branch April 21, 2024 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot