git option injection

master
Loïc Dachary 2022-10-17 09:34:04 +02:00
parent 34ebdbe67a
commit 6760e26d3e
Signed by: dachary
GPG Key ID: 992D23B392F9E4F2
1 changed files with 38 additions and 0 deletions


@ -0,0 +1,38 @@
+++
title = "[security] Gitea < 1.17.3 git option injection explained"
date = 2022-10-17
description = "."
[taxonomies]
tags = ['gna', 'gitea', 'security', 'problem', 'upgrade', 'solution']
[extra]
author = 'dachary'
+++
[Gitea 1.17.3](https://pouet.chapril.org/@gna/109176306611564720) includes a [security patch](https://lab.forgefriends.org/forgefriends/forgefriends/-/commit/d98c5db58fdeded983bf5c0fe781fd7b77a1235f) that prevents the injection of arguments to the git command run by Gitea.
When displaying the commit graph [for the master branch](https://gitea.gna.org/Gna/organization/graph?branch=refs%2Fheads%2Fmaster), the URL contains the argument **refs%2Fheads%2Fmaster** that is passed to the `git` command with something like:
```shell
git log --graph refs/head/master
```
If, by accident or maliciously, the branch name with a dash, it would be mistaken to be a `git` argument instead of a branch name. For instance **-h** could be passed to the `git` command as:
```shell
git log --graph -h
```
In reality the `rev-list` command is called before `log` and in Gitea 1.17.2 the debug output will show something like:
```
2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [<options>] <commit-id>... [-- <path>...]
...
```
In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:
```
2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h
2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken
```
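Review bot: the first shell block reads `git log --graph refs/head/master`, but the URL argument quoted in the sentence just above it is `refs%2Fheads%2Fmaster`, i.e. `refs/heads/master`; fix the typo so the command matches the ref it claims to illustrate. In the next paragraph, "If, by accident or maliciously, the branch name with a dash" is missing its verb and should read "If, by accident or maliciously, the branch name starts with a dash". The front matter `description = "."` is a placeholder and should carry a one-line summary of the post. It would also help readers if the text spelled out what the two log excerpts demonstrate: in 1.17.2 the `-h` is handed to `git rev-list`, which runs and fails with `exit status 129` and prints its usage, whereas in 1.17.3 the same request is rejected by Gitea itself with `git command is broken: ... broken args: -h` and no `git` exit status is reported, so the injected option never reaches the `git` binary.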