[security] Gitea < 1.17.3 git option injection explained
Gitea 1.17.3 includes a security patch that prevents the injection of arguments to the git command run by Gitea.
When displaying the commit graph for the master branch, the URL contains the argument refs%2Fheads%2Fmaster that is passed to the git
command with something like:
git log --graph refs/head/master
If, by accident or maliciously, the branch name with a dash, it would be mistaken to be a git
argument instead of a branch name. For instance -h could be passed to the git
command as:
git log --graph -h
In reality the rev-list
command is called before log
and in Gitea 1.17.2 the debug output will show something like:
2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [<options>] <commit-id>... [-- <path>...]
...
In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:
2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h
2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken