+++
title = "[security] Gitea < 1.17.3 git option injection explained"
date = 2022-10-17
description = "Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server."

[taxonomies]
tags = ['gna', 'gitea', 'security', 'problem', 'upgrade', 'solution']

[extra]
author = 'dachary'
+++

Gitea 1.17.3 includes a security patch that prevents the injection of arguments to the git command run by Gitea.

When displaying the commit graph for the master branch, the URL contains the argument refs%2Fheads%2Fmaster (the URL-encoded form of refs/heads/master), which is passed to the git command with something like:

```
git log --graph refs/heads/master
```

If, by accident or maliciously, the branch name starts with a dash, it is mistaken for a git option instead of a branch name. For instance -h could be passed to the git command as:

```
git log --graph -h
```

In reality the rev-list command is called before log, and in Gitea 1.17.2 the debug output shows something like:

```
2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [<options>] <commit-id>... [-- <path>...]
...
```

In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:

```
2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h
2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken
```
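The behaviour in the two log excerpts above, as an added Go example that is not Gitea's own code: a branch name taken from the URL is refused before it reaches the `rev-list --count` argv if it starts with a dash, and the caller falls back to running without branches. The function names and the log wording are illustrative assumptions, not Gitea's.

```go
package main

import (
	"fmt"
	"strings"
)

// checkRefArgs refuses untrusted ref names (branch names taken from the
// commit-graph URL) that git would parse as options rather than refs. The
// error text mirrors the "broken args" line Gitea 1.17.3 logs.
func checkRefArgs(refs []string) error {
	var broken []string
	for _, r := range refs {
		if strings.HasPrefix(r, "-") {
			broken = append(broken, r)
		}
	}
	if len(broken) > 0 {
		return fmt.Errorf("git command is broken, broken args: %s", strings.Join(broken, " "))
	}
	return nil
}

// revListCountArgs builds the argv for `git rev-list --count <refs>`, the call
// the graph page makes before `git log`, validating the refs first.
func revListCountArgs(refs []string) ([]string, error) {
	if err := checkRefArgs(refs); err != nil {
		return nil, err
	}
	return append([]string{"rev-list", "--count"}, refs...), nil
}

// graphCountArgs reproduces the fallback in the log: if the requested branches
// are rejected, warn and retry without them. The bool reports the fallback.
func graphCountArgs(refs []string) ([]string, bool, error) {
	args, err := revListCountArgs(refs)
	if err == nil {
		return args, false, nil
	}
	fmt.Printf("[W] GetCommitGraphsCount error for branches %v, will ignore branches and try again: %v\n", refs, err)
	args, err = revListCountArgs(nil)
	return args, true, err
}

func main() {
	for _, refs := range [][]string{{"refs/heads/master"}, {"-h"}} {
		args, ignored, err := graphCountArgs(refs)
		fmt.Printf("refs=%v argv=%v ignored=%v err=%v\n", refs, args, ignored, err)
	}
}
```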