<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width" />
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
<link rel="manifest" href="/site.webmanifest" />
<link rel="me" href="https://pouet.chapril.org/@gna" />
<link rel="stylesheet" href="https://gna.org/main.css" />
<link
rel="stylesheet"
media="screen and (max-width: 1300px)"
href="https://gna.org/mobile.css"
/>
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Gitea Hosting </title>
<meta name="description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />
<meta property="og:title" content="[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Gitea Hosting " />
<meta property="og:type" content="article" />
<meta property="og:url" content="https:&#x2F;&#x2F;gna.org" />
<meta property="og:description" content="Prior to Gitea 1.17.3 the web interface that displays the commit graph could be used to inject git options used by the Gitea server." />
<meta
property="og:site_name"
content="[security] Gitea &lt; 1.17.3 git option injection explained | Gna!: Managed Gitea Hosting "
/>
<link
rel="apple-touch-icon"
sizes="57x57"
href="https://gna.org/apple-icon-57x57.png?h=c21de14cfdf862a6472ae977557fa048a7c36d39337e61d3274705e9bd8e857f"
/>
<link
rel="apple-touch-icon"
sizes="60x60"
href="https://gna.org/apple-icon-60x60.png?h=67089d9025a52d0d1ddce450078c7acefe2c150a2427dec9f5e13c6314f74281"
/>
<link
rel="apple-touch-icon"
sizes="72x72"
href="https://gna.org/apple-icon-72x72.png?h=70725943de8884804f9da28202ced0ad6fed483ae9cf8f6d874aa133e30cb693"
/>
<link
rel="apple-touch-icon"
sizes="76x76"
href="https://gna.org/apple-icon-76x76.png?h=1e6e8072df3b21bdcea254a42aac6e993611e845f91ddd79f6f35a6c441710a5"
/>
<link
rel="apple-touch-icon"
sizes="114x114"
href="https://gna.org/apple-icon-114x114.png?h=c20099f8190ed3962fab5726c5594857a871cdb3ee98439343c622cd3727fed6"
/>
<link
rel="apple-touch-icon"
sizes="120x120"
href="https://gna.org/apple-icon-120x120.png?h=4df78e402e60b58c6d44764678bdd737b5b6a836aeb85fb75fa49f706f7e8c81"
/>
<link
rel="apple-touch-icon"
sizes="144x144"
href="https://gna.org/apple-icon-144x144.png?h=0c44e6655d714f89ee95cc151032d1f0dc3204bd24d1ca2ee9d94692d4ede84d"
/>
<link
rel="apple-touch-icon"
sizes="152x152"
href="https://gna.org/apple-icon-152x152.png?h=157918f883ff95d4eeb6452d0ebb61ca5e21ea0dcac1aefe825f3e2f3999052f"
/>
<link
rel="apple-touch-icon"
sizes="180x180"
href="https://gna.org/apple-icon-180x180.png?h=7d5c16d379b7db6d8ea5aae64921d7162b84f543763acd8fc7c107f80a600213"
/>
<link
rel="icon"
type="image/png"
sizes="192x192"
href="https://gna.org/android-icon-192x192.png?h=095e3835b082dba07f606c33fa6f71bcd671a71e987b0ab2e46dcddceef52b9c"
/>
<link
rel="icon"
type="image/png"
sizes="32x32"
href="https://gna.org/favicon-32x32.png?h=1bf54bf111572b1d1639192b5360ee4345f702e563aa71bb66610a95a7290437"
/>
<link
rel="icon"
type="image/png"
sizes="96x96"
href="https://gna.org/favicon-96x96.png?h=5a6ed96c09f5055526e3b236867a1272a26f7ba957d48b267bccd51ef0845fbe"
/>
<link
rel="icon"
type="image/png"
sizes="16x16"
href="https://gna.org/favicon-16x16.png?h=1e5fa59ae78516055f662e40bb2599dc3828a7adb34567e9d8d2cfcaa6b7aa5f"
/>
<link
rel="manifest"
href="https://gna.org/manifest.json?h=27eca3e8297eb7ff340deb3849b210185a459b3845456aa4d0036f6d966b3518"
/>
<meta name="msapplication-TileColor" content="#ffffff" />
<meta
name="msapplication-TileImage"
content="https://gna.org/ms-icon-144x144.png?h=8170ab51b871b84b8f98bd03cf441afdffb2998b7dfffb04abb7ebf5deeb1f94"
/>
<meta name="theme-color" content="#ffffff" />
</head>
<body class="base">
<header>
<nav class="nav__container">
<input type="checkbox" class="nav__toggle" id="nav__toggle" />
<div class="nav__header">
<a class="nav__logo-container" href="/">
<img src="https://gna.org/gna-logo-rectangle-48px.png?h=ba9eab043277265f94c51b87d5e14f9ca35789403ecb8afc9bd1e33b13c6a2a5" alt="Gna!"/>
</a>
<label class="nav__hamburger-menu" for="nav__toggle">
<span class="nav__hamburger-inner"></span>
</label>
</div>
<div class="nav__spacer--small"></div>
<div class="nav__link-group">
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="&#x2F;about&#x2F;">About</a>
</div>
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="&#x2F;blog&#x2F;">Blog</a>
</div>
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;matrix.to&#x2F;#&#x2F;#gna:matrix.batsense.net">Chat</a>
</div>
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="&#x2F;gitea-clinic&#x2F;">Clinic</a>
</div>
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;forum.gna.org">Forum</a>
</div>
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;pouet.chapril.org&#x2F;@gna">Mastodon</a>
</div>
</div>
<div class="nav__spacer"></div>
<div class="nav__link-group--small">
<div class="nav__link-container">
<a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;hosteadashboard.gna.org&#x2F;login&#x2F;">Login</a>
</div>
<div class="nav__link-container--action">
<a class="nav__link" rel="noreferrer" href="https:&#x2F;&#x2F;hosteadashboard.gna.org&#x2F;register&#x2F;">Join</a>
</div>
</div>
</nav>
</header>
<!-- See ../sass/main.scss. Required for pushing footer to the very
bottom of the page -->
<div class="main__content-container">
<main>
<div class="page__container">
<h1 class="page__group-title">[security] Gitea &lt; 1.17.3 git option injection explained</h1>
<p class="blog__post-meta">
<a href="https:&#x2F;&#x2F;dachary.org" class="post__author">Loïc Dachary</a>
&middot; 17 October 2022 &middot; <b>2 min read</b>
</p>
<div class="blog__content">
<p><a href="https://pouet.chapril.org/@gna/109176306611564720">Gitea 1.17.3</a> includes a <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/commit/d98c5db58fdeded983bf5c0fe781fd7b77a1235f">security patch</a> that prevents the injection of arguments to the git command run by Gitea.</p>
<p>When displaying the commit graph <a href="https://gitea.gna.org/Gna/organization/graph?branch=refs%2Fheads%2Fmaster">for the master branch</a>, the URL contains the argument <strong>refs%2Fheads%2Fmaster</strong> that is passed to the <code>git</code> command with something like:</p>
<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph refs/heads/master
</span></code></pre>
<p>If, by accident or maliciously, the branch name starts with a dash, it is mistaken for a <code>git</code> option instead of a branch name. For instance <strong>-h</strong> could be passed to the <code>git</code> command as:</p>
<pre data-lang="shell" style="background-color:#2b303b;color:#c0c5ce;" class="language-shell "><code class="language-shell" data-lang="shell"><span>git log --graph -h
</span></code></pre>
<p>In reality, the <code>rev-list</code> command is called before <code>log</code>, and in Gitea 1.17.2 the debug output shows something like:</p>
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:17:17 ...s/web/repo/commit.go:124:Graph() [W] [634d017d] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: exit status 129 - usage: git rev-list [&lt;options&gt;] &lt;commit-id&gt;... [-- &lt;path&gt;...]
</span><span>...
</span></code></pre>
<p>In Gitea 1.17.3 when the same command is run, the option is discarded and the debug output shows something like:</p>
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>2022/10/17 07:25:05 ...dules/git/command.go:166:Run() [E] [634d0351] git command is broken: /usr/bin/git -c protocol.version=2 -c uploadpack.allowfilter=true -c uploadpack.allowAnySHA1InWant=true -c credential.helper= rev-list --count, broken args: -h
</span><span>2022/10/17 07:25:05 ...s/web/repo/commit.go:124:Graph() [W] [634d0351] GetCommitGraphsCount error for generate graph exclude prs: false branches: [-h] in 1:root/test, Will Ignore branches and try again. Underlying Error: git command is broken
</span></code></pre>
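<p>The kind of check that produces the 1.17.3 behaviour above can be written as a small Go type that keeps options chosen in code apart from values taken from the request, and refuses any request-supplied value that starts with a dash. This is an added example, not Gitea's own code; the names <code>GitCommand</code>, <code>AddOptions</code>, <code>AddDynamicArguments</code> and <code>Args</code> are assumptions, and the <code>--end-of-options</code> separator it adds as a second line of defence requires git 2.24 or later.</p>

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBrokenArg is returned when a request-supplied value would be parsed by
// git as an option, the failure the 1.17.3 log above reports as "broken args".
var ErrBrokenArg = errors.New("git command is broken")

// GitCommand (assumed name) keeps options chosen by the program apart from
// values that come from the request (branch names, paths).
type GitCommand struct {
	opts []string // trusted: written in code, e.g. "--graph", "--count"
	dyn  []string // untrusted: taken from the URL, e.g. "refs/heads/master"
}

// AddOptions appends options the program itself chose.
func (c *GitCommand) AddOptions(opts ...string) *GitCommand {
	c.opts = append(c.opts, opts...)
	return c
}

// AddDynamicArguments appends request-supplied values after checking that
// none of them starts with '-', which git would otherwise read as an option.
func (c *GitCommand) AddDynamicArguments(values ...string) error {
	for _, v := range values {
		if strings.HasPrefix(v, "-") {
			return fmt.Errorf("%w, broken args: %s", ErrBrokenArg, v)
		}
	}
	c.dyn = append(c.dyn, values...)
	return nil
}

// Args builds argv. "--end-of-options" (git >= 2.24) is placed before the
// dynamic values as defence in depth: git then treats everything after it
// as a revision or path, never as an option.
func (c *GitCommand) Args() []string {
	args := append([]string{}, c.opts...)
	if len(c.dyn) > 0 {
		args = append(args, "--end-of-options")
		args = append(args, c.dyn...)
	}
	return args
}
```

<p>With this layout a branch named <code>-h</code> is rejected before git is ever spawned, so the server logs one error instead of git's usage text.</p>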
</div>
<br>
<br>
<div class="blog__post-tag-container">
<a class="blog__post-tag" href="/tags/gna">#gna</a>
<a class="blog__post-tag" href="/tags/gitea">#gitea</a>
<a class="blog__post-tag" href="/tags/security">#security</a>
<a class="blog__post-tag" href="/tags/problem">#problem</a>
<a class="blog__post-tag" href="/tags/upgrade">#upgrade</a>
<a class="blog__post-tag" href="/tags/solution">#solution</a>
</div>
</div>
</main>
<footer>
<div class="footer__container">
<!-- <div class="footer__column"> -->
<p class="footer__column license__conatiner">
All text <a
class="license__link"
rel="noreferrer"
href="http://creativecommons.org/licenses/by-sa/4.0/"
target="_blank"
>&nbsp;CC-BY-SA&nbsp;</a
>
&amp; code
<a
class="license__link"
rel="noreferrer"
href="https://www.gnu.org/licenses/agpl-3.0.en.html"
target="_blank"
>&nbsp;AGPL&nbsp;</a
>
|
<a
class="license__link"
rel="noreferrer"
href="https://www.eff.org/issues/do-not-track/amp/"
target="_blank"
>&nbsp;No AMP&nbsp;</a
>
</p>
<!-- </div> -->
<div class="footer__column--center">
<a href="/blog/atom.xml" target="_blank" rel="noopener" title="RSS">
<img
src="https://gna.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
class="footer__icon"
alt="RSS icon"
/>
</a>
</div>
<div class="footer__column">
<a href="/about" title="About">About</a>
<a href="/coc" title="Code of Conduct">CoC</a>
<span class="footer__column-divider--mobile-only">|</span>
<a href="/legalese" title="Legalese">Legalese</a>
<a href="/privacy-policy" title="Privacy Policy">Privacy</a>
<span class="footer__column-divider--mobile-only">|</span>
<a
href="https://gitea.gna.org/Gna"
rel="noreferrer"
target="_blank"
title="Status"
>Source Code</a
>
<a href="/tos" title="Terms of Service">ToS</a>
</div>
</div>
</footer>
</div>
</body>
</html>