Date: Thu, 16 Feb 2017 12:08:43 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: git-hub: missing sanitization of data received from GitHub

* Jakub Wilk <jwilk@...lk.net>, 2016-09-29, 17:40:
>git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git
>command-line interface to GitHub. When you ask it to clone a
>repository, it will call:
>
> git clone <repourl> <reponame>
>
>where both <repourl> and <reponame> come from the GitHub API, without any
>sanitization. Operators of the GitHub server (or a MitM attacker[*])
>could exploit it for directory traversal or, more excitingly, for
>arbitrary code execution, either via option injection, e.g.:
>
> git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
>or more directly with git-remote-ext, e.g.:
>
> git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

git-spindle is another GitHub CLI, which can be exploited in the same way:
https://github.com/seveas/git-spindle/issues/154

(git-spindle used to be called "git-hub", but this is a different codebase than sociomantic's git-hub.)

-- 
Jakub Wilk
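As an added example, not code from the post or from either the sociomantic git-hub or git-spindle projects, the following shows the kind of allow-list check a GitHub CLI can apply to the API-supplied repository URL and directory name before they reach `git clone`. The accepted URL shapes, the character set, and the function names are assumptions made for this illustration; the rejected inputs are the two payload shapes quoted in the post plus a directory-traversal name. Note that `--` only stops git's option parsing; it does nothing about a URL that git itself interprets (such as the `ext::` helper), which is why the URL shape is validated as well.

```python
import re
import subprocess

# Constructed allow-list (an assumption for this example; a real tool may
# accept more shapes). Each path segment must start with a letter, digit or
# underscore, so it can never be '-option', '.', '..' or a hidden name.
_SEGMENT = r"[A-Za-z0-9_][A-Za-z0-9_.-]*"
REPO_URL = re.compile(
    r"(?:https://github\.com/|git@github\.com:)" + _SEGMENT + "/" + _SEGMENT
)
# The clone target is a single path component: no '/', no leading '-' or '.'.
TARGET_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


class UntrustedInput(ValueError):
    """Raised when data received from the API does not match the expected shape."""


def validate_clone_args(url, name):
    """Return a list of reasons the (url, name) pair is unsafe; empty means usable."""
    problems = []
    # Rejects URLs starting with '-' (option injection), 'ext::' and other
    # remote-helper prefixes, and hosts other than github.com.
    if not REPO_URL.fullmatch(url):
        problems.append("repository URL does not match an expected GitHub URL: %r" % url)
    # Rejects '--config=...' style names, '../..' traversal and absolute paths.
    if not TARGET_NAME.fullmatch(name):
        problems.append("target directory is not a plain path component: %r" % name)
    return problems


def build_clone_argv(url, name):
    """Build argv for git clone; '--' is a second line of defence so both
    remaining words are positional even if the checks above are later relaxed."""
    problems = validate_clone_args(url, name)
    if problems:
        raise UntrustedInput("; ".join(problems))
    return ["git", "clone", "--", url, name]


def clone(url, name):
    """Run the validated command as an argv list, never through a shell."""
    return subprocess.run(build_clone_argv(url, name), check=True)


if __name__ == "__main__":
    # Constructed samples: one benign pair, the two payload shapes from the
    # post, and a traversal attempt on the directory name.
    samples = [
        ("https://github.com/sociomantic-tsunami/git-hub", "git-hub"),
        (r'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/', "--config=core.gitProxy=perl"),
        ("ext::sh -c cowsay% pwned% >% /dev/tty", "moo"),
        ("https://github.com/example/repo", "../../.ssh"),
    ]
    for url, name in samples:
        problems = validate_clone_args(url, name)
        print("OK    " if not problems else "REJECT", repr(url), repr(name), *problems)
```

Only `validate_clone_args` and `build_clone_argv` are pure; `clone` actually invokes git and is included to show that the argv list is passed directly to `subprocess.run` rather than being joined into a shell string.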