Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: harden for option injection #40

Merged
merged 4 commits into from
Mar 13, 2024
Merged

fix: harden for option injection #40

merged 4 commits into from
Mar 13, 2024

Conversation

sparten11740
Copy link
Collaborator

Explicitly whitelist the flags that can be used with the commit and resetLastCommit function

Closes #37

@sparten11740 sparten11740 self-assigned this Mar 13, 2024
@sparten11740 sparten11740 changed the title fix: haden for option injection fix: harden for option injection Mar 13, 2024
@sparten11740 sparten11740 force-pushed the sparten11740/fix/harden-for-option-injection branch from 49bffee to 6701f3f Compare March 13, 2024 14:21
@sparten11740 sparten11740 merged commit adf651a into master Mar 13, 2024
2 checks passed
@sparten11740 sparten11740 deleted the sparten11740/fix/harden-for-option-injection branch March 13, 2024 14:25
mbaraniak-exodus
mbaraniak-exodus reviewed Mar 13, 2024
View reviewed changes
Copy link

@mbaraniak-exodus mbaraniak-exodus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed. The implementation is way more secure than it was, but I would still recommend hardening.

src/utils/git.ts

export function add(pathSpecs: string[]) {
assert(
pathSpecs.every((it) => !it.startsWith('-')),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, this check in some corner cases will not be enough. There are multiple shell characters which will bypass this restriction. For example, run next command in bash:

git add ``-e
: !/bin/sh

git add ${}-e
: !/bin/sh

Our current implementation in not passing shell option to the nodeSpawnSync, leaving us safe.

const { stdout, stderr, status } = nodeSpawnSync(command, args, { encoding: 'utf8', ...options })

Nevertheless, if any client (or malicious actor via PP) will pass options with the shell=true, it would be easy to bypass startswith check

> node
const cp = require('child_process')
cp.spawnSync('git', ['add', '``-e'], { encoding: 'utf8', shell:false}) // not vulnerable
{
  status: 128,
  signal: null,
  output: [ null, '', "fatal: pathspec '``-e' did not match any files\n" ],
  pid: 38227,
  stdout: '',
  stderr: "fatal: pathspec '``-e' did not match any files\n"
}
> cp.spawnSync('git', ['add', '``-e'], { encoding: 'utf8', shell:true}) // vulnerable

@sparten11740 sparten11740 mentioned this pull request Mar 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbaraniak-exodus mbaraniak-exodus mbaraniak-exodus left review comments

@mvayngrib mvayngrib mvayngrib approved these changes

Assignees

@sparten11740 sparten11740

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Option injection hardening, src/utils/git.ts
3 participants
@sparten11740 @mvayngrib @mbaraniak-exodus