-
Notifications
You must be signed in to change notification settings - Fork 562
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix CVE-2024-53859 by applying the patch in the vendor directory for …
…go-gh module
- Loading branch information
1 parent
2f3f2f9
commit 33c91f9
Showing
2 changed files
with
81 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| From 5d6079f8ad16f553cdaea1d56fedcb4a3a1db082 Mon Sep 17 00:00:00 2001 | ||
| From: William Martin <[email protected]> | ||
| Date: Thu, 31 Oct 2024 14:07:48 +0100 | ||
| Subject: [PATCH] Fix token exposure for non-gh hosts in codespaces | ||
|
|
||
| This commit introduces a fix for `GITHUB_TOKEN` being exposed to non-github hosts while in a codespace. We no longer return the `GITHUB_TOKEN` for any host except github.com and github.localhost while in a codespace (while the env var `CODESPACES` is `true`). | ||
|
|
||
| This commit also changes how tokens are returned when no oAuth token is found in a config. Previously, an empty string and the `oauthToken` source was returned. Now, we return an empty string and the `defaultSource` source. The intention behind this change is to make more logical sense by not returning an `oauthToken` source when we didn't get any token. It's also worth mentioning that this change also improves our test coverage - all lines in `tokenForHost` are now covered by tests, and we don't have unreachable code. | ||
|
|
||
| Co-authored-by: Kynan Ware <[email protected]> | ||
|
|
||
| Modified patch to apply to AzureLinux | ||
| Modified-by: Sandeep Karambelkar <[email protected]> | ||
| --- | ||
| pkg/auth/auth.go | 27 ++++++++---- | ||
| 1 file changed, 91 insertions(+), 33 deletions(-) | ||
|
|
||
| diff --git a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go | ||
| index a903736..4378e75 100644 | ||
| --- a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go | ||
| +++ b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go | ||
| @@ -63,6 +63,15 @@ func TokenFromEnvOrConfig(host string) (string, string) { | ||
|
|
||
| func tokenForHost(cfg *config.Config, host string) (string, string) { | ||
| host = NormalizeHostname(host) | ||
| + | ||
| + if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces { | ||
| + if host == github || host == localhost { | ||
| + if token := os.Getenv(githubToken); token != "" { | ||
| + return token, githubToken | ||
| + } | ||
| + } | ||
| + } | ||
| + | ||
| if IsEnterprise(host) { | ||
| if token := os.Getenv(ghEnterpriseToken); token != "" { | ||
| return token, ghEnterpriseToken | ||
| @@ -70,25 +79,25 @@ func tokenForHost(cfg *config.Config, host string) (string, string) { | ||
| if token := os.Getenv(githubEnterpriseToken); token != "" { | ||
| return token, githubEnterpriseToken | ||
| } | ||
| - if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces { | ||
| - if token := os.Getenv(githubToken); token != "" { | ||
| - return token, githubToken | ||
| - } | ||
| - } | ||
| if cfg != nil { | ||
| - token, _ := cfg.Get([]string{hostsKey, host, oauthToken}) | ||
| - return token, oauthToken | ||
| + if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" { | ||
| + return token, oauthToken | ||
| + } | ||
| } | ||
| + return "", defaultSource | ||
| } | ||
| + | ||
| if token := os.Getenv(ghToken); token != "" { | ||
| return token, ghToken | ||
| } | ||
| if token := os.Getenv(githubToken); token != "" { | ||
| return token, githubToken | ||
| } | ||
| + | ||
| if cfg != nil { | ||
| - token, _ := cfg.Get([]string{hostsKey, host, oauthToken}) | ||
| - return token, oauthToken | ||
| + if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" { | ||
| + return token, oauthToken | ||
| + } | ||
| } | ||
| return "", defaultSource | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: GitHub official command line tool | ||
| Name: gh | ||
| Version: 2.62.0 | ||
| Release: 2%{?dist} | ||
| Release: 3%{?dist} | ||
| License: MIT | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -15,6 +15,7 @@ Source1: %{name}-%{version}-vendor.tar.gz | |
|
|
||
| Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch | ||
| Patch1: CVE-2024-54132.patch | ||
| Patch2: CVE-2024-53859.patch | ||
| BuildRequires: golang < 1.23 | ||
| BuildRequires: git | ||
| Requires: git | ||
|
|
@@ -25,10 +26,12 @@ Requires: git | |
| GitHub official command line tool. | ||
|
|
||
| %prep | ||
| %autosetup -p1 -n cli-%{version} | ||
| # Don't patch during setup to apply vendor package 'go-gh' patch CVE-2024-53859.patch | ||
| %autosetup -N -n cli-%{version} | ||
| tar --no-same-owner -xf %{SOURCE1} | ||
| %autopatch -p1 | ||
|
|
||
| %build | ||
| tar --no-same-owner -xf %{SOURCE1} | ||
| export GOPATH=%{our_gopath} | ||
| # No mod download use vednor cache locally | ||
| export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external" | ||
|
|
@@ -57,6 +60,9 @@ make test | |
| %{_datadir}/zsh/site-functions/_gh | ||
|
|
||
| %changelog | ||
| * Wed Jan 08 2025 Sandeep Karambelkar <[email protected]> - 2.62.0-3 | ||
| - Patch CVE-2024-53859 | ||
|
|
||
| * Fri Dec 13 2024 Sandeep Karambelkar <[email protected]> - 2.62.0-2 | ||
| - Patch CVE-2024-54132 | ||
|
|
||
|
|
||