Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: update dependency gitpython to v3.1.41 [security] #2625

Conversation

renovate-bot
Copy link
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
GitPython ==3.1.40 -> ==3.1.41 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-22190

Summary

This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository.

Details

Although GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.

When a shell is used

GitPython can be told to run git commands through a shell rather than as direct subprocesses, by passing shell=True to any method that accepts it, or by both setting Git.USE_SHELL = True and not passing shell=False. Then the Windows cmd.exe shell process performs the path search, and GitPython does not prevent that shell from finding and running git in the current directory.

When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call. Although the cmd.exe shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.

Furthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location.

This also applies if Git.execute is called directly with shell=True (or after Git.USE_SHELL = True) to run any command.

When hook scripts are run

On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory.

This allows the author of an untrusted fork or branch to cause a malicious bash.exe to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious bash.exe and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious bash.exe.

Note that, while bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

PoC

On Windows, create a git.exe file in a repository. Then create a Repo object, and call any method through it (directly or indirectly) that supports the shell keyword argument with shell=True:

mkdir testrepo
git init testrepo
cp ... testrepo git.exe # Replace "..." with any executable of choice.
python -c "import git; print(git.Repo('testrepo').git.version(shell=True))"

The git.exe executable in the repository directory will be run.

Or use no Repo object, but do it from the location with the git.exe:

cd testrepo
python -c "import git; print(git.Git().version(shell=True))"

The git.exe executable in the current directory will be run.

For the scenario with hooks, install a hook in a repository, create a bash.exe file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:

mkdir testrepo
cd testrepo
git init
mv .git/hooks/pre-commit.sample .git/hooks/pre-commit
cp ... bash.exe # Replace "..." with any executable of choice.
echo "Some text" >file.txt
git add file.txt
python -c "import git; git.Repo().index.commit('Some message')"

The bash.exe executable in the current directory will be run.

Impact

The greatest impact is probably in applications that set Git.USE_SHELL = True for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run git, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.

An application that does not direct GitPython to use a shell to run git subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running bash.exe to interpret hooks. So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.

Possible solutions

A straightforward approach would be to address each bug directly:

  • When a shell is used, pass NoDefaultCurrentDirectoryInExePath into the subprocess environment, because in that scenario the subprocess is the cmd.exe shell that itself performs the path search.
  • Set NoDefaultCurrentDirectoryInExePath in the GitPython process environment during the Popen call made to run hooks with a bash.exe subprocess.

These need only be done on Windows.


Release Notes

gitpython-developers/GitPython (GitPython)

v3.1.41: - fix Windows security issue

Compare Source

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.40...3.1.41


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot requested a review from a team as a code owner April 5, 2024 23:24
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Apr 5, 2024
@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Apr 5, 2024
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Apr 5, 2024
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 5, 2024
Copy link

sonarqubecloud bot commented Apr 5, 2024

Quality Gate Passed Quality Gate passed for 'gapic-generator-java-root'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Copy link

sonarqubecloud bot commented Apr 5, 2024

Quality Gate Passed Quality Gate passed for 'java_showcase_integration_tests'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@JoeWang1127 JoeWang1127 merged commit e41bd8f into googleapis:main Apr 6, 2024
28 of 29 checks passed
@renovate-bot renovate-bot deleted the renovate/pypi-GitPython-vulnerability branch April 6, 2024 01:00
lqiu96 pushed a commit that referenced this pull request Apr 18, 2024
🤖 I have created a release *beep* *boop*
---


<details><summary>2.39.0</summary>

##
[2.39.0](v2.38.1...v2.39.0)
(2024-04-18)


### Features

* add `libraries_bom_version` to generation configuration
([#2639](#2639))
([56c7ca5](56c7ca5))
* Add ChannelPoolSettings Getter for gRPC's ChannelProvider
([#2612](#2612))
([d0c5191](d0c5191))
* add config change
([#2604](#2604))
([8312706](8312706))
* add entry point
([#2616](#2616))
([b19fa33](b19fa33))
* add generation config comparator
([#2587](#2587))
([a94c2f0](a94c2f0))
* Add JavadocJar Task to build.gradle for self service libraries
([#2593](#2593))
([993f5ac](993f5ac))
* Client/StubSettings' getEndpoint() returns the resolved endpoint
([#2440](#2440))
([4942bc1](4942bc1))
* generate selected libraries
([#2598](#2598))
([739ddbb](739ddbb))
* Validate the Universe Domain inside Java-Core
([#2592](#2592))
([35d789f](35d789f))


### Bug Fixes

* add main to `generate_repo.py`
([#2607](#2607))
([fedeb32](fedeb32))
* correct deep-remove and deep-preserve regexes
([#2572](#2572))
([4c7fd88](4c7fd88))
* first attempt should use the min of RPC timeout and total timeout
([#2641](#2641))
([0349232](0349232))
* remove duplicated calls to AutoValue builders
([#2636](#2636))
([53a3727](53a3727))
* remove unnecessary slf4j and AbstractGoogleClientRequest native image
configs
([0cb7d0e](0cb7d0e))
* remove unnecessary slf4j and AbstractGoogleClientRequest native image
configs
([#2628](#2628))
([0cb7d0e](0cb7d0e))


### Dependencies

* update arrow.version to v15.0.2
([#2589](#2589))
([777acf3](777acf3))
* update dependency
com.google.cloud.opentelemetry:detector-resources-support to v0.28.0
([#2649](#2649))
([e4ed176](e4ed176))
* update dependency gitpython to v3.1.41 [security]
([#2625](#2625))
([e41bd8f](e41bd8f))
* update dependency net.bytebuddy:byte-buddy to v1.14.13
([#2646](#2646))
([73ac5a4](73ac5a4))
* update dependency org.threeten:threeten-extra to v1.8.0
([#2650](#2650))
([226325a](226325a))
* update dependency org.threeten:threetenbp to v1.6.9
([#2602](#2602))
([371753e](371753e))
* update dependency org.threeten:threetenbp to v1.6.9
([#2665](#2665))
([8935bc8](8935bc8))
* update google api dependencies
([#2584](#2584))
([cd20604](cd20604))
* update googleapis/java-cloud-bom digest to 7071341
([#2608](#2608))
([8d74140](8d74140))
* update netty dependencies to v4.1.109.final
([#2597](#2597))
([8990693](8990693))
* update opentelemetry-java monorepo to v1.37.0
([#2652](#2652))
([f8fa2e9](f8fa2e9))
* update protobuf dependencies to v3.25.3
([#2491](#2491))
([b0e5041](b0e5041))
* update slf4j monorepo to v2.0.13
([#2647](#2647))
([f030e29](f030e29))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
lqiu96 pushed a commit that referenced this pull request May 22, 2024
🤖 I have created a release *beep* *boop*
---


<details><summary>2.39.0</summary>

##
[2.39.0](v2.38.1...v2.39.0)
(2024-04-18)


### Features

* add `libraries_bom_version` to generation configuration
([#2639](#2639))
([56c7ca5](56c7ca5))
* Add ChannelPoolSettings Getter for gRPC's ChannelProvider
([#2612](#2612))
([d0c5191](d0c5191))
* add config change
([#2604](#2604))
([8312706](8312706))
* add entry point
([#2616](#2616))
([b19fa33](b19fa33))
* add generation config comparator
([#2587](#2587))
([a94c2f0](a94c2f0))
* Add JavadocJar Task to build.gradle for self service libraries
([#2593](#2593))
([993f5ac](993f5ac))
* Client/StubSettings' getEndpoint() returns the resolved endpoint
([#2440](#2440))
([4942bc1](4942bc1))
* generate selected libraries
([#2598](#2598))
([739ddbb](739ddbb))
* Validate the Universe Domain inside Java-Core
([#2592](#2592))
([35d789f](35d789f))


### Bug Fixes

* add main to `generate_repo.py`
([#2607](#2607))
([fedeb32](fedeb32))
* correct deep-remove and deep-preserve regexes
([#2572](#2572))
([4c7fd88](4c7fd88))
* first attempt should use the min of RPC timeout and total timeout
([#2641](#2641))
([0349232](0349232))
* remove duplicated calls to AutoValue builders
([#2636](#2636))
([53a3727](53a3727))
* remove unnecessary slf4j and AbstractGoogleClientRequest native image
configs
([0cb7d0e](0cb7d0e))
* remove unnecessary slf4j and AbstractGoogleClientRequest native image
configs
([#2628](#2628))
([0cb7d0e](0cb7d0e))


### Dependencies

* update arrow.version to v15.0.2
([#2589](#2589))
([777acf3](777acf3))
* update dependency
com.google.cloud.opentelemetry:detector-resources-support to v0.28.0
([#2649](#2649))
([e4ed176](e4ed176))
* update dependency gitpython to v3.1.41 [security]
([#2625](#2625))
([e41bd8f](e41bd8f))
* update dependency net.bytebuddy:byte-buddy to v1.14.13
([#2646](#2646))
([73ac5a4](73ac5a4))
* update dependency org.threeten:threeten-extra to v1.8.0
([#2650](#2650))
([226325a](226325a))
* update dependency org.threeten:threetenbp to v1.6.9
([#2602](#2602))
([371753e](371753e))
* update dependency org.threeten:threetenbp to v1.6.9
([#2665](#2665))
([8935bc8](8935bc8))
* update google api dependencies
([#2584](#2584))
([cd20604](cd20604))
* update googleapis/java-cloud-bom digest to 7071341
([#2608](#2608))
([8d74140](8d74140))
* update netty dependencies to v4.1.109.final
([#2597](#2597))
([8990693](8990693))
* update opentelemetry-java monorepo to v1.37.0
([#2652](#2652))
([f8fa2e9](f8fa2e9))
* update protobuf dependencies to v3.25.3
([#2491](#2491))
([b0e5041](b0e5041))
* update slf4j monorepo to v2.0.13
([#2647](#2647))
([f030e29](f030e29))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
size: xs Pull request size is extra small.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants