Update dependency gitpython to v3.1.33 [SECURITY] #17
This PR contains the following updates: gitpython `==3.1.31` -> `==3.1.33`
GitHub Vulnerability Alerts

CVE-2023-40590

Summary

When resolving a program, Python/Windows look in the current working directory first, and after that in the PATH environment (see the big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to using the `git` command; if a user runs GitPython from a repo that has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`.
Details

This is more of a problem with how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But people using GitPython probably usually run it from the CWD of a repo.

The execution of the `git` command happens in:
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.
PoC

On a Windows system, create a `git.exe` or `git` executable in any directory, and import or run GitPython from that directory. The git executable from the current directory will be run.
Impact

An attacker can trick a user into downloading a repository with a malicious `git` executable; if the user runs/imports GitPython from that directory, it allows the attacker to run arbitrary commands.

Possible solutions

- … `C:\Program Files\Git\cmd\git.EXE` (default git path installation).
- … `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems.
- … `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path.
- … `PATH` environment variable (suggested by @Byron).

Note

This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it and a fix can be provided.
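An added example, not GitPython's own code: a resolver that implements the "only look in `PATH`" mitigation from the possible solutions above, honouring an absolute `GIT_PYTHON_GIT_EXECUTABLE` and skipping any `PATH` entry that would resolve against the CWD, plus a small check for a `git` planted in the working directory. The function names and the `demo_fixture` helper (which builds a constructed temporary layout to run the resolver against) are assumptions of this example.

```python
"""Resolve `git` from PATH only, never from the current working directory."""
import os
import stat
import sys
import tempfile

ENV_OVERRIDE = "GIT_PYTHON_GIT_EXECUTABLE"  # variable named in the advisory


def _runnable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_git(env=None, name="git"):
    """Absolute path to `name`, or None. An absolute GIT_PYTHON_GIT_EXECUTABLE
    wins; otherwise only absolute PATH entries are searched ('', '.' and
    relative entries resolve against the CWD, which is exactly the hole)."""
    env = os.environ if env is None else env
    override = env.get(ENV_OVERRIDE, "")
    if override and os.path.isabs(override) and _runnable(override):
        return override
    # The Windows shell would also try git.exe (a fuller version expands PATHEXT).
    names = [name + ".exe", name] if sys.platform == "win32" else [name]
    for entry in env.get("PATH", "").split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            continue
        for cand in names:
            full = os.path.join(entry, cand)
            if _runnable(full):
                return full
    return None


def cwd_shadows_git(cwd=None, name="git"):
    """Detection: does `cwd` hold a file a CWD-first lookup would run as git?"""
    cwd = os.getcwd() if cwd is None else cwd
    return any(os.path.isfile(os.path.join(cwd, n)) for n in (name, name + ".exe"))


def demo_fixture():
    """Constructed layout: a 'repo' dir with a planted git, and a 'trusted' dir."""
    paths = {"base": tempfile.mkdtemp()}
    for label in ("repo", "trusted"):
        d = os.path.join(paths["base"], label)
        os.mkdir(d)
        exe = os.path.join(d, "git")
        with open(exe, "w") as f:
            f.write("#!/bin/sh\necho fake git from %s\n" % label)
        os.chmod(exe, os.stat(exe).st_mode | stat.S_IXUSR)
        paths[label], paths[label + "_git"] = d, exe
    return paths
```

Pointing `GIT_PYTHON_GIT_EXECUTABLE` at an absolute path is the operational equivalent of the first branch in `resolve_git`; the second branch is what a library would do when no override is set.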
Release Notes

gitpython-developers/GitPython (gitpython)

v3.1.33: with security fix (Compare Source)

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.32...3.1.33

v3.1.32: with another security update (Compare Source)

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.