Skip to content

Commit 2aa0bee

Browse files
authored
chore(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (open-component-model#2574)
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | indirect | patch | `v5.19.0` → `v5.19.1` | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-git/go-git/badge)](https://securityscorecards.dev/viewer/?uri=github.com/go-git/go-git) | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](..open-component-model/issues/331) for more information. --- ### go-git: Improper single-quote escaping in go-git SSH transport [CVE-2026-45570](https://nvd.nist.gov/vuln/detail/CVE-2026-45570) / [GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp) <details> <summary>More information</summary> #### Details ##### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedded `'` becomes the `'\''` close-escape-reopen sequence and the whole path round-trips as a single quoted argument. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is `/bin/sh` or `/bin/bash`, or a `ForceCommand` wrapper that re-evaluates `$SSH_ORIGINAL_COMMAND`), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical `git-shell` setup, are not affected. The vulnerable behaviour is on the SSH server side, not in `go-git`: the same bytes can be produced by any SSH client. The change in `go-git` is defense-in-depth that restores parity with canonical Git's wire format and prevents `go-git` from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths. ##### Patches Users should upgrade to a patched version in order to mitigate this issue. The fix ports `sq_quote_buf` from canonical Git into `go-git`'s SSH transport so that the wire output is byte-identical to what `git` itself would send for the same input. Versions prior to `v5` are likely to be affected, users are recommended to upgrade to a supported go-git version. ##### Credit Thanks to @&#8203;N0zoM1z0 for reporting this to the `go-git` project. :bow: #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp) - [https://github.com/advisories/GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### go-git: Crafted repositories may modify main and submodule .git directories [CVE-2026-45571](https://nvd.nist.gov/vuln/detail/CVE-2026-45571) / [GHSA-crhj-59gh-8x96](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96) <details> <summary>More information</summary> #### Details ##### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. Some attack vectors were platform-specific: certain payloads affected only Windows users, others affected only macOS users, and some applied across all supported platforms. Using non-descendant `go-billy` filesystem instances, or different filesystem types, for the `Storer` and `Worktree` may provide some isolation against `.git` directory manipulation. For example, users that store the `.git` directory through `memfs` while using `osfs` for the worktree are not affected by this vulnerability in the main repository, because repository metadata is not materialized inside the worktree filesystem. However, this isolation does not necessarily apply when the repository contains submodules, since submodule dotgit directories may still be represented or materialized within the worktree context. It is important to note that exploitation requires a maliciously crafted repository payload. Users should always exercise caution when interacting with repositories or Git servers they do not trust. ##### Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to `v5` are likely to be affected, users are recommended to upgrade to a supported go-git version. ##### Credits Thanks to @&#8203;kodareef5, @&#8203;AyushParkara and @&#8203;N0zoM1z0 for reporting this to the go-git project in three separate reports. 🙇 #### Severity - CVSS Score: 5.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96) - [https://github.com/advisories/GHSA-crhj-59gh-8x96](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.19.1`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.1) [Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.19.0...v5.19.1) #### What's Changed - v5: plumbing: transport/ssh, Shell-quote path by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2068](https://redirect.github.com/go-git/go-git/pull/2068) - v5: git: submodule, Fix relative URL resolution by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2070](https://redirect.github.com/go-git/go-git/pull/2070) - v5: git: submodule, canonical remote for relative URLs by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2074](https://redirect.github.com/go-git/go-git/pull/2074) - v5: git: submodule, error on remote without URLs by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2078](https://redirect.github.com/go-git/go-git/pull/2078) - v5: plumbing: format/idxfile, Validate offset64 indices by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2084](https://redirect.github.com/go-git/go-git/pull/2084) - v5: \*: Reject malformed variable-length integers by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2092](https://redirect.github.com/go-git/go-git/pull/2092) - v5: plumbing: format/packfile, Tighten delta validation by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2091](https://redirect.github.com/go-git/go-git/pull/2091) - v5: Add `worktreeFilesystem` wrapper for worktree and hardening by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2100](https://redirect.github.com/go-git/go-git/pull/2100) - v5: config: validate submodule names by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2082](https://redirect.github.com/go-git/go-git/pull/2082) - build: Update module github.com/go-git/go-git/v5 to v5.19.0 \[SECURITY] (releases/v5.x) by [@&#8203;go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in [#&#8203;2111](https://redirect.github.com/go-git/go-git/pull/2111) - v5: git: Allow MkdirAll on worktree-root paths by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2117](https://redirect.github.com/go-git/go-git/pull/2117) - v5: git: Stop validating symlink target paths by [@&#8203;pjbgf](https://redirect.github.com/pjbgf) in [#&#8203;2116](https://redirect.github.com/go-git/go-git/pull/2116) - v5: plumbing: format decoder input bounds and contracts by [@&#8203;hiddeco](https://redirect.github.com/hiddeco) in [#&#8203;2125](https://redirect.github.com/go-git/go-git/pull/2125) - plumbing: format/packfile, cap delta chain depth in parser by [@&#8203;pjbgf](https://redirect.github.com/pjbgf) in [#&#8203;2137](https://redirect.github.com/go-git/go-git/pull/2137) **Full Changelog**: <go-git/go-git@v5.19.0...v5.19.1> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODYuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>
1 parent dea06d4 commit 2aa0bee

2 files changed

Lines changed: 3 additions & 3 deletions

File tree

website/hack/generate-cli-docs/go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -134,7 +134,7 @@ require (
134134
github.com/go-errors/errors v1.5.1 // indirect
135135
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
136136
github.com/go-git/go-billy/v5 v5.9.0 // indirect
137-
github.com/go-git/go-git/v5 v5.19.0 // indirect
137+
github.com/go-git/go-git/v5 v5.19.1 // indirect
138138
github.com/go-ini/ini v1.67.0 // indirect
139139
github.com/go-jose/go-jose/v4 v4.1.4 // indirect
140140
github.com/go-logr/logr v1.4.3 // indirect

website/hack/generate-cli-docs/go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -398,8 +398,8 @@ github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmm
398398
github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
399399
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
400400
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
401-
github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
402-
github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
401+
github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
402+
github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
403403
github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
404404
github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
405405
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=

0 commit comments

Comments
 (0)