Commit 8ca305b
authored
fix(server): reject code-executing git transports in the repo remote route (#126)
POST /api/repo/remote passed the remote url straight to
git remote add/set-url origin <url> in an attacker-chosen directory. Git's
ext::/fake:: helper transports run shell commands, and a leading '-' allows
argument injection — so an allowed-origin page could set the origin to
ext::sh -c '...' and a later push/fetch would execute it.
Validate the url (assertSafeRemoteUrl: only http(s)/ssh/git@ schemes; reject
ext::/fake:: and leading '-'), and harden the git spawn env with
protocol.ext.allow=never / protocol.fake.allow=never as defense in depth. (#4)1 parent be5573c commit 8ca305b
2 files changed
Lines changed: 58 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
23 | 23 | | |
24 | 24 | | |
25 | 25 | | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
26 | 38 | | |
27 | 39 | | |
28 | 40 | | |
29 | 41 | | |
30 | 42 | | |
31 | | - | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
32 | 54 | | |
33 | 55 | | |
34 | 56 | | |
| |||
165 | 187 | | |
166 | 188 | | |
167 | 189 | | |
168 | | - | |
169 | | - | |
| 190 | + | |
170 | 191 | | |
171 | 192 | | |
172 | 193 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
0 commit comments