CVE-2020-26222.yml
---
gem: dependabot-common
cve: 2020-26222
ghsa: 23f7-99jx-m54r
url: https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r
date: 2020-11-13
title: Remote code execution in dependabot-core branch names when cloning
description: |
  ### Impact
  Remote code execution vulnerability in `dependabot-common` and
  `dependabot-go_modules` when a source branch name contains malicious
  injectable bash code.
  For example, if Dependabot is configured to use the following source branch
  name: `"/$({curl,127.0.0.1})"`, Dependabot will make an HTTP request to the
  following URL: 127.0.0.1 when cloning the source repository.
  When Dependabot is configured to clone the source repository during an update,
  Dependabot runs a shell command to git clone the repository:
  ```bash
  git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path
  ```
  Dependabot will always clone the source repository for `go_modules` during the
  file fetching step and can be configured to clone the repository for other
  package managers using the `FileFetcher` class from `dependabot-common`.
  ```ruby
  source = Dependabot::Source.new(
    provider: "github",
    repo: "repo/name",
    directory: "/",
    branch: "/$({curl,127.0.0.1})",
  )
  repo_contents_path = "./file/path"
  fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
    new(source: source, credentials: [],
        repo_contents_path: repo_contents_path)
  fetcher.clone_repo_contents
  ```
  ### Workarounds
  Escape the branch name prior to passing it to the `Dependabot::Source` class.
  For example, using `shellwords`:
  ```ruby
  require "shellwords"
  branch = Shellwords.escape("/$({curl,127.0.0.1})")
  source = Dependabot::Source.new(
    provider: "github",
    repo: "repo/name",
    directory: "/",
    branch: branch,
  )
  ```
cvss_v3: 8.7
patched_versions:
  - ">= 0.125.1"
unaffected_versions:
  - "< 0.119.0.beta1"
related:
  url:
    - https://github.com/dependabot/dependabot-core/pull/2727
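The advisory's Workarounds section shows the `Shellwords.escape` fix in isolation. As an added example that is not part of the advisory or of dependabot-core, the following Ruby places the vulnerable string interpolation beside two hardened forms (escaping, and an argv array that never touches a shell) plus a coarse branch-name sanity check; `SAMPLE_REPO_URL`, `plausible_branch_name?` and `shell_sees_substitution?` are constructed for this illustration and are not dependabot APIs.

```ruby
require "shellwords"

# Constructed sample values: the branch name is the one quoted in the advisory,
# the repository URL is a placeholder.
MALICIOUS_BRANCH = "/$({curl,127.0.0.1})".freeze
SAMPLE_REPO_URL  = "https://github.com/example/repo.git".freeze

# Vulnerable pattern: untrusted input is interpolated into one string that is
# handed to a shell, so `$(...)` is expanded before git ever sees the argument.
def clone_command_unsafe(branch, repo_url)
  "git clone --no-tags --depth=1 --branch=#{branch} --single-branch #{repo_url} repo/contents/path"
end

# Hardened form 1 (the advisory's workaround): escape each untrusted token with
# Shellwords so the shell passes it through literally.
def clone_command_escaped(branch, repo_url)
  "git clone --no-tags --depth=1 --branch=#{Shellwords.escape(branch)} " \
    "--single-branch #{Shellwords.escape(repo_url)} repo/contents/path"
end

# Hardened form 2: build an argv array for Kernel#system / Open3 multi-argument
# form; no shell is involved, so there is nothing to inject into.
def clone_argv(branch, repo_url)
  ["git", "clone", "--no-tags", "--depth=1", "--branch=#{branch}",
   "--single-branch", repo_url, "repo/contents/path"]
end

# Defence in depth: reject names that cannot be a git branch at all. This is a
# simplified subset of git's check-ref-format rules, not the full specification.
def plausible_branch_name?(name)
  return false if name.empty? || name.start_with?("/") || name.end_with?("/", ".lock")
  return false if name.include?("..") || name.include?("@{") || name.include?("//")
  return false if name.match?(/[\x00-\x20\x7f~^:?*\[\\]/)
  true
end

# Regression check for the unsafe path: does the finished command line still
# contain an unescaped `$` or backtick that a shell would expand?
def shell_sees_substitution?(cmdline)
  cmdline.match?(/(?<!\\)[$`]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{clone_command_unsafe(MALICIOUS_BRANCH, SAMPLE_REPO_URL)}"
  puts "escaped: #{clone_command_escaped(MALICIOUS_BRANCH, SAMPLE_REPO_URL)}"
  puts "argv:    #{clone_argv(MALICIOUS_BRANCH, SAMPLE_REPO_URL).inspect}"
end
```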