Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Alias command injection #306

Merged
merged 4 commits into from
Mar 12, 2022
Merged

Alias command injection #306

merged 4 commits into from
Mar 12, 2022

Conversation

tony
Copy link
Member

@tony tony commented Mar 12, 2022
edited
Loading 

create_repo(
   url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
)

Credit: Alessio Della Libera alessio.dellalibera@snyk.io via Snyk

@codecov
Copy link

codecov bot commented Mar 12, 2022
edited
Loading

Codecov Report

Merging #306 (66640ae) into master (96d2ada) will increase coverage by 0.13%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #306      +/-   ##
==========================================
+ Coverage   86.41%   86.55%   +0.13%     
==========================================
  Files          15       15              
  Lines         810      818       +8     
==========================================
+ Hits          700      708       +8     
  Misses        110      110
Impacted Files Coverage Δ
libvcs/hg.py 100.00% <100.00%> (ø)
tests/test_hg.py 97.56% <100.00%> (+0.59%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 96d2ada...66640ae. Read the comment docs.

tony added 3 commits March 12, 2022 09:55
@tony
tests(hg): Check for URL command injection vuln
c8a2ca6
@tony
fix(hg): Command injection vulnerability in URLs via alias
3f4e93e 
> create_repo(
>    url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
> )

Credit: Alessio Della Libera <alessio.dellalibera@snyk.io> via Snyk
@tony
docs(CHANGES): Note vulnerability fix
66640ae
@tony tony merged commit 7179656 into master Mar 12, 2022
tony added a commit to vcs-python/vcspull that referenced this pull request Mar 12, 2022
@tony
build(deps): Bump libvcs 0.11.0 -> 0.11.1 for hg URL vuln
e1b7712 
See also:
- https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES#libvcs-0111-2022-03-12
- vcs-python/libvcs#306
@tony tony deleted the hg-vuln branch March 15, 2022 03:05
@tony tony restored the hg-vuln branch April 2, 2022 11:12
@tony tony deleted the hg-vuln branch April 2, 2022 11:12
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tony