GHSA-wfm5-v35h-vwf4

Source

https://github.com/advisories/GHSA-wfm5-v35h-vwf4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-wfm5-v35h-vwf4/GHSA-wfm5-v35h-vwf4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wfm5-v35h-vwf4

Aliases

Published

2023-08-29T23:33:53Z

Modified

2024-09-20T20:25:07.668823Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

GitPython untrusted search path on Windows systems leading to arbitrary code execution

Details

Summary

When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.

Details

This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.

The execution of the git command happens in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

python -c "import git"

The git executable from the current directory will be run.

Impact

An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.

Possible solutions

Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation).
Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
Resolve the executable manually by only looking into the PATH environment variable (suggested by @Byron)

[!NOTE] This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.

References

Affected packages

PyPI / gitpython

Package

Name: gitpython; View open source insights on deps.dev
Purl: pkg:pypi/gitpython

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.33

Affected versions

0.*

0.1.7

0.2.0-beta1

0.3.0-beta1

0.3.0-beta2

0.3.1-beta2

0.3.2.RC1

0.3.2

0.3.2.1

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

1.*

1.0.0

1.0.1

1.0.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9.dev0

2.0.9.dev1

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

3.1.29

3.1.30

3.1.31

3.1.32

Database specific

{
    "last_known_affected_version_range": "<= 3.1.32"
}