Synopsis:
python-GitPython security update
Summary:
An update for python-GitPython is now available for openEuler-24.03-LTS
Description:
GitPython is a python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing.
Security Fix(es):
GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False.
GitPython explicitly treats helper-command options as unsafe because they can be used to execute arbitrary commands:
git/repo/base.py:145-153 marks clone options such as --upload-pack, -u, --config, and -c as unsafe.
git/remote.py:535-548 marks fetch/pull/push options such as --upload-pack, --receive-pack, and --exec as unsafe.
The vulnerable API paths check the raw kwarg names before they are normalized into command-line flags:
Repo.clone_from() checks list(kwargs.keys()) in git/repo/base.py:1387-1390
Remote.fetch() checks list(kwargs.keys()) in git/remote.py:1070-1071
Remote.pull() checks list(kwargs.keys()) in git/remote.py:1124-1125
Remote.push() checks list(kwargs.keys()) in git/remote.py:1197-1198
That validation is performed by Git.check_unsafe_options() in git/cmd.py:948-961. The validator correctly blocks option names such as upload-pack, receive-pack, and exec.
Later, GitPython converts Python kwargs into Git command-line flags in Git.transform_kwarg() at git/cmd.py:1471-1484. During that step, underscore-form kwargs are dashified:
upload_pack=... becomes --upload-pack=...
receive_pack=... becomes --receive-pack=...
Because the...
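As an added illustration (not GitPython's own code), the following shows why validating raw kwarg names misses upload_pack while the dashed form is caught, and how normalizing each name to the flag it will become closes the gap; the option list mirrors the fetch/pull/push set named above, and the function names and sample input are this example's own.

```python
# Illustration of the kwarg-name vs. command-line-flag mismatch described above.
# Not GitPython's code: dashify, flawed_check, hardened_check and validate_kwargs
# are names chosen for this example.
UNSAFE_FETCH_OPTIONS = ("--upload-pack", "--receive-pack", "--exec")


def dashify(name: str) -> str:
    """Underscore-form kwarg -> dashed option name (upload_pack -> upload-pack)."""
    return name.replace("_", "-")


def option_is_unsafe(option: str, unsafe_options=UNSAFE_FETCH_OPTIONS) -> bool:
    """Match the flag form (--upload-pack, --upload-pack=x) or the bare form (upload-pack)."""
    for unsafe in unsafe_options:
        bare = unsafe.lstrip("-")
        if option.startswith(unsafe) or option == bare:
            return True
    return False


def flawed_check(kwargs: dict) -> list:
    """Validate raw kwarg names. 'upload_pack' never equals 'upload-pack', so it slips through."""
    return [k for k in kwargs if option_is_unsafe(k)]


def hardened_check(kwargs: dict) -> list:
    """Normalize every kwarg to the option name it will become, then validate that."""
    return [k for k in kwargs if option_is_unsafe(dashify(k))]


def validate_kwargs(kwargs: dict, allow_unsafe_options: bool = False) -> None:
    """Defender-side guard: reject unsafe kwargs before any git command line is built."""
    if allow_unsafe_options:
        return
    bad = hardened_check(kwargs)
    if bad:
        raise ValueError(f"unsafe option(s) passed as kwargs: {bad}")


if __name__ == "__main__":
    # Constructed sample input: one harmless option and one underscore-form unsafe one.
    sample_kwargs = {"depth": 1, "upload_pack": "<placeholder>"}
    print("flawed check flags  :", flawed_check(sample_kwargs))    # []
    print("hardened check flags:", hardened_check(sample_kwargs))  # ['upload_pack']
```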
3.1.49-1.oe2403
Exploitability:
AV:N AC:L PR:L UI:N
Scope:
S:U
Impact:
C:H I:H A:H
8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H