Skip to content

Commit 2040de6

Browse files
steveukxsteveukx
committed
Prevent use of --upload-pack as a command in git.clone to avoid potential accidental command execution.
1 parent 9bf9baa commit 2040de6

3 files changed

Lines changed: 51 additions & 16 deletions

File tree

.changeset/wicked-files-vanish.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"simple-git": minor
3+
---
4+
5+
Resolves potential command injection vulnerability by preventing use of `--upload-pack` in `git.clone`

simple-git/src/lib/tasks/clone.ts

Lines changed: 18 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,9 @@
1-
import { straightThroughStringTask } from './task';
1+
import { configurationErrorTask, EmptyTask, straightThroughStringTask } from './task';
22
import { OptionFlags, Options, StringTask } from '../types';
3-
import { append } from '../utils';
3+
import { append, filterString } from '../utils';
44

55
export type CloneOptions = Options &
6-
OptionFlags<
7-
'--bare' |
6+
OptionFlags<'--bare' |
87
'--dissociate' |
98
'--mirror' |
109
'--no-checkout' |
@@ -15,25 +14,30 @@ export type CloneOptions = Options &
1514
'--remote-submodules' |
1615
'--single-branch' |
1716
'--shallow-submodules' |
18-
'--verbose'
19-
> &
17+
'--verbose'> &
2018
OptionFlags<'--depth' | '-j' | '--jobs', number> &
2119
OptionFlags<'--branch' | '--origin' | '--recurse-submodules' | '--separate-git-dir' | '--shallow-exclude' | '--shallow-since' | '--template', string>
2220

23-
export function cloneTask(repo: string | undefined, directory: string | undefined, customArgs: string[]): StringTask<string> {
21+
function disallowedCommand(command: string) {
22+
return /^--upload-pack(=|$)/.test(command);
23+
}
24+
25+
export function cloneTask(repo: string | undefined, directory: string | undefined, customArgs: string[]): StringTask<string> | EmptyTask {
2426
const commands = ['clone', ...customArgs];
25-
if (typeof repo === 'string') {
26-
commands.push(repo);
27-
}
28-
if (typeof directory === 'string') {
29-
commands.push(directory);
27+
28+
filterString(repo) && commands.push(repo);
29+
filterString(directory) && commands.push(directory);
30+
31+
const banned = commands.find(disallowedCommand);
32+
if (banned) {
33+
return configurationErrorTask(`git.fetch: potential exploit argument blocked.`);
3034
}
3135

3236
return straightThroughStringTask(commands);
3337
}
3438

35-
export function cloneMirrorTask(repo: string | undefined, directory: string | undefined, customArgs: string[]): StringTask<string> {
36-
append(customArgs,'--mirror');
39+
export function cloneMirrorTask(repo: string | undefined, directory: string | undefined, customArgs: string[]) {
40+
append(customArgs, '--mirror');
3741

3842
return cloneTask(repo, directory, customArgs);
3943
}

simple-git/test/unit/clone.spec.ts

Lines changed: 28 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
1+
import { promiseError } from '@kwsites/promise-result';
12
import { SimpleGit, TaskOptions } from 'typings';
2-
import { assertExecutedCommands, closeWithSuccess, newSimpleGit } from './__fixtures__';
3+
import { assertExecutedCommands, assertGitError, closeWithSuccess, newSimpleGit } from './__fixtures__';
34

45
describe('clone', () => {
56
let git: SimpleGit;
@@ -15,7 +16,7 @@ describe('clone', () => {
1516

1617
beforeEach(() => git = newSimpleGit());
1718

18-
it.each(cloneTests)('callbacks - %s %s', async (api, name, cloneArgs, executedCommands)=> {
19+
it.each(cloneTests)('callbacks - %s %s', async (api, name, cloneArgs, executedCommands) => {
1920
const callback = jest.fn();
2021
const queue = (git[api] as any)(...cloneArgs, callback);
2122
await closeWithSuccess(name);
@@ -32,5 +33,30 @@ describe('clone', () => {
3233
expect(await queue).toBe(name);
3334
assertExecutedCommands(...executedCommands);
3435
});
36+
37+
describe('failures', () => {
38+
39+
it('disallows upload-pack as remote/branch', async () => {
40+
const error = await promiseError(git.clone('origin', '--upload-pack=touch ./foo'));
41+
42+
assertGitError(error, 'potential exploit argument blocked');
43+
});
44+
45+
it('disallows upload-pack as varargs', async () => {
46+
const error = await promiseError(git.clone('origin', 'main', {
47+
'--upload-pack': 'touch ./foo'
48+
}));
49+
50+
assertGitError(error, 'potential exploit argument blocked');
51+
});
52+
53+
it('disallows upload-pack as varargs', async () => {
54+
const error = await promiseError(git.clone('origin', 'main', [
55+
'--upload-pack', 'touch ./foo'
56+
]));
57+
58+
assertGitError(error, 'potential exploit argument blocked');
59+
});
60+
});
3561
});
3662

0 commit comments

Comments
 (0)