Proof of concept
25 Apr 2022
11 Mar 2022
Alessio Della Libera of Snyk Research Team
How to fix?
Upgrade czproject/git-php to version 4.0.3 or higher.
czproject/git-php is a library for working with Git repositories in PHP.
Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that allows additional git flags to be set. These additional flags can be used to perform a command injection.
```php
<?php
require('./vendor/autoload.php');

$git = new CzProject\GitPhp\Git;

// The "URL" is passed straight to `git ls-remote`, which parses it as an option.
$url = "--upload-pack=touch ./HELLO";
$git->isRemoteUrlReadable($url, ["refs"]);
?>
```
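As an added example (not part of the Snyk advisory and not the git-php project's own code), the following hardened wrapper shows how a caller or library can close this class of bug: refuse any URL or ref that looks like a git option, hand git an argv array instead of a shell string, and terminate option parsing explicitly so git treats what follows as positional arguments. The function names assertNotOptionLike, runGit and remoteIsReadable are hypothetical; it assumes PHP 7.4 or newer (array form of proc_open) and a git binary on PATH that understands --end-of-options (git 2.24 or newer). Note that escapeshellarg() alone would not have helped here: the payload is already a single argument, and the injection happens inside git's own option parsing, not in the shell.

```php
<?php
declare(strict_types=1);

/**
 * Reject any caller-supplied value that git could interpret as an option.
 * Values beginning with "-" (for example the advisory's "--upload-pack=...")
 * are refused before any process is spawned.
 */
function assertNotOptionLike(string $value, string $name): void
{
    if ($value === '' || $value[0] === '-') {
        throw new InvalidArgumentException(
            "$name must be non-empty and must not start with '-', got " . var_export($value, true)
        );
    }
}

/**
 * Run git with an argv array (no shell involved) and return its exit status.
 * stdin is /dev/null and GIT_TERMINAL_PROMPT=0 so an unreachable or private
 * remote fails fast instead of blocking on a credential prompt.
 */
function runGit(array $args): int
{
    $argv = array_merge(['git'], $args);
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $env  = array_merge(getenv(), ['GIT_TERMINAL_PROMPT' => '0']);
    $proc = proc_open($argv, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        return 1;
    }
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

/**
 * Hardened equivalent of the isRemoteUrlReadable($url, $refs) pattern:
 *   1. every caller-supplied value is checked with assertNotOptionLike();
 *   2. arguments travel as an argv array, so the shell never splits or expands them;
 *   3. "--end-of-options" (assumed: git >= 2.24) ends option parsing, so anything
 *      after it is a positional <repository> or <pattern> even if step 1 were bypassed.
 * Returns true when `git ls-remote` exits with status 0.
 */
function remoteIsReadable(string $url, ?array $refs = null): bool
{
    assertNotOptionLike($url, 'url');
    $args = ['ls-remote', '--end-of-options', $url];
    foreach ($refs ?? [] as $ref) {
        $ref = (string) $ref;
        assertNotOptionLike($ref, 'ref');
        $args[] = $ref;
    }
    return runGit($args) === 0;
}

// Demonstration 1: the advisory's payload is rejected before git is ever started.
try {
    remoteIsReadable('--upload-pack=touch ./HELLO', ['refs']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Demonstration 2: a legitimate local repository (constructed here as an empty
// bare repo in the temp directory) is still reported readable, a missing path is not.
$repo = sys_get_temp_dir() . '/argcheck-' . bin2hex(random_bytes(4)) . '.git';
runGit(['init', '--bare', '--quiet', $repo]);
var_dump(remoteIsReadable($repo, ['refs/heads/*']));
var_dump(remoteIsReadable($repo . '-does-not-exist'));
```

The leading-dash check is the part that matters for callers stuck on an old library version: it can be applied in front of the existing isRemoteUrlReadable() call today, and it also blocks option-shaped refs such as "--upload-pack=..." supplied through the second parameter. The end-of-options marker is defence in depth for the case where a value is validated elsewhere and the check is later removed.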