Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-PYTHON-GITPYTHON-3113858
- published 5 Dec 2022
- disclosed 13 Nov 2022
- credit Sam Wheating
How to fix?
GitPython to version 3.1.30 or higher.
GitPython is a python library used to interact with Git repositories
Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments. This is only relevant when enabling the
ext transport protocol.
from git import Repo r = Repo.init('', bare=True) r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])