GHSA-23f7-99jx-m54r

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-23f7-99jx-m54r/GHSA-23f7-99jx-m54r.json
Aliases
  • CVE-2020-26222
Published
2020-11-13T15:47:50Z
Modified
2023-05-16T16:16:36.014755Z
Details

Impact

Remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.

For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.

When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:

git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path

Dependabot will always clone the source repository for go_modules during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher class from dependabot-common.

source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: "/$({curl,127.0.0.1})",
)

repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
                  new(source: source, credentials: [],
                  repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents

Patches

The fix was applied to version 0.125.1: https://github.com/dependabot/dependabot-core/pull/2727

Workarounds

Escape the branch name prior to passing it to the Dependabot::Source class.

For example using shellwords:

require "shellwords"
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: branch,
)
References

Affected packages

RubyGems / dependabot-omnibus

dependabot-omnibus

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.119.0.beta1
Fixed
0.125.1

Affected versions

0.*

0.119.0
0.119.0.beta1
0.119.1
0.119.2
0.119.3
0.119.4
0.119.5
0.119.6
0.120.0
0.120.1
0.120.2
0.120.3
0.120.4
0.120.5
0.121.0
0.121.1
0.122.0
0.122.1
0.123.0
0.123.1
0.124.0
0.124.1
0.124.2
0.124.3
0.124.4
0.124.5
0.124.6
0.124.7
0.124.8
0.125.0

RubyGems / dependabot-common

dependabot-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.119.0.beta1
Fixed
0.125.1

Affected versions

0.*

0.119.0
0.119.0.beta1
0.119.1
0.119.2
0.119.3
0.119.4
0.119.5
0.119.6
0.120.0
0.120.1
0.120.2
0.120.3
0.120.4
0.120.5
0.121.0
0.121.1
0.122.0
0.122.1
0.123.0
0.123.1
0.124.0
0.124.1
0.124.2
0.124.3
0.124.4
0.124.5
0.124.6
0.124.7
0.124.8
0.125.0