GHSA-23f7-99jx-m54r

Suggest an improvement
Source
https://github.com/advisories/GHSA-23f7-99jx-m54r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-23f7-99jx-m54r/GHSA-23f7-99jx-m54r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-23f7-99jx-m54r
Aliases
Related
Published
2020-11-13T15:47:50Z
Modified
2024-02-16T08:22:23.928013Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Remote code execution in dependabot-core branch names when cloning
Details

Impact

Remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.

For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.

When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:

git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path

Dependabot will always clone the source repository for go_modules during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher class from dependabot-common.

source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: "/$({curl,127.0.0.1})",
)

repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
                  new(source: source, credentials: [],
                  repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents

Patches

The fix was applied to version 0.125.1: https://github.com/dependabot/dependabot-core/pull/2727

Workarounds

Escape the branch name prior to passing it to the Dependabot::Source class.

For example using shellwords:

require "shellwords"
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: branch,
)
Database specific 
{
    "nvd_published_at": "2020-11-13T16:15:18Z",
    "severity": "HIGH",
    "github_reviewed_at": "2020-11-13T15:47:18Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

RubyGems / dependabot-omnibus

Package

Name
dependabot-omnibus
Purl
pkg:gem/dependabot-omnibus

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.119.0.beta1
Fixed
0.125.1

Affected versions

0.*

0.119.0.beta1
0.119.0
0.119.1
0.119.2
0.119.3
0.119.4
0.119.5
0.119.6
0.120.0
0.120.1
0.120.2
0.120.3
0.120.4
0.120.5
0.121.0
0.121.1
0.122.0
0.122.1
0.123.0
0.123.1
0.124.0
0.124.1
0.124.2
0.124.3
0.124.4
0.124.5
0.124.6
0.124.7
0.124.8
0.125.0

RubyGems / dependabot-common

Package

Name
dependabot-common
Purl
pkg:gem/dependabot-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.119.0.beta1
Fixed
0.125.1

Affected versions

0.*

0.119.0.beta1
0.119.0
0.119.1
0.119.2
0.119.3
0.119.4
0.119.5
0.119.6
0.120.0
0.120.1
0.120.2
0.120.3
0.120.4
0.120.5
0.121.0
0.121.1
0.122.0
0.122.1
0.123.0
0.123.1
0.124.0
0.124.1
0.124.2
0.124.3
0.124.4
0.124.5
0.124.6
0.124.7
0.124.8
0.125.0