GHSA-57q7-rxqq-7vgp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-57q7-rxqq-7vgp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-57q7-rxqq-7vgp/GHSA-57q7-rxqq-7vgp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-57q7-rxqq-7vgp
- Aliases
- Published
- 2022-02-15T01:57:18Z
- Modified
- 2024-08-21T15:42:04.991517Z
- Summary
- On Windows, `git-sizer` might run a `git` executable within the repository being analyzed
- Details
-
Impact
On Windows, if
git-sizeris run against a non-bare repository, and that repository has an executable calledgit.exe,git.bat, etc., then that executable might be run bygit-sizerrather than the systemgitexecutable. An attacker could try to use social engineering to get a victim to rungit-sizeragainst a hostile repository and thereby get the victim to run arbitrary code.On Linux or other Unix-derived platforms, a similar problem could occur if the user's
PATHhas the current directory before the path to the standardgitexecutable, but this is would be a very unusual configuration that has been known for decades to lead to all kinds of security problems.Patches
Users should update to git-sizer v1.4.0
Workarounds
If you are on Windows, then either * Don't run
git-sizeragainst a repository that might contain hostile code, or, if you must… * Rungit-sizeragainst a bare clone of the hostile repository, or, if that is not possible… * Make sure that the hostile repository doesn't have an executable in its top-level directory before runninggit-sizer.If you are on Linux or other Unix-based system, then (for myriad reasons!) don't add the current directory to your
PATH.References
For more information
If you have any questions or comments about this advisory: * Open an issue in the
git-sizerproject. * Email us at GitHub support. - Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-18T21:39:10Z" }- References
Affected packages
Go / github.com/github/git-sizer
Package
- Name
- github.com/github/git-sizer
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/github/git-sizer