Deps.rs

gix-ref 0.41.0

[![dependency status](https://deps.rs/crate/gix-ref/0.41.0/status.svg)](https://deps.rs/crate/gix-ref/0.41.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate gix-ref

Dependencies

(16 total, 6 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 document-features^0.2.10.2.10up to date
 gix-actor^0.30.00.31.5out of date
 gix-date^0.8.30.8.7up to date
 gix-features^0.38.00.38.2up to date
 gix-fs ⚠️^0.10.00.11.2out of date
 gix-hash^0.14.10.14.2up to date
 gix-lock^13.0.014.0.0out of date
 gix-object^0.41.00.42.3out of date
 gix-path ⚠️^0.10.40.10.9maybe insecure
 gix-tempfile^13.0.014.0.1out of date
 gix-utils^0.1.90.1.12up to date
 gix-validate^0.8.30.8.5up to date
 memmap2^0.9.00.9.4up to date
 serde^1.0.1141.0.204up to date
 thiserror^1.0.341.0.63up to date
 winnow^0.5.240.6.16out of date

Security Vulnerabilities

gix-fs: Traversal outside working tree enables arbitrary code execution

RUSTSEC-2024-0350

Summary

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

Details

Although gix-worktree-state checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs and gix-worktree prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git directory. The simplest cases are:

  • A tree named .. to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
  • A tree named .git to enter a .git directory. This facilitates arbitrary code execution because hooks can be installed.

A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:

  • A tree or blob whose name contains one or more /, to traverse upward or downward. For example, even without containing any tree named .. or .git, a repository can represent a file named ../outside or .git/hooks/pre-commit. This is distinct from the more intuitive case a repository containing trees that represent those paths.
  • In Windows, a tree or blob whose name contains one or more \, to traverse upward or downward. (Unlike /, these are valid on other systems.) See GHSA-xjx4-8694-q2fq.
  • On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of .git.
  • On HFS+, a tree named like .git or a case variant, with characters added that HFS+ ignores in collation. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
  • On NTFS, a tree equivalent to .git (or a case variant) by the use of NTFS stream notation, such as .git::$INDEX_ALLOCATION. See GHSA-5wph-8frv-58vj.
  • On an NTFS volume with 8.3 aliasing enabled, a tree named as git~1 (or a case variant). See GHSA-589j-mmg9-733v.

When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.

PoC

For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed supports -i, which is the case on most systems. If using Windows, a Git Bash shell should be used.

Example: Downward traversal to install hooks

  1. Create a new repository with git init dangerous-repo-installs-hook and cd into the directory.
  2. Create the stand-in called .git@hooks@pre-commit, with the contents: 
    #!/bin/sh
printf 'Vulnerable!\n'
date >vulnerable
  3. Stage the stand-in: git add --chmod=+x .git@hooks@pre-commit
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, on another or the same machine:

  1. Clone the repository with a gix clone … command.
  2. Enter the newly created directory.
  3. Optionally run ls -l .git/hooks to observe that the pre-commit hook is already present.
  4. Make a new file and commit it with git. This causes the payload surreptitiously installed as a pre-commit hook to run, printing the message Vulnerable! and creating a file in the current directory containing the current date and time.

Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit is capable of.

Example: Upward traversal to create a file above the working tree

  1. Create a new repository with git init dangerous-repo-reaches-up, and cd into the directory.
  2. Create the stand-in: echo 'A file outside the working tree, somehow.' >..@outside
  3. Stage the stand-in: git add ..@outside
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, as above, on the same or another machine, clone the repository with a gix clone … command. Observe that a file named outside is present alongside (not inside) the cloned directory.

Impact

Any use of gix or another application that makes use of gix-worktree-state, or otherwise relies on gix-fs and gix-worktree for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.

In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.

gix-path: gix-path can use a fake program files location

RUSTSEC-2024-0355

Summary

When looking for Git for Windows so it can run it to report its paths, gix-path can be tricked into running another git.exe placed in an untrusted location by a limited user account.

Details

Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While gix-path first looks for git using a PATH search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:

/// Other places to find Git in.
#[cfg(windows)]
pub(super) static ALTERNATIVE_LOCATIONS: &[&str] = &[
    "C:/Program Files/Git/mingw64/bin",
    "C:/Program Files (x86)/Git/mingw32/bin",
];

Existing functions, as well as the newly introduced exe_invocation function, were updated to make use of these alternative locations. This causes facilities in gix_path::env to directly execute git.exe in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.

Although unusual setups where the system drive is not C:, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no C:\Program Files (x86) directory.

A limited user on a 32-bit Windows system can therefore create the C:\Program Files (x86) directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses gix-path and do not have git in a PATH directory.

(While having git found in a PATH search prevents exploitation, merely having it installed in the default location under the real C:\Program Files directory does not. This is because the first hard-coded path's mingw64 component assumes a 64-bit installation.)

PoC

On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:

  1. Create a limited user account in lusrmgr.msc or the Settings application.
  2. Log in with that account and, using Windows Explorer or the mkdir command in PowerShell, create the directories C:\Program Files (x86)\Git\mingw32\bin. Although a limited user account cannot create regular files directly in C:\, it can create directories including one called Program Files (x86).
  3. Place a copy of C:\Windows\system32\calc.exe in C:\Program Files (x86)\Git\mingw32\bin and rename it from calc.exe to git.exe. A different test payload may be used if preferred, and the executable need not already be signed or trusted.
  4. Log out, and log in as a different user. This user may be an administrator.
  5. If gitoxide is not installed, install it. If cargo install gitoxide is used for the installation, then the version of gix-path used in the installation can be observed.
  6. The vulnerability is only exploitable if git cannot be found in a PATH search. So, in PowerShell, run gcm git to check if git is present in the PATH. If so, temporarily remove it. One way to do this is for the current shell only, by running $env:PATH to inspect it and by assigning $env:PATH = '...' where ... omits directories that contain git.
  7. Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try gix clone foo or, inside of a repository, gix status, gix config, gix is-changed, gix fetch, ein t hours, or ein t query. This is not exhaustive; most other gix and ein commands that access existing repository state or a network resource likewise run the payload.

Impact

Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses gix-path and must not have git in its PATH.

The main exploitable configuration is one where Git for Windows has been installed but not added to PATH. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its PATH to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a PATH in which the real git.exe can be found, then this cannot be exploited.

This vulnerability is comparable to CVE-2022-24765, in which an uncontrolled path like C:\.git\config, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.