Deps.rs

gix-worktree-stream 0.9.0

[![dependency status](https://deps.rs/crate/gix-worktree-stream/0.9.0/status.svg)](https://deps.rs/crate/gix-worktree-stream/0.9.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate gix-worktree-stream

Dependencies

(10 total, 4 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 gix-attributes^0.22.00.22.5up to date
 gix-features^0.38.00.38.2up to date
 gix-filter^0.9.00.13.0out of date
 gix-fs ⚠️^0.10.00.11.3out of date
 gix-hash^0.14.10.14.2up to date
 gix-object^0.41.00.44.0out of date
 gix-path ⚠️^0.10.40.10.11maybe insecure
 gix-traverse^0.37.00.41.0out of date
 parking_lot^0.12.10.12.3up to date
 thiserror^1.0.261.0.63up to date

Security Vulnerabilities

gix-fs: Traversal outside working tree enables arbitrary code execution

RUSTSEC-2024-0350

Summary

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

Details

Although gix-worktree-state checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs and gix-worktree prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git directory. The simplest cases are:

  • A tree named .. to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
  • A tree named .git to enter a .git directory. This facilitates arbitrary code execution because hooks can be installed.

A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:

  • A tree or blob whose name contains one or more /, to traverse upward or downward. For example, even without containing any tree named .. or .git, a repository can represent a file named ../outside or .git/hooks/pre-commit. This is distinct from the more intuitive case a repository containing trees that represent those paths.
  • In Windows, a tree or blob whose name contains one or more \, to traverse upward or downward. (Unlike /, these are valid on other systems.) See GHSA-xjx4-8694-q2fq.
  • On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of .git.
  • On HFS+, a tree named like .git or a case variant, with characters added that HFS+ ignores in collation. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
  • On NTFS, a tree equivalent to .git (or a case variant) by the use of NTFS stream notation, such as .git::$INDEX_ALLOCATION. See GHSA-5wph-8frv-58vj.
  • On an NTFS volume with 8.3 aliasing enabled, a tree named as git~1 (or a case variant). See GHSA-589j-mmg9-733v.

When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.

PoC

For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed supports -i, which is the case on most systems. If using Windows, a Git Bash shell should be used.

Example: Downward traversal to install hooks

  1. Create a new repository with git init dangerous-repo-installs-hook and cd into the directory.
  2. Create the stand-in called .git@hooks@pre-commit, with the contents: 
    #!/bin/sh
printf 'Vulnerable!\n'
date >vulnerable
  3. Stage the stand-in: git add --chmod=+x .git@hooks@pre-commit
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, on another or the same machine:

  1. Clone the repository with a gix clone … command.
  2. Enter the newly created directory.
  3. Optionally run ls -l .git/hooks to observe that the pre-commit hook is already present.
  4. Make a new file and commit it with git. This causes the payload surreptitiously installed as a pre-commit hook to run, printing the message Vulnerable! and creating a file in the current directory containing the current date and time.

Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit is capable of.

Example: Upward traversal to create a file above the working tree

  1. Create a new repository with git init dangerous-repo-reaches-up, and cd into the directory.
  2. Create the stand-in: echo 'A file outside the working tree, somehow.' >..@outside
  3. Stage the stand-in: git add ..@outside
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, as above, on the same or another machine, clone the repository with a gix clone … command. Observe that a file named outside is present alongside (not inside) the cloned directory.

Impact

Any use of gix or another application that makes use of gix-worktree-state, or otherwise relies on gix-fs and gix-worktree for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.

In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.

gix-path: gix-path uses local config across repos when it is the highest scope

RUSTSEC-2024-0367

Summary

gix-path executes git to find the path of a configuration file that belongs to the git installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository's remote.

Details

In gix_path::env, the underlying implementation of the installation_config and installation_config_prefix functions calls git config -l --show-origin and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest scope:

https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91

https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L112

While the configuration variable of highest scope is not usually in the local scope, there are practical situations where this occurs:

  • A configuration file truly associated with the installation is not present on all systems and can occasionally be empty. Likewise, there may be no variables in the global scope.
  • Configuration files associated with those higher scopes may be deliberately skipped by setting the GIT_CONFIG_SYSTEM and GIT_CONFIG_GLOBAL environment variables to /dev/null (or to NUL on Windows). This prevents gix-path from finding the path of configuration files for those scopes, while not preventing downstream components such as the function in gix-config from reporting a local path as being associated with the installation.
  • The GIT_CONFIG_NOSYSTEM environment variable can be used to disable configuration associated with the installation. (GIT_CONFIG_NOSYSTEM=1 is more powerful than GIT_CONFIG_SYSTEM=/dev/null on systems where an additional "unknown" scope is associated with the installation, as occurs on macOS with Apple Git.) This will cause the local scope to be the highest nonempty scope under even more situations, though in practice it is less dangerous because most, though possibly not all, downstream components would disregard the value.

A user may use either or both of the latter two techniques to turn off an undesired configuration or to create a more replicable environment. Such a user would expect that this results in a more controlled configuration.

Often, when located inside one repository, a user performs operations on that repository or that are not specific to any repository. In such use, local configuration is typically desired or at least acceptable, and mistaking it as coming from another scope is not typically harmful.

However, sometimes a user is in one repository and operates on another repository. A major case where this occurs is cloning one repository while located in another. This can be done in an ad-hoc fashion, including when cloning the repository outside of the one we are inside. It may also potentially be automated by an application for purposes such as submodule handling. Two kinds of problems are anticipated:

  • A less secure configuration may be set for a specific repository where it is judged acceptable, even though it would not be wanted for other repositories, such as to enable a protocol or set up debugging.
  • More likely, a configuration that supplies secrets for use in one repository's remote can be used to send those secrets to another repository's remote.

PoC

In this example, we send mock Authorization: Basic ... credentials meant for one repository's remote to another remote, by running gix while inside the first repository to clone the second repository.

These instructions are written for a Unix shell, but they will work in other shells, including in PowerShell on Windows if the method of setting environment variables is adapted and /dev/null is replaced with NUL. This procedure is likely to demonstrate the problem on all systems except macOS. This is due to the high-scoped "unknown" configuration that usually accompanies Apple Git, and reflects that gix-path is in practice much less vulnerable on macOS (though still potentially vulnerable).

  1. Install dummyhttp to serve as a local HTTP server for the demonstration.

  2. Obtain a build of gitoxide with the max feature set enabled. While this vulnerability affects other builds, this example requires max for http.extraHeader support.

    Running cargo install gitoxide will install such a build though it may build against a patched version of gix-path. Cloning the repository (12251eb and earlier are affected) and building with cargo build or cargo install --path . are also sufficient. In contrast, installing from published binaries with binstall or quickinstall does not provide the max feature, as of this writing.

  3. Run: dummyhttp -i 127.0.0.1 -c 403 -v

  4. In a separate terminal, create a new local repository and set up a mock remote and http.extraHeader configuration:

    git init myrepo
cd myrepo
git remote add origin http://127.0.0.1:8080/mygit.git
git config --local http.extraHeader 'Authorization: Basic abcde'

  5. Make sure the testing setup is working by running gix fetch in the repository and checking that it fails in the expected way. In the terminal where that is run, a message should be shown indicating an HTTP 403 error. The more interesting output is in the terminal where dummyhttp is running, which should look like this:

    2024-30-30 03:30:16 127.0.0.1:55689 GET /myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
┌─Incoming request
│ GET /myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
│ Accept: */*
│ Authorization: Basic abcde
│ Git-Protocol: version=2
│ Host: 127.0.0.1:8080
│ User-Agent: git/oxide-0.42.2
┌─Outgoing response
│ HTTP/1.1 403 Forbidden
│ Content-Length: 9
│ Content-Type: text/plain; charset=utf-8
│ Date: Fri, 30 Aug 2024 03:30:16 -0400

    Some details may differ, especially dates and times. But Authorization: Basic abcde should be shown.

  6. Now, in the terminal where you ran gix fetch, try cloning a separate repository:

    gix clone http://127.0.0.1:8080/other.git

    Check the output appended in the terminal where dummyhttp is running. This is to observe that Authorization: Basic abcde was rightly not sent.

    Alternatively, if it does appear, then your system may be in one of the uncommon configurations that is vulnerable without further action.

  7. Now rerun that command, but with a modified environment, to cause gix-path to wrongly treat configuration from the local scope as being associated with the git installation:

    env GIT_CONFIG_SYSTEM=/dev/null GIT_CONFIG_GLOBAL=/dev/null gix clone http://127.0.0.1:8080/other.git

    Check the output appended in the terminal where dummyhttp is running. Observe that Authorization: Basic abcde was wrongly sent.

While this procedure uses the same remote host for both repositories, this is not a required element. If the second repository had a different, untrusted host, the extra header would still be sent.

Impact

It is believed to be very difficult to exploit this vulnerability deliberately, due to the need either to anticipate a situation in which higher-scoped configuration variables would be absent, or to arrange for this to happen. Although any operating system may be affected, users running Apple Git on macOS are much less likely to be affected.

In the example shown above, more secure general practices would avoid it: using a credential manager, or even using http.<url>.extraHeader with as specific a <url> as possible, rather than the more general http.extraHeader. Many scenarios are analogous: if each repository's configuration is as secure as possible for how the repository is used, and secrets are stored securely and separately, then the circumstances under which an unacceptably unsecure configuration is used, or under which a leak of credentials would occur, become unlikely.