PR#5483: fix: _update_file_in_git() follows symbolic links in temporary clones - pagure - Pagure.io

pagure

#5483 fix: _update_file_in_git() follows symbolic links in temporary clones

Merged 11 months ago by wombelix. Opened 11 months ago by wombelix.

wombelix/pagure fix_security_issue_rhbz2280725_rhbz2278745_follow_symlink into master

fix: _update_file_in_git() follows symbolic links in temporary clones

Dominik Wombacher • 11 months ago

2803a7a

pagure/lib/git.py

file modified

+9 -1

		`@@ -1142,7 +1142,15 @@`

		`new_repo.checkout("refs/heads/%s" % branch)`

		`- file_path = os.path.join(newpath, filename)`
		`+ # Resolve path to identify path traversal and symlinks`
		`+ file_path = os.path.realpath(os.path.join(newpath, filename))`
		`+ # Bail out of file path is outside temp repo or inside the .git/ folder`
		`+ # Avoids data leak and unauthorized changes in files or git config.`
		`+ if (`
		`+ not file_path.startswith(newpath)`
		`+ or os.path.join(newpath, ".git") in file_path`
		`+ ):`
		`+ return`

		`# Get the current index`
		`index = new_repo.index`

wombelix commented 11 months ago

Bail out if file path is outside the temp repo or inside the '.git/' folder.
This avoids data leak and unauthorized changes in files or git config.

Vulnerability discovered by Thomas Chauchefoin thomas@chauchefoin.fr

Fixes: rhbz#2278745, rhbz#2280725, rhbz#2280723, CVE-2024-4981

Signed-off-by: Dominik Wombacher dominik@wombacher.cc

Metadata Update from @wombelix:
- Request assigned

11 months ago

wombelix commented 11 months ago

Patch reviewed and validated in Bugzilla. Tests performed locally, all passed.

rebased onto 2803a7a

11 months ago

Pull-Request has been merged by wombelix

11 months ago

Metadata

Assignee

Tags

No Tags

Changes Summary 1

file changed

pagure/lib/git.py

Powered by Pagure 5.14.1

Documentation • File an Issue • About • SSH Hostkey/Fingerprint

© Red Hat, Inc. and others.