Closed
Description
Security Vulnerability Report
A command injection vulnerability has been identified in the repository processing functions. This vulnerability allows potential execution of arbitrary shell commands through maliciously crafted repository URLs.
Vulnerability Details
- Type: Command Injection (OWASP Reference)
- Location: Repository processing functions in src/main.py
- Impact: High - Allows arbitrary command execution
- Trigger: Maliciously crafted repository URLs that pass the basic validation
Technical Description
The vulnerability exists because repository URLs are directly interpolated into shell commands with minimal validation. While there is a check for URLs starting with 'https://github.com/', this is insufficient to prevent command injection.
Example of Vulnerable Code
```python
import asyncio

# Vulnerable: repo_url and id are interpolated into a single shell string,
# so shell metacharacters in either value are parsed by the shell.
proc = await asyncio.create_subprocess_shell(
    f"git clone --depth=1 {repo_url} ../tmp/{id}",
    stdout=asyncio.subprocess.PIPE,
    stderr=asyncio.subprocess.PIPE,
)
```
Fix Available
A patch has been created that:
- Replaces shell-based command execution with create_subprocess_exec
- Uses argument arrays instead of string interpolation
- Improves input validation
The patch is available and can be provided upon request.
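A hardened clone routine along the lines the report describes, added here as an illustration rather than the project's actual patch: the URL is canonicalised and checked against a strict owner/repo shape, and git is invoked through create_subprocess_exec with an argument list so no shell ever parses the values. The function names, the validation rules and the ../tmp/<id> layout are assumptions.

```python
import asyncio
import re
from urllib.parse import urlsplit

# Assumed allow-list: GitHub owner names are alphanumeric/hyphen, max 39 chars;
# repository names are restricted to the characters GitHub accepts.
_OWNER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}")
_REPO_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")


def validate_github_url(repo_url: str) -> str:
    """Return a canonical https://github.com/<owner>/<repo> URL or raise ValueError."""
    parts = urlsplit(repo_url)
    if parts.scheme != "https" or parts.netloc != "github.com":
        raise ValueError("only https://github.com/ URLs are accepted")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not allowed")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise ValueError("expected a path of the form /<owner>/<repo>")
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not _OWNER_RE.fullmatch(owner) or not _REPO_RE.fullmatch(repo) or repo in (".", ".."):
        raise ValueError("invalid owner or repository name")
    return f"https://github.com/{owner}/{repo}"


def build_clone_argv(repo_url: str, clone_id: str) -> list[str]:
    """Build the git argv as a list; every element is passed to git verbatim."""
    url = validate_github_url(repo_url)
    if not re.fullmatch(r"[A-Za-z0-9-]{1,64}", clone_id):
        raise ValueError("clone id must be alphanumeric")
    # "--" makes git treat the URL as a positional argument even if it starts with "-".
    return ["git", "clone", "--depth=1", "--", url, f"../tmp/{clone_id}"]


async def clone_repo(repo_url: str, clone_id: str) -> int:
    """Clone with create_subprocess_exec (no shell) and return git's exit status."""
    argv = build_clone_argv(repo_url, clone_id)
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
    )
    await proc.communicate()
    return proc.returncode
```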
References
- Originally identified in this Reddit thread
- OWASP Command Injection
Next Steps
- Please acknowledge receipt of this security report
- We can provide the patch file with the fix
- We recommend applying the fix as soon as possible to prevent potential exploitation
Disclosure Timeline
- Found: 2024-11-29
- Reported: 2024-11-29
Devin run link: https://preview.devin.ai/devin/f88e1245c3894b6eafb87c659757863b