Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(checkout): throw error on malicious filepaths #1339

Merged
merged 1 commit into from Apr 12, 2021

Conversation

billiegoose
Copy link
Member

@billiegoose billiegoose commented Apr 12, 2021

I'm fixing a bug or typo

This is similar to GHSA-xjx4-8694-q2fq but for isomorphic-git. Thank you @Ry0taK for reporting it via email.

We now throw an UnsafeFilepathError when parsing malicious GitTrees or GitIndexes:

> isogit clone --url=https://github.com/wmhilton/CVE-2021-30483 --username=$GITHUB_TOKEN
The filepath "..\test" contains unsafe character sequences
{ UnsafeFilepathError: The filepath "..\test" contains unsafe character sequences
    at parseBuffer (C:\git\isomorphic-git\isomorphic-git\index.cjs:2014:13)
    at new GitTree (C:\git\isomorphic-git\isomorphic-git\index.cjs:2051:23)
    at Function.from (C:\git\isomorphic-git\isomorphic-git\index.cjs:2063:12)
    at resolveTree (C:\git\isomorphic-git\isomorphic-git\index.cjs:3714:26)
  caller: 'git.clone',
  name: 'UnsafeFilepathError',
  code: 'UnsafeFilepathError',
  data: { filepath: '..\\test' } }

@billiegoose billiegoose merged commit 1316820 into main Apr 12, 2021
3 checks passed
@billiegoose billiegoose deleted the fix-CVE-2021-30483 branch April 12, 2021 19:41
@isomorphic-git-bot
Copy link
Member

🎉 This PR is included in version 1.8.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants