Security risk with untrusted repositories (CVE-2022-42906) #45
Comments
The issue is identical to the one identified for the fish shell:
jcharaoui added a commit that referenced this issue on Oct 9, 2022:
This is a mitigation for #45 and is the same method that was implemented by the fish shell maintainers in fish-shell/fish-shell#8589
Related PR: #46

A CVE number has been assigned for this bug: CVE-2022-42906

Fixed in v1.3.2
When powerline-gitstatus is enabled on the shell and a malicious repository is cloned on the system, simply entering the directory can lead to the execution of arbitrary commands. This risk is documented here: https://blog.sonarsource.com/securing-developer-tools-git-integrations/

We should implement the notion of trusted directories for this plugin, so that git status & friends are only executed in known-good locations, as opposed to any location on any filesystem.
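One way to implement the trusted-directories gate the issue proposes, written here as an added example rather than the project's own code. The list of trusted roots, the `run_git` callback and the function names are assumptions; the check goes slightly beyond the issue text by resolving symlinks and `..` and by comparing path components, so that a sibling directory such as `work-evil` does not pass a check for `work`.

```python
import os
from typing import Callable, Iterable, Optional


def _canonical(path: str) -> str:
    """Expand '~', resolve symlinks and '..' so prefix checks compare real paths.

    A symlink inside a cloned repository that points outside a trusted root
    would otherwise look trusted by its lexical name.
    """
    return os.path.realpath(os.path.expanduser(path))


def is_trusted_directory(path: str, trusted_roots: Iterable[str]) -> bool:
    """Return True only if `path` is one of the trusted roots or lies beneath one.

    Plain string prefix matching is not enough: '/home/me/work-evil' starts
    with '/home/me/work', so the comparison is done on whole path components
    via os.path.commonpath.
    """
    real = _canonical(path)
    for root in trusted_roots:
        real_root = _canonical(root)
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:
            # Paths on different drives (Windows) can never share a prefix.
            continue
    return False


def git_status_if_trusted(cwd: str, trusted_roots: Iterable[str],
                          run_git: Callable[[str], str]) -> Optional[str]:
    """Only invoke git (via the assumed `run_git` callback) inside trusted roots.

    Returns None for untrusted locations, so the prompt segment simply stays
    empty instead of running git against a repository of unknown origin.
    """
    if not is_trusted_directory(cwd, trusted_roots):
        return None
    return run_git(cwd)


if __name__ == "__main__":
    # Constructed sample paths; the roots need not exist for the check to work.
    roots = ["~/work", "/srv/projects"]
    for d in ["~/work/app", "~/work-evil", "~/work/../Downloads/clone", "/srv/projects/x"]:
        print(d, "->", "trusted" if is_trusted_directory(d, roots) else "untrusted")
```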