Dependabot alert: Command Injection due to insecure usage of the --upload-pack feature of git #15
Comments
I'm struggling to see how this is any more of a security vulnerability than a stdlib function like
One thing I've considered is a separate (as an aside, I think the "vulnerability" report is rather insidiously worded -
Thanks @jaz303 for the quick reply. Sorry that my posting of this issue reflects a lack of understanding about the validity of the Dependabot alert; it's a shame that this is being alerted when sensible usage of git-clone isn't a liability (at least based on my understanding of your reply). I'm happy for you to close/delete this issue.
Please don't apologise, any frustration I feel is definitely not directed at yourself. I think I'll leave this issue open as I'm keen to hear others' opinions.
I've read all of these.
Yes, I know. Perhaps you could provide this information in the readme, as git-promise did.
I did:
Thanks for the information. I didn't see that warning, because I was too focused on
Will we eventually remove that option from this repository to remove that potential vulnerability? It shows as a Snyk High vuln., which is very annoying even if we do not use this option. Maybe create a new repo git-clone-unload-pack which adds in that extra feature, if people desire to use this risky option.
No I will not be doing that. It's not a "risky option". |
I see that it is an inherited security vuln. from git-promise. Sorry and thanks for the quick reply above. |
Honestly why not create a bug with git itself?! It seems to me that some downstream users allow unfiltered arguments to be injected and they are just pointing fingers. This is not a security issue, indeed. |
Hi there, this package has been really helpful for my software! Just asking if there is going to be an update to git-clone to deal with the following Dependabot alert:
Affected versions <= 0.2.0
All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.
Side-note: my understanding is that this would be less of a concern for people using node-js for software on their computer, but a bigger issue for node-js on a server, is that a fair assessment?
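The thread above turns on one question: is a wrapper that forwards a caller-supplied upload-pack value to git vulnerable, or is the caller who feeds it untrusted data? The reason the option matters is that `git clone --upload-pack=<cmd>` tells git which program to run to serve the repository, so whoever controls that value controls a command line (run over ssh on the remote for ssh URLs, or on the cloning machine for file:// URLs). As an added example, not code from git-clone or git-promise, the Node snippet below shows both shapes: a naive wrapper that forwards whatever it is handed, and a hardened one that only honours `uploadPack` when the caller marks it as trusted configuration, and that refuses repository or destination strings git would read as options. The names (`naiveCloneArgs`, `buildCloneArgs`, `cloneSync`, `CloneOptionError`), the host allowlist and the sample inputs are all assumptions constructed for this example.

```javascript
// Added example, not the git-clone package's own code. The names below
// (naiveCloneArgs, buildCloneArgs, cloneSync, CloneOptionError) and the
// host allowlist are assumptions made for this illustration.
"use strict";

class CloneOptionError extends Error {}

// Hosts this hypothetical service is willing to clone from (constructed).
const ALLOWED_HOSTS = new Set(["github.com", "gitlab.com"]);

// The shape the alert complains about: whatever the caller puts in
// opts.uploadPack becomes a command line for git to execute. If opts was
// built from an HTTP request body, the requester now runs commands.
function naiveCloneArgs(repo, dest, opts = {}) {
  const args = ["clone"];
  if (opts.uploadPack) args.push(`--upload-pack=${opts.uploadPack}`);
  args.push(repo, dest);
  return args;
}

// Hardened equivalent. Two separate things are checked:
//  1. repo and dest may not start with "-" and are placed after "--", so a
//     value such as "--upload-pack=..." cannot be smuggled in through a
//     positional argument;
//  2. uploadPack is only honoured when the caller explicitly marks it as
//     trusted configuration (a deployment setting, never request data).
function buildCloneArgs(repo, dest, opts = {}) {
  if (typeof repo !== "string" || repo.startsWith("-")) {
    throw new CloneOptionError("repository must not look like a git option");
  }
  if (typeof dest !== "string" || dest.startsWith("-")) {
    throw new CloneOptionError("destination must not look like a git option");
  }

  let url;
  try {
    url = new URL(repo);
  } catch {
    throw new CloneOptionError("repository must be an absolute URL");
  }
  // file:// and ext:: transports make git run a program on this machine;
  // restricting to https/ssh and a known host keeps the wrapper on the
  // network transports the service actually expects.
  if (!["https:", "ssh:"].includes(url.protocol) || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new CloneOptionError(`refusing to clone from ${repo}`);
  }

  const args = ["clone"];
  if (opts.uploadPack !== undefined) {
    if (opts.trustedUploadPack !== true) {
      throw new CloneOptionError(
        "uploadPack must come from trusted configuration, not from request data"
      );
    }
    args.push(`--upload-pack=${String(opts.uploadPack)}`);
  }
  args.push("--", repo, dest);
  return args;
}

// Runs git with the hardened argv. No shell is involved, so the only way to
// influence the command is through the argv, which buildCloneArgs controls.
function cloneSync(repo, dest, opts = {}) {
  const { spawnSync } = require("node:child_process");
  const result = spawnSync("git", buildCloneArgs(repo, dest, opts), {
    stdio: "inherit",
    shell: false,
  });
  if (result.error) throw result.error;
  return result.status;
}
```

The hardened version does not make git's option safe; it makes sure the option can only be set from a place the operator controls, which is the same boundary a caller of `child_process.exec` has to police. The `--` separator and the leading-dash check are belt and braces: either alone blocks a repository string of `--upload-pack=...`, but both cost nothing.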