Git: don't expand envvars in Gitpython #8263

stsewd · 2021-06-14T21:14:44Z

Gitpython expands envvars by default
We execute gitpython outside the containers.
Currently there isn't a way to exploit this vulnerability
(looks like gitpython is aware of this and may change the default
to false any time https://github.com/gitpython-developers/GitPython/blob/617c09e70bfd54af1c88b4d2c892b8d287747542/git/repo/base.py#L142-L143)
In some places we were executing git commands outside the container
(to get the commit), let's always use the current env (docker in
production).

- Gitpython expands envvars by default We execute gitpython outside the containers. Currently there isn't a way to exploit this vulnerability (looks like gitpython is aware of this and may change the default to false any time https://github.com/gitpython-developers/GitPython/blob/617c09e70bfd54af1c88b4d2c892b8d287747542/git/repo/base.py#L142-L143) - In some places we were executing git commands outside the container (to get the commit), let's always use the current env (docker in production).

stsewd requested a review from a team June 14, 2021 21:14

humitos approved these changes Jun 15, 2021

View reviewed changes

stsewd merged commit db0c0e2 into master Jun 15, 2021

stsewd deleted the dont-expand-env-vars-gitpython branch June 15, 2021 23:25

RuRo mentioned this pull request Jul 3, 2021

Custom LFS integration has broken unexpectedly #8288

Closed

RuRo mentioned this pull request Jul 12, 2021

don't export GIT_DIR #8318

Closed

stsewd mentioned this pull request Jul 13, 2021

Dont mutate env vars outside the BuildEnv classes #8340

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Git: don't expand envvars in Gitpython #8263

Git: don't expand envvars in Gitpython #8263

stsewd commented Jun 14, 2021

Git: don't expand envvars in Gitpython #8263

Git: don't expand envvars in Gitpython #8263

Conversation

stsewd commented Jun 14, 2021