Remote Code Execution? #216
Comments
@dcRUSTy very interesting. Thank you for raising this.
The above threat could be true if an attacker pushed a malicious exe to a repo which you would scan on your pipeline/machine. The malicious exe could therefore get access to perform actions on the CI server/dev machine.
The above threat could take effect if you tried pushing/committing an exe, and it ends up executing on your own machine. Which can be an unintentional attack though. It may not be malicious, but it could still cause a problem if it ends up getting executed. Sounds right?
Yes...
So the attack vector in case 2 is someone committing malicious code in order to root/exploit/render-unusable the machine on which development for a repo is taking place?
Yes.
I wonder if all hooking tools suffer from this problem? Can this be considered acceptable risk for any project that employs git-hooks in Windows development environments?
But what about `talisman --scan`? That functionality is without git-hooks.
That we will definitely fix. CI will be rendered broken because of it.
Don't know.... but doesn't sound good.
On a Windows developer machine where the current working directory is also part of the lookup paths used by the default shell which in this case happens to be If a developer tried to commit something in said repo (that has the malicious This is why I don't see how this problem can be solved reasonably for the end developer use case.
Not the case when dev uses an IDE (tried with VS Code/IntelliJ); these IDEs don't use the git binary from the repo.
One of the ways to fix this issue is to use a fixed location to load the git binary. @dineshba suggested an interesting alternative, i.e. use a native go-git library instead of invoking the OS binary. We will address this issue ASAP. Thanks for using talisman and reporting this problem @dcRUSTy!
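As an added illustration of the "fixed location" direction in the comment above (example code, not talisman's own), a Go resolver that refuses to use a git executable located inside the repository being scanned; `resolveGit`, `isInside` and the injectable `lookPath` are assumed names for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrGitInsideRepo is returned when the git executable resolved via PATH lookup
// lives inside the repository about to be scanned (e.g. a checked-in git.exe).
var ErrGitInsideRepo = errors.New("refusing git executable located inside the scanned repository")

// isInside reports whether path is repoRoot itself or a descendant of it.
// Both arguments must already be absolute, cleaned paths.
func isInside(repoRoot, path string) (bool, error) {
	rel, err := filepath.Rel(repoRoot, path)
	if err != nil {
		return false, err // different volumes on Windows, etc.
	}
	sep := string(filepath.Separator)
	return rel != ".." && !strings.HasPrefix(rel, ".."+sep), nil
}

// resolveGit returns the absolute path of the git binary to run for repoRoot.
// lookPath is injectable (assumption: production code passes exec.LookPath)
// so the policy can be exercised without a real git on PATH.
func resolveGit(repoRoot string, lookPath func(string) (string, error)) (string, error) {
	candidate, err := lookPath("git")
	if err != nil {
		return "", err
	}
	abs, err := filepath.Abs(candidate)
	if err != nil {
		return "", err
	}
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	if inside, err := isInside(root, abs); err != nil || inside {
		if err == nil {
			err = ErrGitInsideRepo
		}
		return "", err
	}
	return abs, nil
}

func main() {
	// Constructed scenario: lookup that would hand back a git binary checked into the repo root.
	repo := filepath.Join("work", "suspicious-repo")
	checkedIn := func(string) (string, error) { return filepath.Join(repo, "git.exe"), nil }
	if _, err := resolveGit(repo, checkedIn); err != nil {
		fmt.Println("blocked:", err)
	}
	if p, err := resolveGit(repo, exec.LookPath); err == nil {
		fmt.Println("using system git at", p)
	}
}
```

Since Go 1.19, `os/exec` itself returns `exec.ErrDot` when a lookup would resolve to a file in the current directory, which covers the repo-root case on its own; the check above additionally rejects a git found under any subdirectory of the scanned repo that happens to be on PATH.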
How about a check in the precommit hook script to ignore git (and curl binary) in the repo.. Not sure, but the update functionality looks like another candidate for this vulnerability as well.
+1 for the git library, but it is a major rework ... was about to point out the same in the next bug report where git.exe output was not formatted properly and leads to command manipulation.
The use of `exec` here seems to be to test that go-git is actually feature compatible with the official git cli. But like you may already be thinking, go-git is vulnerable to remote-code execution in the kind of test environment you have created for talisman.
On Thu, Aug 6, 2020 at 5:47 PM dcRUSTy ***@***.***> wrote:
https://github.com/go-git/go-git/search?q=exec&unscoped_q=exec although the results of this search don't look promising
Thanks for the input @dcRUSTy. We will take care of all Windows executables.
@dcRUSTy We tested and released a fix for checked in git.exe on Windows. Please update to the latest release and let us know if it works for you.
@svishwanath-tw Looks good to me.. Thanks team 👍
…able in windows OS (thoughtworks#219)
Describe the bug
Scan a repo with a malicious git.exe in its root. Talisman executes that malicious git.exe binary while scanning on Windows.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
It should not execute a malicious git.exe from the repo which it is scanning.