Denial of Service with chances of information leakage #220
I'm thinking following symlinks to files outside the repository (e.g. /dev/null) should be disregarded (not scanned), but following symlinks within the repo should be okay. Any thoughts on that?
I also thought the same... but then... Symlinks inside the repo which point to an already committed (git added) file will lead to one file being scanned twice, and symlinks themselves cannot hold anything secret (unless somebody obfuscates a secret as a path in a symlink). And following symlinks in the repo may create further chances of exploitation by symlink chaining (A->B->/dev/null) or even worse (not sure if it is possible) (A->B->A->B->A............) where both A and B are inside the repo. 😅
Any update on this? This bug is equally serious.... Tried reporting something similar on talisman-maintainers@thoughtworks.com .... Has anybody received that?
Hi @dcRUSTy, thanks for this bug and the mail you sent. We acknowledge and will triage the bug.
…er for ioutil.ReadFile which skips following symlink
Describe the bug
Talisman apparently follows symlinks while scanning. If a malicious git repository has a symlink committed in one of the commits, say on
*nix - a symlink to /dev/urandom (infinite-size file?) or /dev/random (super slow, never-ending file)
Windows - a symlink to a malicious remote SMB server
On *nix it will lead to at least a DoS, as /dev/urandom is never-ending?
On Windows, user credential leakage, as Windows will try to log in to the remote SMB share with the current user's credentials; then a DoS is also possible. These leaked credentials may open other portals of exploitation.
On Windows it depends on the value of core.symlinks in the git config.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Should not follow symlinks, at least outside of the repo directory (or none at all?)
On *nix - the scan should complete in finite time
On Windows - should not connect to a remote server and should complete in finite time
Screenshots
![DoS_poc](https://user-images.githubusercontent.com/40319304/89704563-6a3b6d00-d972-11ea-8df6-bcb387d2bab9.PNG)
It will be stuck forever.
Additional context
Also applicable to pre-commit hooks for the .talismanrc file. Again, these are worst cases, highlighting the core problem: SYMLINKS. Couldn't test all the scenarios, kind of short on computational power.
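The two policies debated in this thread side by side: the strict "skip any symlink" wrapper that the referenced fix describes, and the "follow only if the target stays inside the repo" alternative raised in the comments, which also covers the chaining (A->B->/dev/null) and loop (A->B->A) cases. This is an added Go example, not Talisman's own code; the function and error names are my own and the temp repo in `main` is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrSymlink = errors.New("refusing to follow symlink")           // strict policy
var ErrOutsideRepo = errors.New("path resolves outside repository") // repo-bounded policy
// readFileNoSymlink is the strict policy of the referenced fix: os.Lstat does not
// follow links, so a link to /dev/urandom or a remote SMB share is never opened.
func readFileNoSymlink(path string) ([]byte, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return nil, ErrSymlink
	}
	return os.ReadFile(path)
}

// readFileInsideRepo is the looser policy from the comments: follow links only if the
// resolved target stays under repoRoot; EvalSymlinks walks chains and errors on loops.
func readFileInsideRepo(repoRoot, path string) ([]byte, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(path)
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrOutsideRepo
	}
	return os.ReadFile(target)
}

func main() { // constructed demo: a link inside a temp repo that points at os.DevNull
	repo, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(repo)
	_ = os.Symlink(os.DevNull, filepath.Join(repo, "outer"))
	_, err := readFileNoSymlink(filepath.Join(repo, "outer"))
	fmt.Println(err) // refusing to follow symlink
}
```

Note that the repo-bounded policy still reads a file twice when an in-repo link points at a committed file, exactly the duplicate-scan cost mentioned in the comments; the strict policy avoids that at the price of never scanning link targets.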