Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security concern #9

Closed
JamieSlome opened this issue Apr 17, 2022 · 9 comments
Closed

Security concern #9

JamieSlome opened this issue Apr 17, 2022 · 9 comments

Comments

@JamieSlome
Copy link

Hey there!

I belong to an open source security research community, and a member (@lirantal) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)
@yarkeev
Copy link
Owner

yarkeev commented Apr 21, 2022

Hey @JamieSlome!
I added the SECURITY.md file, and also looked at the report about the potential vulnerability.
The git-interface package itself does not have a CLI, it is a wrapper over git, and its use involves only programmatic connection.
Therefore, I think that if processing of such cases is added, then this should be done where user input takes place.
Everything that git allows you to do - everything should allow you to do git-interface.

@JamieSlome
Copy link
Author

@yarkeev - thanks for your response 👍 Just for reference, the report can be found directly here:
https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1/

@lirantal - any thoughts on the above?

@lirantal
Copy link

Thanks for looking into it @yarkeev, and great update on the SECURITY.md file 👏🏽

I'm not sure why the reference or mention of a CLI related issue, because the report is about the API usage of git-interface as a library consumer (i.e: git.clone(arg1, arg2)). I understand why you'd defer for user input sanitization at the consuming user but given the function signature is documented to be repository, and destination, then users might not realize that input like in the report would be abused.

If you'd like to fix the potential security fix here then I also recommended in the report how to do that effectively.

@yarkeev
Copy link
Owner

yarkeev commented Apr 21, 2022

OK, convinced 🙂
Fix in master and in npm version 2.1.2
Thank you!

@JamieSlome
Copy link
Author

@yarkeev - are you able to confirm the fix on the report?

@yarkeev
Copy link
Owner

yarkeev commented Apr 21, 2022

@JamieSlome, done

@yarkeev yarkeev closed this as completed Apr 22, 2022
@JamieSlome
Copy link
Author

@yarkeev - are you happy for us to assign and publish a CVE for this report?

@yarkeev
Copy link
Owner

yarkeev commented Apr 22, 2022

@JamieSlome, I don't mind.

@JamieSlome
Copy link
Author

@yarkeev - sorted (CVE-2022-1440) 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lirantal @yarkeev @JamieSlome