sec: do not append session envs to git run #544

Merged
merged 1 commit into from
Jul 30, 2024

Conversation

caarlos0
Member

It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git LFS.

The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as “LD_PRELOAD”.

This PR fixes it.


Reported by Rob King via e-mail

Signed-off-by: Carlos Alexandro Becker <[email protected]>
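The mitigation the PR describes, as an added Go example that is not Soft Serve's own code: the client session environment is filtered against an allowlist before anything from it is appended to the git subprocess environment. The allowlist contents (only `GIT_PROTOCOL`), the function names and the sample session values are assumptions made for this illustration.

```go
package main

import (
	"os"
	"strings"
)

// allowedSessionEnv is an assumed allowlist: the only client-supplied
// variables that may reach the git subprocess. GIT_PROTOCOL is what git
// clients send to negotiate protocol v2; everything else (LD_PRELOAD,
// GIT_DIR, GIT_CONFIG_*, ...) is dropped before the process starts.
var allowedSessionEnv = map[string]bool{"GIT_PROTOCOL": true}

// vulnerableEnv mirrors the flaw described in the PR: the whole client
// session environment is appended to the subprocess environment.
func vulnerableEnv(sessionEnv []string) []string {
	return append(os.Environ(), sessionEnv...)
}

// filterSessionEnv keeps only well-formed KEY=VALUE entries whose KEY is
// allowlisted; malformed entries without '=' are dropped too.
func filterSessionEnv(sessionEnv []string) []string {
	var kept []string
	for _, kv := range sessionEnv {
		key, _, ok := strings.Cut(kv, "=")
		if ok && allowedSessionEnv[key] {
			kept = append(kept, kv)
		}
	}
	return kept
}

// hardenedEnv builds the subprocess environment from the server's own
// environment plus the filtered session variables; assign it to cmd.Env.
func hardenedEnv(sessionEnv []string) []string {
	return append(os.Environ(), filterSessionEnv(sessionEnv)...)
}

// hasKey reports whether env defines a variable named key.
func hasKey(env []string, key string) bool {
	for _, kv := range env {
		if k, _, _ := strings.Cut(kv, "="); k == key {
			return true
		}
	}
	return false
}

// main only keeps the file buildable as a program; real use wires
// hardenedEnv into the exec.Cmd that runs git.
func main() { _ = hardenedEnv(nil) }
```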
@caarlos0 caarlos0 added the bug Something isn't working label Jul 29, 2024
@caarlos0 caarlos0 requested a review from aymanbagabas as a code owner July 29, 2024 15:41
@aymanbagabas aymanbagabas merged commit 4daebdd into main Jul 30, 2024
3 of 9 checks passed
@aymanbagabas aymanbagabas deleted the sec-env branch July 30, 2024 13:31
aymanbagabas added a commit that referenced this pull request Jul 31, 2024
Fixes: 4daebdd (sec: do not append session envs to git run (#544))