Skip to content

Latest commit

 

History

History
59 lines (42 loc) · 2.53 KB

PLUGIN-UNSAFE-ACTIONS.md

File metadata and controls

59 lines (42 loc) · 2.53 KB

Unsafe Actions

As simple-git passes generated arguments through to a child process of the calling node.js process, it is recommended that any parameter sourced from user input is validated before being passed to the simple-git API.

In some cases where there is an elevated potential for harm simple-git will throw an exception unless you have explicitly opted in to the potentially unsafe action.

Enabling custom upload and receive packs

Instead of using the default git-receive-pack and git-upload-pack binaries to parse incoming and outgoing data, git can be configured to use any arbitrary binary or evaluable script.

To avoid accidentally triggering the evaluation of a malicious script when merging user provided parameters into command executed by simple-git, custom pack options (usually with the --receive-pack and --upload-pack) are blocked without explicitly opting into their use

import { simpleGit } from 'simple-git';

// throws
await simpleGit()
   .raw('push', '--receive-pack=git-receive-pack-custom');

// allows calling clone with a helper transport
await simpleGit({ unsafe: { allowUnsafePack: true } })
   .raw('push', '--receive-pack=git-receive-pack-custom');

Overriding allowed protocols

A standard installation of git permits file, http and ssh protocols for a remote. A range of git remote helpers other than these default few can be used by referring to te helper name in the remote protocol - for example the git file descriptor transport git-remote-fd would be used in a remote protocol such as:

git fetch "fd::<infd>[,<outfd>][/<anything>]"

To avoid accidentally triggering a helper transport by passing through unsanitised user input to a function that expects a remote, the use of -c protocol.fd.allow=always (or any variant of protocol permission changes) will cause simple-git to throw unless it has been configured with:

import { simpleGit } from 'simple-git';

// throws
await simpleGit()
   .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');

// allows calling clone with a helper transport
await simpleGit({ unsafe: { allowUnsafeProtocolOverride: true } })
   .raw('clone', 'ext::git-server-alias foo %G/repo', '-c', 'protocol.ext.allow=always');

Be advised helper transports can be used to call arbitrary binaries on the host machine. Do not allow them in applications where you are not in control of the input parameters.