René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Security: Force positional arguments to always be arguments to avoid options injection","articleBody":"This is somehow related to https://github.com/gitpython-developers/GitPython/issues/1515, but as a more broad problem. Gitpython exposes some methods to interact with the git program, but gitpython fails to validate/escape the arguments (user-input), resulting in the user being able to pass options to the final git command, this doesn't seem bad, but git exposes some options (`--upload-pack` and `--receive-pack`) that can lead to remote code execution.\r\n\r\nOne example is the `clone()` method, it receives a path\r\n \r\nhttps://github.com/gitpython-developers/GitPython/blob/17ff2630af26b37f82ac1158ee3495c4390da699/git/repo/base.py#L1219\r\n\r\nBut an option can be passed as well, leading to RCE, a full working example is:\r\n\r\n```python\r\nimport git\r\nr = git.Repo.init('/tmp/test', bare=True)\r\nr.clone(\"--upload-pack=touch /tmp/pwn\")\r\n```\r\n\r\nA usual solution is to add `--` before any user-input arguments, forcing them to always be taken as positional arguments and not options, but there are commands like git checkout that make special use of `--`, git mentions the `--end-of-options` option https://git-scm.com/docs/gitcli/ as an alias for `--` for cases like that, but that option isn't available for `git checkout`  :upside_down_face: \r\n\r\nOther options could be:\r\n- To have a list of commands (like checkout) to not add `--`\r\n- Check all command calls and add `--` manually to each one, for example https://github.com/gitpython-developers/GitPython/blob/17ff2630af26b37f82ac1158ee3495c4390da699/git/repo/base.py#L1170-L1180\r\n  that would be `git.clone(multi, '--', ...)`\r\n\r\nref https://github.com/gitpython-developers/GitPython/issues/1515#issuecomment-1353683726.","author":{"url":"https://github.com/stsewd","@type":"Person","name":"stsewd"},"datePublished":"2022-12-19T16:48:59.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/1517/GitPython/issues/1517"}