Conversation
|
Thanks for the pull request, @kingoftech-v01! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Submit a signed contributor agreement (CLA)
If you've signed an agreement in the past, you may need to re-sign. Once you've signed the CLA, please allow 1 business day for it to be processed. 🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
openedx-webhooks
added
the
open-source-contribution
…ection and SSRF git_export_utils.export_to_git() passes a course-author-controlled giturl to ``git clone`` and ``git remote set-url``. Subprocess list-form already prevents shell metacharacter injection, but git itself treats arguments beginning with ``-`` as options (CVE-2017-1000117 class), so a course author with Studio staff permissions and ``ENABLE_EXPORT_GIT`` on could set ``giturl`` to ``--upload-pack=<cmd>`` or similar and gain RCE on the CMS host. The legacy validator only checked URL prefix and suffix and did not reject option-style URLs or internal network targets. This change: * Adds ``_validate_git_url(repo)`` which rejects URLs that begin with ``-`` and, for http/https URLs, resolves the hostname and rejects any address that is loopback, link-local, private, reserved, multicast, or unspecified (SSRF defense). * Calls the new validator from ``export_to_git`` immediately after the legacy endswith/startswith check. * Passes ``--`` to ``git clone`` so the repo is unambiguously positional, as defense in depth against future validator regressions. (``git remote set-url`` does not accept ``--``, so the validator remains load-bearing for the pull/reset branch.) Adds unit tests covering option-injection URLs, loopback / RFC1918 / link-local IPv4 and IPv6 targets (with ``socket.getaddrinfo`` patched to avoid network dependencies), the public-host allowlist path, and the ``git clone --`` invocation shape. The feature is gated behind ``FEATURES['ENABLE_EXPORT_GIT']`` (off by default) and requires Studio course-author access, so real-world exposure is limited — but course authors are not OS-trusted, and this closes a privilege escalation path from Studio staff to RCE on the CMS host when the feature is enabled.
kingoftech-v01
force-pushed
the
fix/sec-git-export-url-injection
branch
from
09a7623 to
d4334f3
Compare
kingoftech-v01
changed the title
3 participants
Closed.