Summary
Malicious users may access any Git repository on the server even if it is outside the served root directory.
Product
Tested Version
Master branch. Windows OS (should work on Linux too).
Details
Function resolveRepositoryPath doesn’t validate user input
git-server serves Git repositories over http(s) from a configured root directory repoRoot. The only option to access repositories outside the repoRoot is to set ‘virtual’ repository paths in the server configuration file.
However resolveRepositoryPath doesn’t properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot.
Impact
This issue may lead to an unauthorized access to private Git repositories.
CVE
CVE-2020-9708
Coordinated Disclosure Timeline
- 09/07/2020: Report sent to Vendor
- 09/07/2020: Vendor acknowledges
- 23/07/2020: Fixed in v1.3.1
- 11/08/2020: CVE-2020-9708 assigned.
- 11/08/2020: Advisory released.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-133 in any communication regarding this issue.