RubySec

Providing security resources for the Ruby community

CVE-2020-26222 (dependabot-omnibus): Remote code execution in dependabot-core branch names when cloning

GEM

dependabot-omnibus

SEVERITY

CVSS v3.x: 8.7 (High)

UNAFFECTED VERSIONS

  • < 0.119.0.beta1

PATCHED VERSIONS

  • >= 0.125.1

DESCRIPTION

Impact

Remote code execution in dependabot-common and dependabot-go_modules when a source branch name contains shell metacharacters: the branch is interpolated unescaped into the git clone command line, so bash code embedded in it is executed by the shell that runs the clone.

For example, if Dependabot is configured to use the source branch name "/$({curl,127.0.0.1})", the shell expands the command substitution while the source repository is being cloned and Dependabot makes an HTTP request to 127.0.0.1.

When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:

git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path

Dependabot will always clone the source repository for go_modules during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher class from dependabot-common.

require "dependabot/omnibus"

# Proof of concept for affected versions: the branch name is attacker-controlled
# and is interpolated into the git clone command line without escaping.
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: "/$({curl,127.0.0.1})",
)

repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
          new(source: source, credentials: [],
              repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents # runs the git clone command above through the shell

Workarounds

Escape the branch name prior to passing it to the Dependabot::Source class, so that the shell hands it to git as a single literal argument. This is a stopgap for deployments that cannot upgrade immediately; the fix is to move to a patched version (>= 0.125.1).

For example, using Shellwords from the Ruby standard library:

require "shellwords"

# Shellwords.escape backslash-escapes every shell metacharacter, so /bin/sh
# passes the branch to git as one literal argument instead of expanding it.
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: branch,
)
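To make the injection concrete without a network or a real repository, here is an added example (not dependabot-core's own code) that reproduces the two shapes this advisory contrasts: the branch interpolated straight into a single command string that /bin/sh parses, as in the clone command quoted above, and the same string with the branch passed through Shellwords.escape, as in the workaround. It also shows the argv form that avoids the shell entirely. git is replaced by printf so the child's argv can be read back; the payload and repository URL are constructed for the example and are not from the advisory.

```ruby
require "open3"
require "shellwords"

# Constructed payload for this example. It is a command substitution with no
# whitespace, so, like the advisory's "/$({curl,127.0.0.1})", it survives being
# dropped into a single-string command line. printf is harmless and offline.
PAYLOAD_BRANCH = "/$(printf INJECTED)"

# Hypothetical repository URL; stands in for <GITHUB_REPO_URL> in the advisory.
REPO_URL = "https://github.com/repo/name"

# Vulnerable shape: the branch is interpolated into one command string that is
# later handed to /bin/sh. "git" is replaced by printf so the example runs
# without a network and the arguments the shell produced can be read back.
def vulnerable_command(branch, repo_url = REPO_URL)
  "printf '%s\\n' clone --depth=1 --branch=#{branch} --single-branch " \
    "#{repo_url} repo/contents/path"
end

# Hardened shape from the advisory's workaround: every externally influenced
# value goes through Shellwords.escape before interpolation, so the shell sees
# the metacharacters as literal characters.
def escaped_command(branch, repo_url = REPO_URL)
  "printf '%s\\n' clone --depth=1 --branch=#{Shellwords.escape(branch)} " \
    "--single-branch #{Shellwords.escape(repo_url)} repo/contents/path"
end

# Safest shape: no shell at all. When Open3/Kernel#system receive an argv array
# they exec the program directly, so nothing interprets $( ) or { , }.
# Returned rather than executed, because git and the network are out of scope.
def clone_argv(branch, repo_url = REPO_URL)
  ["git", "clone", "--no-tags", "--no-recurse-submodules", "--depth=1",
   "--branch=#{branch}", "--single-branch", repo_url, "repo/contents/path"]
end

# Run a single-string command through /bin/sh, which is what Open3.capture2e or
# Kernel#system do with one string argument, and return the argv the child
# program actually received (one line per argument, thanks to printf '%s\n').
def argv_seen_by_child(command)
  out, status = Open3.capture2("/bin/sh", "-c", command)
  raise "shell failed with #{status}" unless status.success?
  out.split("\n")
end

# True when the branch reached the child program byte-for-byte, i.e. the shell
# did not expand anything inside it.
def branch_intact?(argv, branch)
  argv.include?("--branch=#{branch}")
end

if __FILE__ == $PROGRAM_NAME
  vuln = argv_seen_by_child(vulnerable_command(PAYLOAD_BRANCH))
  safe = argv_seen_by_child(escaped_command(PAYLOAD_BRANCH))
  puts "vulnerable: #{vuln.inspect}" # --branch=/INJECTED: the substitution ran
  puts "escaped:    #{safe.inspect}" # --branch=/$(printf INJECTED): literal
  puts "argv form:  #{clone_argv(PAYLOAD_BRANCH).inspect}"
  puts "intact? vulnerable=#{branch_intact?(vuln, PAYLOAD_BRANCH)} " \
       "escaped=#{branch_intact?(safe, PAYLOAD_BRANCH)}"
end
```

In the vulnerable shape the child receives "--branch=/INJECTED": the shell ran the substitution before git (here printf) ever saw the argument. In the escaped shape the child receives the branch exactly as configured, and git is then free to reject it as a malformed ref name. Shellwords.escape targets Bourne-style shells, which is what Ruby uses for single-string commands; when you control the call site, the argv form is the stronger fix because there is no shell to escape for.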
