request #28889 Harden calls to Git CLI against argument injection

Artifact

Infos

Artifact ID#28889

Submitted byThomas Gerbet (tgerbet)

Last Modified On2022-11-08 08:56

Submitted on2022-10-10 12:07

Rank30449

Details

Summary *

Harden calls to Git CLI against argument injection

Original Submission

While none of our calls seems to be exploitable (at this time) to issue like CVE-2021-29472 there is no attempt to prevent it. It might be become ugly real fast if a new feature starts using the existing possibility offered by \Git_Exec in a different way.

CategorySCM/Git

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2022-10-13

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #27178	Tuleap	Releases	14.2	Delivered	2022-14-11 09:20	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #28889

Git commit

tuleap/tuleap/stable

Closes request #28889: Harden calls to Git CLI against argument injection e2b6a5bfca

Thomas Gerbet (tgerbet) , 2022-10-10 12:10

Merge commit 'refs/changes/08/26908/1' of ssh://gerrit.tuleap.net:29418/tuleap 661189a90b

Manuel Vacelet (vaceletm) , 2022-10-13 16:31

Cannot merge a PR via the web UI 351db63d58

Thomas Gerbet (tgerbet) , 2022-10-14 15:26

fix(git): push to PR branch should not give broken PR 81920fb672

Manuel Vacelet (vaceletm) , 2022-11-07 17:42

Show items referenced by request #28889

Referenced by request #28889

Artifact Tracker v5

rel #27178 14.2

Git commit

tuleap/tuleap/stable

Closes request #28889: Harden calls to Git CLI against argument injection e2b6a5bfca

Thomas Gerbet (tgerbet) , 2022-10-10 12:10

Other

Follow-ups

Joris MASSON (jmasson)

2022-11-08 08:56

gerrit #27169 integrated in Tuleap 14.1.99.169

Marie Ange Garnier (marieange)

2022-10-14 17:16

gerrit #26963 integrated into Tuleap 14.1.99.26

Manuel Vacelet (vaceletm)

2022-10-13 16:32

Integrated in Tuleap 14.1.99.14

Connected artifacts
- Added Fixed in: rel #27178

Tracker Workflow Manager (forge__tracker_workflow_manager)

2022-10-13 16:31

Closed by @tgerbet with git #tuleap/stable/e2b6a5bfca360063ef64879d94207b2ac1cd26fe.

Status changed from Under review to Closed
Close date set to 2022-10-13

Thomas Gerbet (tgerbet)

2022-10-10 12:14

See gerrit #26908.

Status changed from Under implementation to Under review