Security concern about git-interface HOT 9 CLOSED

OK, convinced 🙂
Fix in master and in npm version 2.1.2
Thank you!

from git-interface.

Hey @JamieSlome!
I added the SECURITY.md file, and also looked at the report about the potential vulnerability.
The git-interface package itself does not have a CLI, it is a wrapper over git, and its use involves only programmatic connection.
Therefore, I think that if processing of such cases is added, then this should be done where user input takes place.
Everything that git allows you to do - everything should allow you to do git-interface.

from git-interface.

@yarkeev - thanks for your response 👍 Just for reference, the report can be found directly here:
https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1/

@lirantal - any thoughts on the above?

from git-interface.

Thanks for looking into it @yarkeev, and great update on the SECURITY.md file 👏🏽

I'm not sure why the reference or mention of a CLI related issue, because the report is about the API usage of git-interface as a library consumer (i.e: git.clone(arg1, arg2)). I understand why you'd defer for user input sanitization at the consuming user but given the function signature is documented to be repository, and destination, then users might not realize that input like in the report would be abused.

If you'd like to fix the potential security fix here then I also recommended in the report how to do that effectively.

from git-interface.

@yarkeev - are you able to confirm the fix on the report?

from git-interface.

@JamieSlome, done

from git-interface.

@yarkeev - are you happy for us to assign and publish a CVE for this report?

from git-interface.

@JamieSlome, I don't mind.

from git-interface.

@yarkeev - sorted (CVE-2022-1440) 👍

from git-interface.