It is currently possible to overwrite the repoDir by sending a repository name that starts with /. The path.resolve method prioritizes the second argument when that argument is an absolute path; see the example below.
const path = require("path");
path.resolve("/my/repo/folder", "/etc");
// /etc
This behavior gives an attacker the ability to push/pull/clone repositories from an arbitrary absolute path. It could also impact authentication in some cases, as it corrupts the repository name.
Reproduction
The following will clone a repository from an absolute path.
The same technique could be used for git push/pull.
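The following is an added example, not code from the project or from the original report. It shows the path.resolve behaviour described above next to a containment check that rejects repository names resolving outside the base directory. REPO_DIR, the function names and the sample names are hypothetical, and POSIX paths are assumed.

```javascript
const path = require("path");

// Hypothetical base directory; stands in for the server's repoDir.
const REPO_DIR = "/srv/git/repos";

// Behaviour described above: an absolute name replaces repoDir entirely.
function resolveUnsafe(repoDir, name) {
  return path.resolve(repoDir, name);
}

// Hardened form: resolve first, then require the result to sit strictly
// below repoDir. Covers absolute names and ../ traversal alike.
function resolveInside(repoDir, name) {
  if (typeof name !== "string" || name.length === 0 || name.includes("\0")) {
    throw new Error("invalid repository name");
  }
  const base = path.resolve(repoDir);
  const target = path.resolve(base, name);
  const rel = path.relative(base, target);
  const escapes =
    rel === "" ||                      // name resolves to repoDir itself
    rel === ".." ||
    rel.startsWith(".." + path.sep) || // climbs above repoDir
    path.isAbsolute(rel);              // different root (e.g. Windows drive)
  if (escapes) {
    throw new Error("repository path escapes repoDir");
  }
  return target;
}

// Returns the resolved path, or a "rejected: ..." string for reporting.
function check(name) {
  try {
    return resolveInside(REPO_DIR, name);
  } catch (e) {
    return "rejected: " + e.message;
  }
}

// Constructed sample repository names.
for (const name of ["team/app.git", "/etc", "../../etc", "a/../../x"]) {
  console.log(JSON.stringify(name), "| unsafe:", resolveUnsafe(REPO_DIR, name),
              "| checked:", check(name));
}
```

The check is purely lexical: it does not follow symlinks, so a deployment that allows symlinks inside the repository directory would also need to compare real paths (fs.realpathSync) before use.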