seveas / git-spindle

Abandoned command-line interface to GitHub and other central git services

Missing sanitization of data received from GitHub #154

Closed jwilk closed 7 years ago

jwilk commented 7 years ago

When you ask git hub to clone a repository, it will call:

git clone <repourl> <reponame>

where both repourl and reponame come from GitHub API, without any sanitization. Operators of the GitHub server could exploit it for directory traversal or, more excitingly, for arbitrary code execution, either via option injection, e.g.:

git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl

or more directly with git-remote-ext, e.g.:

git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

With Python before 2.7.9, which didn't verify certificates by default, this bug could also be exploited by man-in-the-middle attackers.
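The following is an added example, not code from git-spindle or from the reporter: it shows the argv construction the report describes next to a hardened version that inserts `--` before the positional arguments and validates both values before they reach git. The two crafted inputs are the ones quoted in the report; the allowed-scheme list, the hostname/repository-name patterns and the function names are assumptions made for this example (IPv6 literals and other exotic URL forms are deliberately not accepted).

```python
"""Building a `git clone` command from untrusted API data.

Added example (not git-spindle's own code).  `vulnerable_clone_argv` is the
shape the issue describes; `safe_clone_argv` is one way to harden it.
"""
import re
import subprocess
from urllib.parse import urlsplit

# Schemes we are willing to hand to git.  Deliberately absent: the
# remote-helper syntax "<helper>::<address>" (e.g. ext::), which lets the
# remote decide which program git executes.  Assumption for this example.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})
# Plain DNS-style host names only (no leading '-', no shell metacharacters).
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
# scp-like form, e.g. git@github.com:seveas/git-spindle.git; the path part
# may not start with '-' (option) or ':' (which would make it "host::...").
SCP_LIKE_RE = re.compile(r"^(?:[a-z0-9._-]+@)?([a-z0-9.-]+):([^-:].*)$", re.I)
# Directory name: one path component, no traversal, no leading '-'.
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafeRemoteData(ValueError):
    """Raised when API-supplied data would change what `git clone` does."""


def vulnerable_clone_argv(repourl, reponame):
    """argv as the issue describes it: both values straight from the API."""
    return ["git", "clone", repourl, reponame]


def validate_repo_url(repourl):
    """Accept scheme://host/... with an allowed scheme, or scp-like
    user@host:path.  Reject helper syntax (ext::), local paths and anything
    that starts with '-'."""
    if not repourl or repourl.startswith("-"):
        raise UnsafeRemoteData("URL would be parsed as an option: %r" % repourl)
    scheme, sep, _ = repourl.partition("://")
    if sep:
        # "https::foo://x" partitions to scheme "https::foo" and is rejected here.
        if scheme.lower() not in ALLOWED_SCHEMES:
            raise UnsafeRemoteData("scheme not allowed: %r" % scheme)
        host = urlsplit(repourl).hostname  # already lower-cased, port stripped
        if not host or not HOSTNAME_RE.match(host):
            raise UnsafeRemoteData("bad host in URL: %r" % repourl)
        return repourl
    m = SCP_LIKE_RE.match(repourl)
    if not m or not HOSTNAME_RE.match(m.group(1).lower()):
        raise UnsafeRemoteData("not a recognised git URL: %r" % repourl)
    return repourl


def validate_repo_name(reponame):
    """The clone target must be a single, plain directory name."""
    if not REPO_NAME_RE.match(reponame):
        raise UnsafeRemoteData("bad repository name: %r" % reponame)
    return reponame


def safe_clone_argv(repourl, reponame):
    """Validated values, and `--` so no positional can ever become an option.
    The `--` is kept even though validation already rejects leading '-':
    it is the cheap second line of defence."""
    return ["git", "clone", "--", validate_repo_url(repourl),
            validate_repo_name(reponame)]


def is_rejected(repourl, reponame):
    """True if safe_clone_argv refuses this (url, name) pair."""
    try:
        safe_clone_argv(repourl, reponame)
    except UnsafeRemoteData:
        return True
    return False


def clone(repourl, reponame):
    """Run the hardened command as an argv list, never through a shell."""
    return subprocess.run(safe_clone_argv(repourl, reponame), check=True)


if __name__ == "__main__":
    # Constructed inputs: the two payloads quoted in the issue plus a benign one.
    cases = [
        ("https://github.com/seveas/git-spindle.git", "git-spindle"),
        ('git://-esystem("cowsay pwned > \x2fdev\x2ftty")/', "--config=core.gitProxy=perl"),
        ("ext::sh -c cowsay% pwned% >% /dev/tty", "moo"),
    ]
    for url, name in cases:
        verdict = "rejected" if is_rejected(url, name) else "accepted"
        print("%-9s %r %r" % (verdict, url, name))
```

Even when every value is validated, keep the `--`: git's option parser stops there, so a repository name such as `--config=core.gitProxy=perl` can only ever be a directory name, never a configuration override.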

jwilk commented 7 years ago

Nearly-identical bug in a different codebase: https://github.com/sociomantic-tsunami/git-hub/issues/197

seveas commented 7 years ago

Same applies to data received from gitlab/bitbucket, and such data is used in other places as well. Probably worth trying to find more places where extra '--' are needed. Not sure if I agree with the url validation though. We don't validate other data returned by github either.

seveas commented 7 years ago

With aeeb2d496859419ac1ba1da1162d6f3610f7f1f3 in git.git, this is no longer an issue for clone.