vlang / gitly

Light and fast GitHub/GitLab alternative written in V
GNU General Public License v3.0
1.35k stars, 70 forks

[SECURITY] Several command injections #246

Open maple3142 opened 1 year ago

maple3142 commented 1 year ago

There are several command injection vulnerabilities in Gitly:

https://github.com/vlang/gitly/blob/d0e1f3ad2fa3d76306a3de11642f5ff50e9e9ede/src/repo_routes.v#L530-L543

https://github.com/vlang/gitly/blob/d0e1f3ad2fa3d76306a3de11642f5ff50e9e9ede/src/commit_routes.v#L87-L94

https://github.com/vlang/gitly/blob/d0e1f3ad2fa3d76306a3de11642f5ff50e9e9ede/src/repo_service.v#L659

I think there are more possible injection points, so it is probably not enough to fix these parts only.

If possible, consider adding a security policy to your repository in the future.

ghost commented 1 year ago

Yes, you are right. Thank you for your feedback. I haven't done any checks yet in any of the places where the git command is called.