kallithea Changeset - a8a51a3bdb61

Changeset - a8a51a3bdb61

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Mads Kiilerich (mads) - 5 years ago 2020-11-19 21:33:11
mads@kiilerich.com

git: disallow odd characters in path of git:// URLs

Mitigate https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf
until the problem is fixed properly in Git.

The checks might be more strict than necessary but should not have any impact
on real world use cases.

Thanks to stypr of Flatt Security for raising this.

1 file changed with 12 insertions and 0 deletions:

kallithea/lib/vcs/backends/git/repository.py

0 comments (0 inline, 0 general)

kallithea/lib/vcs/backends/git/repository.py

➞

Show inline comments

@@ @@ -163,6 +163,18 @@ class GitRepository(BaseRepository): @@
             return True
         if url.startswith('git://'):
             try:
                 _git_colon, _empty, _host, path = url.split('/', 3)
             except ValueError:
                 raise urllib.error.URLError("Invalid URL: %r" % url)
             # Mitigate problems elsewhere with incorrect handling of encoded paths.
             # Don't trust urllib.parse.unquote but be prepared for more flexible implementations elsewhere.
             # Space is the only allowed whitespace character - directly or % encoded. No other % or \ is allowed.
             for c in path.replace('%20', ' '):
                 if c in '%\\':
                     raise urllib.error.URLError("Invalid escape character in path: '%s'" % c)
                 if c.isspace() and c != ' ':
                     raise urllib.error.URLError("Invalid whitespace character in path: %r" % c)
             return True
         if not url.startswith('http://') and not url.startswith('https://'):

0 comments (0 inline, 0 general)