Skip to content

On Windows, `git-sizer` might run a `git` executable within the repository being analyzed

Moderate
rzhade3 published GHSA-57q7-rxqq-7vgp Apr 23, 2021

Package

git-sizer

Affected versions

<= 1.3.0

Patched versions

1.4.0

Description

Impact

On Windows, if git-sizer is run against a non-bare repository, and that repository has an executable called git.exe, git.bat, etc., then that executable might be run by git-sizer rather than the system git executable. An attacker could try to use social engineering to get a victim to run git-sizer against a hostile repository and thereby get the victim to run arbitrary code.

On Linux or other Unix-derived platforms, a similar problem could occur if the user's PATH has the current directory before the path to the standard git executable, but this is would be a very unusual configuration that has been known for decades to lead to all kinds of security problems.

Patches

Users should update to git-sizer v1.4.0

Workarounds

If you are on Windows, then either

  • Don't run git-sizer against a repository that might contain hostile code, or, if you must…
  • Run git-sizer against a bare clone of the hostile repository, or, if that is not possible…
  • Make sure that the hostile repository doesn't have an executable in its top-level directory before running git-sizer.

If you are on Linux or other Unix-based system, then (for myriad reasons!) don't add the current directory to your PATH.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs