chore: re-vendor lib/#1332
Conversation
keegancsmith
left a comment
keegancsmith
left a comment
There was a problem hiding this comment.
lib is vendored in from our monorepo, so you need to make changes rather in the monorepo and then vendor it back in here.
I'm also not sure we should be escaping these values. Our templates are not just used for constructing commands in batch changes. I'll let @burmudar comment further, I think he had looked into this stuff not so long ago?? (Or did we both look into it? :) )
Generally batch changes are run on repos you have write access to though... which makes this not really an issue in practice. However, I do see us needing to provide some way to do shell escaping since that means previous uses of this would naively break i fyou r filename had a space in it
| return r.FileMatches | ||
| paths := make([]string, len(r.FileMatches)) | ||
| copy(paths, r.FileMatches) | ||
| sort.Strings(paths) |
There was a problem hiding this comment.
Why not? the previous version of the function sorted the paths.
Yeah we did at some point, it's all a bit muddled now but I took a jog down memory lane. This templating is used to render into
|
I disagree. Even if you have access to the repository, that doesn't necessarily make it a trusted source you want to be running code from. Since the attack vector here is a filename, just by including a malicious repo in your spec can trigger command execution locally. |
|
@keegancsmith @burmudar I opened a PR in the monorepo for this: https://github.com/sourcegraph/sourcegraph/pull/12869 |
cbrnrd
changed the title
cbrnrd
force-pushed
the
carterbrainerd-vuln-91-arbitrary-command-execution-in-src-cli-via-unescaped
branch
from
c897f06 to
d5e40eb
Compare
3 participants
This PR re-vendors lib/ (commit
de6bd07264d). Among other changes, this includes a security fix to prevent attacker controlled filenames in batch changes from executing commands.