From 633eb4a5ce1c2f5c8febf8e1931fff8f235edac4 Mon Sep 17 00:00:00 2001
From: Max Wofford
Date: Sun, 13 Jul 2025 11:27:21 -0700
Subject: [PATCH] Add protocol allowlist to git_remote checker

I wasn't able to replicate CVE-2022-24439 / CVE-2023-40267 after a while of trying to add something malicious but I figure it's a quick and easy check to add just in case
---
 lib/git_remote.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/git_remote.rb b/lib/git_remote.rb
index d4a327b..71ca9d9 100644
--- a/lib/git_remote.rb
+++ b/lib/git_remote.rb
@@ -5,6 +5,9 @@ class GitRemote
     # only run check if git is installed and in path
     return true unless system("git --version")
 
+    # Only allow safe protocols
+    return false unless repo_url.match?(/\A(https?|git|ssh):\/\//)
+
     safe_repo_url = URI.parse(repo_url).to_s.gsub(" ", "").gsub("'", "")
     Open3.capture2e("git", "ls-remote", safe_repo_url).last.success?
   end
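Review bot: The allowlist does close the option-injection path behind the cited CVEs (a value beginning with `-` can no longer reach `git ls-remote` as an argument), but the `Open3.capture2e` call below still passes the URL in option position, so adding the end-of-options marker, `Open3.capture2e("git", "ls-remote", "--", safe_repo_url)`, makes that guarantee independent of the regex. The regex is case-sensitive while URI schemes are not, so a legitimate `HTTPS://` remote is now rejected (`/\A(https?|git|ssh):\/\//i` would accept it), and scp-style `user@host:path` remotes, if any caller passes them, now make the check return false. If `repo_url` can be nil, the new `match?` call raises `NoMethodError` instead of returning false; the enclosing method and the origin of `repo_url` start outside the hunk, so this is inferred. For enforcement at the transport layer regardless of what the regex accepts, git honors `GIT_ALLOW_PROTOCOL`, which could be supplied in the env hash that `Open3.capture2e` accepts as its first argument.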