Gpython Security vulnerability

[zrichz]

running "dependabot" reveals a security issue classified as "high" - Gpython module can run code on github as the version of Gpython needs to be updated. Not sure if I should raise this as a bug so wanted others comments here first, thanks

official warning: "GitPython vulnerable to Remote Code Execution due to improper user input validation"
fix: Upgrade GitPython to fix in "requirements_versions.txt" - Upgrade GitPython to version 3.1.30 or later.

[Nacurutu]

I have updated the version and now I'm getting n error when I try to update the extensions xD

Error checking updates for Config-Presets:
Traceback (most recent call last):
  File "C:\AI\stable-diffusion-webui\modules\ui_extensions.py", line 66, in check_updates
    ext.check_updates()
  File "C:\AI\stable-diffusion-webui\modules\extensions.py", line 69, in check_updates
    for fetch in repo.remote().fetch("--dry-run"):
  File "C:\AI\stable-diffusion-webui\venv\lib\site-packages\git\remote.py", line 1007, in fetch
    res = self._get_fetch_info_from_stderr(proc, progress, kill_after_timeout=kill_after_timeout)
  File "C:\AI\stable-diffusion-webui\venv\lib\site-packages\git\remote.py", line 848, in _get_fetch_info_from_stderr
    proc.wait(stderr=stderr_text)
  File "C:\AI\stable-diffusion-webui\venv\lib\site-packages\git\cmd.py", line 604, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git fetch -v -- origin --dry-run
  stderr: 'fatal: couldn't find remote ref --dry-run'

[zrichz]

not sure if it makes a difference, but have you got an erroneous extra space in this ? - "git fetch -v -- origin --dry-run" i.e. "-- origin"

[Nacurutu]

thats the error i get when i click update in the webUI.. first time I got it and was after I updated the GitPython to version 3.1.30 as you said, also tried updating to GitPython to version 3.1.31.. same error :p

[zrichz]

oh :(. The fix btw is what dependabot suggests, not what I suggest :)

[Nacurutu]

no worries, im not blaming u hehehehe... i just wanted to try :p with a fresh install of GitPython version 3.1.27 should be fixed.. :)

I upgraded GitPython using the requirements_versions.txt file

Edit: Fixed downgrading GitPython version to 3.1.27

[zrichz]

cool :) good news then :)

[Gerschel]

GHSA-hcpj-qp55-gfph

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command

The way we are using git in the webui, extensions and scripts have this ability already.

The user in this situation would be you, unless you are running a shared instance and somehow expose the clone command (maybe through enabling "custom_scripts.py").
Cloning is done through the extensions tab "install", even if this was updated, but a workaround was done that allowed the extensions tab to clone from urls, you will be at the same risk.

Don't use/allow cors (cross origin) Xss(cross site scripts), which would allow an arbitrary site to use this tab. (Better practice would be to run this in a browser you are not using to browse the web, i.e- If you use firefox to browse, use chrome/safari/chrome dev/edge, just anything different, so a malicious browser extension can't hijack it) https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Don't copy paste urls into the extensions tab that you don't trust.

Don't allow others you don't trust to use your instance of the app.

Don't go installing a bunch of the webui extensions, or at least verify in some form before you do.

I can, for example, but I won't because I'm using my legal name and it's unique, push an update to some cool extension everyone wants. Then either download mailicious tools, or embed directly, and as long as I never make it obvious, I can open another shell and execute whatever I want on the backend. If you have cors enabled, can listen for a crypto transaction and clipboard jack you, etc.

Pretty much what I'm saying is, this actually does not pose a risk in the webui as long as the user (you) don't put things in the extensions fetch from url input.
The real risk comes from sneak installs from extensions, and sometimes bad advice with extensions wanting you to enable cross site scripting.

I decided to ask chatgpt if git can be used as an update mechanism, I already know that it shouldn't be, but thought chatgpt would do a better job at explaining than I can. Technically, we need a better update mechanism for extensions, there are too many issues (using git reset --hard which overwrites configs because a regular pull would be rejected if you modified your configs). If we can change this, then we wouldn't need GitPython anymore.

Git is primarily a version control system, and while it's possible to use it as an update mechanism, it may not be the best option in all cases.

Git is designed to track changes to source code over time and manage collaborative development, so it's well-suited for managing the evolution of software projects. However, using Git as an update mechanism may not provide some features that are necessary for a robust and secure update system, such as:

Security: Git is not specifically designed to handle the security aspects of updating software. While it's possible to use Git over secure connections, it may not provide the level of security necessary to protect your updates from tampering or interception during transmission.

Scalability: Git is not optimized for large files, so if your updates are large, it may be slow and inefficient to use Git.

Robustness: Git's strengths lie in its ability to manage source code and track changes over time, but it may not be the most robust solution for updating software in all cases. For example, if an update fails, it may not be straightforward to revert to a previous version of the software.

That said, some software projects do use Git as an update mechanism, and it can be a reasonable choice in certain situations, particularly for smaller updates or for non-critical systems. If you decide to use Git as an update mechanism, you should make sure to take appropriate security measures, such as using secure connections and digital signatures, to help protect your updates from tampering or interception during transmission.

[zrichz]

thanks for the detailed response - sounds like no more risk than downloading anything else from the interwebs then ;-P