Git LFS Symbolic Link Vulnerability in Checkout and Pull Commands

Vulnerability

A vulnerability exists in Git Large File Storage (LFS) versions 0.5.2 through 3.7.0, where the 'checkout' and 'pull' commands can inadvertently write to files outside the intended Git working tree. The issue arises when symbolic or hard links intersect with the paths of files managed by Git LFS: the commands do not check for such links before writing, so Git LFS may overwrite files in arbitrary locations accessible to the user. In bare repositories, the same commands can write to locations outside the repository. This vulnerability has been addressed in Git LFS version 3.7.1.
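As an added illustration, not code from the Git LFS project or its 3.7.1 fix, the Go program below shows the kind of check a checkout routine needs before it writes a tracked file into a working tree: refuse absolute and parent-relative paths, Lstat each path component so an existing symbolic link is detected rather than followed, and recreate the file with O_EXCL so a pre-existing hard link is unlinked instead of written through. The function names (SafeTargetPath, SafeWriteFile), the fixture directory layout and the sample contents are all constructed for this example; the same check would be run against the repository directory for the bare-repository case.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can tell the two refusal reasons apart.
var (
	ErrOutsideTree   = errors.New("path does not name a file inside the working tree")
	ErrSymlinkInPath = errors.New("path has a symbolic link component")
)

// SafeTargetPath validates a repository-relative path before anything is written
// to it: it rejects absolute paths and ".." escapes, then walks the path one
// component at a time with Lstat so an existing symlink is seen, not followed.
// Hypothetical hardening written for this page, not the upstream Git LFS code.
func SafeTargetPath(workTree, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", fmt.Errorf("%w: absolute path %q", ErrOutsideTree, rel)
	}
	sep := string(filepath.Separator)
	cleanRel := filepath.Clean(rel)
	if cleanRel == "." || cleanRel == ".." || strings.HasPrefix(cleanRel, ".."+sep) {
		return "", fmt.Errorf("%w: %q", ErrOutsideTree, rel)
	}
	root, err := filepath.Abs(workTree)
	if err == nil {
		root, err = filepath.EvalSymlinks(root) // canonical root, so the walk starts from a real directory
	}
	if err != nil {
		return "", err
	}
	current := root
	for _, part := range strings.Split(cleanRel, sep) {
		current = filepath.Join(current, part)
		info, err := os.Lstat(current)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing below this point exists yet, so nothing can be followed
		}
		if err != nil {
			return "", err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %q", ErrSymlinkInPath, current)
		}
	}
	return filepath.Join(root, cleanRel), nil
}

// SafeWriteFile replaces the file at rel inside workTree with data. The old entry
// is removed and the file recreated with O_EXCL, so a hard link sharing its inode
// with a file outside the tree is broken rather than written through, and a
// symlink that appears after validation makes the create fail instead of being followed.
func SafeWriteFile(workTree, rel string, data []byte) error {
	target, err := SafeTargetPath(workTree, rel)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	if err := os.Remove(target); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	base, err := os.MkdirTemp("", "lfs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	tree, outside := filepath.Join(base, "tree"), filepath.Join(base, "outside")
	victim := filepath.Join(outside, "victim.txt")
	// Constructed fixture: a file outside the tree, reachable from inside the
	// tree through a symlinked directory, a symlinked file and a hard link.
	_ = os.MkdirAll(tree, 0o755)
	_ = os.MkdirAll(outside, 0o755)
	_ = os.WriteFile(victim, []byte("original"), 0o644)
	_ = os.Symlink(outside, filepath.Join(tree, "link"))
	_ = os.Symlink(victim, filepath.Join(tree, "model.bin"))
	_ = os.Link(victim, filepath.Join(tree, "hard.bin"))

	for _, rel := range []string{"link/victim.txt", "model.bin", "../escape.txt", "hard.bin", "assets/model.bin"} {
		fmt.Printf("%-18s -> %v\n", rel, SafeWriteFile(tree, rel, []byte("lfs object bytes")))
	}
	data, _ := os.ReadFile(victim)
	fmt.Printf("outside file still holds %q\n", data)
}
```

Running the program prints a refusal for the two symlink collisions and the parent-directory escape, succeeds for the hard-linked and the plain path, and then shows that the file outside the tree still holds its original contents; the hard-linked name now points at a fresh inode. The fixture relies on os.Symlink and os.Link, so it needs a filesystem and platform that support both.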

Impact

Exploitation of this vulnerability could lead to unintentional overwriting of files outside the Git working tree, including in locations outside a bare repository, when the 'git lfs checkout' or 'git lfs pull' commands are executed.

Reproduction

To reproduce this vulnerability, create a Git repository and add symbolic links that point to directories or files outside the repository, ensuring they collide with Git LFS-tracked files. Then, run 'git lfs checkout' or 'git lfs pull' commands. In a bare repository, this vulnerability can be reproduced by adding a Git LFS pointer file that, if treated as an absolute path, would intersect with a writable directory, and then running the 'git lfs pull' command, which will fetch the object and attempt to write it through the symbolic link to an external location.

Remediation

Users should upgrade to Git LFS version 3.7.1, where this vulnerability has been fixed. Instructions for downloading this version are available on the Git LFS GitHub releases page.

Added: Oct 17, 2025, 4:24 PM
Updated: Oct 17, 2025, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          2.5
exploitability  5.4
remediation     8.3
relevance       0.8
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.