JupyterLab Git Command Injection Vulnerability in Terminal Integration
Vulnerability
A command injection vulnerability has been identified in the JupyterLab Git extension, jupyterlab-git, in versions up to and including 0.51.0. The issue arises when a Git repository is created with a name that includes a shell command substitution string. If a user opens JupyterLab in a directory containing this repository and selects 'Open Git Repository in Terminal' from the menu, the injected command is executed in the user's shell without any further confirmation from the user. This vulnerability allows arbitrary code execution, with potential consequences such as modifying files, exfiltrating data, halting services, or otherwise compromising the server.
Impact
Exploitation of this vulnerability allows for arbitrary code execution via command injection, with the executed commands running in the user's shell. This could lead to unauthorized file creation or modification, data exfiltration, disruption of services, or other actions depending on the commands injected and the user's environment.
Reproduction
To reproduce this vulnerability, create a Git repository with a name that includes a command substitution string, such as a directory name that uses the '$(<command>)' syntax. After initializing the repository, start JupyterLab in a parent directory of the repository. Once JupyterLab is open, navigate to the file browser, open the repository folder, and select 'Open Git Repository in Terminal' from the Git menu. The injected command is executed in the terminal, which demonstrates the command injection.
Remediation
Users are advised to upgrade to jupyterlab-git version 0.51.1 or later, where this vulnerability has been patched. If an upgrade is not possible, the affected feature can be removed by disabling terminals: either at the jupyter-server level, by disabling the terminals server extension, or by disabling the JupyterLab terminal extension.
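The following added example (not code from jupyterlab-git) illustrates both the injection mechanism described under Vulnerability and the kind of fix the patched release needs: it assumes the terminal action boils down to a `cd` into the repository path, uses a constructed repository name, and requires a POSIX `sh` on the machine. The `shell_sees` helper shows what the shell makes of a path before and after quoting, and `flag_suspicious_names` is a defender-side check for directory names that would be dangerous if ever interpolated unquoted.

```python
import shlex
import subprocess

# Constructed repository name for this example; it is treated as data only
# and is never passed to a shell unquoted except through the harmless
# printf probe in shell_sees().
SUSPICIOUS_NAME = "project-$(echo INJECTED)"

# Characters a POSIX shell interprets when a word is left unquoted.
SHELL_META = set("$`;|&<>(){}'\"\\")


def unsafe_cd_command(repo_path: str) -> str:
    """The vulnerable pattern: the path is spliced into the command line verbatim,
    so a "$(...)" inside the directory name is executed as a command substitution."""
    return f"cd {repo_path}"


def quote_for_shell(word: str) -> str:
    """Single-quote a word so the shell treats it as one literal argument."""
    return shlex.quote(word)


def safe_cd_command(repo_path: str) -> str:
    """The hardened form: inside single quotes the shell performs no substitution
    or expansion, so the directory name can only ever be a directory name."""
    return f"cd {quote_for_shell(repo_path)}"


def shell_sees(word: str) -> str:
    """Ask a real POSIX shell what one word expands to. printf '%s' echoes the
    expanded word back, which makes the difference between quoted and unquoted
    input visible without touching the filesystem."""
    result = subprocess.run(
        ["sh", "-c", f"printf '%s' {word}"], capture_output=True, text=True, check=True
    )
    return result.stdout


def has_shell_metacharacters(name: str) -> bool:
    """True if interpolating this name unquoted would let the shell interpret it."""
    return any(ch in SHELL_META for ch in name)


def flag_suspicious_names(names) -> list:
    """Defensive scan over directory names (e.g. from os.listdir) that returns the
    ones worth reviewing before a tool passes them to a terminal."""
    return [n for n in names if has_shell_metacharacters(n)]


if __name__ == "__main__":
    print("unquoted :", shell_sees(SUSPICIOUS_NAME))                  # substitution ran
    print("quoted   :", shell_sees(quote_for_shell(SUSPICIOUS_NAME)))  # literal name
    print("flagged  :", flag_suspicious_names(["notes", SUSPICIOUS_NAME, "a;b"]))
```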
