GitProxy PACK Signature Bypass Vulnerability in ParsePush Processor Allowing Commit Concealment

A vulnerability exists in GitProxy versions 1.19.1 and earlier, specifically within the PACK signature detection of the parsePush processor. By crafting a malicious Git packfile that includes a misleading PACK signature embedded in commit content, an attacker can manipulate the parser into accepting invalid data as a legitimate packfile. This exploitation could bypass approval processes or obscure commits, potentially allowing unauthorized changes to be made in repositories protected by GitProxy.

Impact

Exploitation of this vulnerability allows attackers to hide commits from scanning and approval processes, while also making changes that circumvent established push policies. This could result in the introduction of unwanted or malicious code into a GitProxy-protected repository.

Reproduction

To reproduce this vulnerability, create a commit on a branch that includes the string 'PACK' in the commit message or within a binary file blob. Then, generate a custom packfile that adds a fake PACK signature after the real PACK header, using Git tools or a low-level library. Finally, push the crafted packfile using a custom client or raw protocol injection.

Remediation

Users are advised to upgrade to GitProxy version 1.19.2 or 2.0.0, both of which include patches for this vulnerability.