Gogs
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*
- <= 0.14.1
A vulnerability in Gogs prior to version 0.14.2 allows for Git option injection during the release deletion process. When a user-controlled tag name is provided without the correct separator, it can be interpreted as a Git option, potentially disrupting the deletion process. This issue arises because the tag name is not properly sanitized before being passed to the Git command, particularly for tags added through Git pushes or reference updates. As a result, deletion may fail or cause unexpected behavior, leading to inconsistencies in release metadata.
Exploitation of this vulnerability injects options into the 'git tag -d' command, causing deletion to fail or behave unpredictably. This disruption can create operational issues in release management workflows and may result in inconsistent release metadata.
To reproduce this vulnerability, first add a tag that begins with a dash into a repository. Then, use a Gogs version prior to 0.14.2 to delete a release associated with that tag, either through the web interface or the API. The deletion process will fail or behave unexpectedly due to the injected Git option.
Users can update to Gogs version 0.14.2 or later, where this vulnerability has been patched.