Liquid Prompt Command Injection Vulnerability in Git Branch Name Handling

Vulnerability

A command injection vulnerability allowing arbitrary code execution has been identified in Liquid Prompt, an adaptive prompt for Bash and Zsh. The issue affects the master branch from commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a up to, but not including, a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c. It is triggered when a user navigates to a directory inside a Git repository that contains a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD configuration option to be enabled (the default) and gitstatusd to be installed and already running when Liquid Prompt is loaded (not the default). Shell prompt substitution must also be enabled, which is the default in Bash but not in Zsh. When these conditions are met, shell syntax in the branch name, such as a command substitution or a backtick expression, is executed by the shell as the prompt is rendered.

Impact

Successful exploitation allows for arbitrary command execution in the context of the user running Liquid Prompt.

Reproduction

To reproduce this vulnerability, first ensure that Liquid Prompt is installed and that the LP_ENABLE_GITSTATUSD option is enabled. Then, install and start gitstatusd. After that, navigate to a Git repository that contains a crafted branch name with shell syntax, and check out that branch. Finally, enter a directory within the repository to trigger the vulnerability when the prompt is rendered.

Remediation

Users can update to the latest commit on the master branch, where this vulnerability has been patched. If using a stable version or a packaged version, no action is needed as those versions are not vulnerable.
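The mechanism behind this advisory is Bash's prompt substitution: with the promptvars option on, PS1 undergoes parameter expansion and command substitution every time the prompt is drawn, so a branch name spliced into PS1 unescaped is interpreted instead of displayed. The following is an added example, not Liquid Prompt's own code, showing the defensive escaping a prompt must apply before inserting untrusted text; the function names, the "[branch]" segment layout and the sample branch names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Liquid Prompt project). Bash prompt expansion
# interprets three characters in PS1: backslash, dollar sign and backtick.
# Escaping them makes any text spliced into the prompt display verbatim.

# Escape backslash, dollar sign and backtick so prompt expansion shows them
# literally. Backslash is handled first so the escapes added afterwards are
# not themselves doubled.
lp_escape_prompt_text() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/\$/\\$/g' -e 's/`/\\`/g'
}

# Build the Git segment of a prompt from a branch name. The "[branch]"
# layout is a hypothetical one chosen for this example; the point is that
# the name is escaped before it reaches PS1.
lp_git_prompt_segment() {
    printf '[%s]' "$(lp_escape_prompt_text "$1")"
}

# Defender-side check: list local branches whose names contain characters
# that prompt expansion would interpret. Needs a Git checkout; run by hand.
lp_find_risky_branch_names() {
    git for-each-ref --format='%(refname:short)' refs/heads/ | grep -E '[\\$`]'
}

# Constructed sample branch names (not taken from any real repository).
unsafe_branch='topic/$(uname)'
backtick_branch='hotfix/`uname`'

printf 'raw segment:     %s\n' "[$unsafe_branch]"
printf 'escaped segment: %s\n' "$(lp_git_prompt_segment "$unsafe_branch")"
printf 'escaped segment: %s\n' "$(lp_git_prompt_segment "$backtick_branch")"
```

Zsh only performs this expansion when prompt_subst is set, which matches the advisory's note that Zsh is not affected by default; if it is set, percent signs also need escaping there.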

Added: Feb 20, 2026, 10:21 PM
Updated: Feb 20, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread:          0.0
impact:          7.5
exploitability:  6.8
remediation:     0.0
relevance:       3.3
threat:          4.8
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.