GitPython Path Traversal Vulnerability Allowing Arbitrary File Write and Delete

Vulnerability

A path traversal vulnerability has been identified in GitPython, a Python library for interacting with Git repositories. Affected versions, up to and including 3.1.47, do not adequately validate reference names when references are created, renamed, or deleted. Because a loose reference is stored as a file under the repository's .git directory at a path derived from its name, a reference name containing traversal components (such as ..) resolves to a file outside .git. An attacker who controls a reference name passed to these APIs can therefore overwrite, move, or delete files outside the repository's .git directory, which can corrupt application state or cause a denial of service if critical files are targeted.

Impact

Exploitation requires that an attacker can influence a reference name passed to GitPython's reference APIs. A successful attack results in unauthorized modification, relocation, or deletion of files on the host running the application, affecting application integrity and availability; where the targeted files hold application state or configuration, this corrupts them and causes further disruption. The file operations are performed with the privileges of the process using GitPython, so the damage is bounded by that process's file-system permissions.

Reproduction

To reproduce this vulnerability, first install GitPython version 3.1.46, an affected release. Create a new Git repository, add a text file, and commit it. Then call the vulnerable reference APIs with a reference name that resolves to a path outside the repository's .git directory: creating such a reference writes a file at that location, demonstrating the arbitrary write, and deleting the reference removes the file, demonstrating the arbitrary delete. Inspect the file system outside .git before and after each call to confirm the effect.
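The following is an added example written for this page; it is not GitPython's own code and not the project's fix. It models how a reference name maps to a loose-ref file under .git (join, then normalise), shows why a name containing .. escapes that directory, and gives a validator a caller can apply to untrusted reference names before handing them to reference-creating APIs, whatever GitPython version is installed. The ref-name rules are a subset of those enforced by git check-ref-format, not a copy of GitPython's validation; the sample git_dir, the function names, and the marker file and traversal name used by the optional live probe are assumptions for illustration. The live probe only runs if GitPython is importable and keeps every file it touches inside a temporary directory.

```python
"""Traversal check for Git reference names (added example, not GitPython code)."""
import os
import re
import tempfile

# Subset of what `git check-ref-format` refuses; assumption: this is the set
# treated as unsafe here, it is not copied from GitPython.
_BAD_SUBSTRINGS = ("..", "@{", "//", "\\")
_BAD_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[]")


def ref_file_path(git_dir: str, ref_path: str) -> str:
    """Map a ref name to the loose-ref file it would live in: <git_dir>/<ref_path>.

    Joining and normalising is all that happens, so '..' components walk
    upward out of git_dir; this is the traversal the advisory describes.
    """
    return os.path.normpath(os.path.join(git_dir, ref_path))


def is_inside_git_dir(git_dir: str, ref_path: str) -> bool:
    """Containment check: does the resolved file stay under git_dir?"""
    root = os.path.normpath(git_dir)
    target = ref_file_path(git_dir, ref_path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # mixed absolute/relative paths or different drives
        return False


def is_valid_ref_name(ref_path: str) -> bool:
    """Reject names git itself would reject, which rules out every traversal form."""
    if not ref_path or ref_path.startswith("/") or ref_path.endswith("/"):
        return False
    if ref_path.endswith(".lock") or ref_path.endswith("."):
        return False
    if any(bad in ref_path for bad in _BAD_SUBSTRINGS):
        return False
    if _BAD_CHARS.search(ref_path):
        return False
    # git forbids components starting with '.', which also covers '.' and '..'
    return all(part and not part.startswith(".") for part in ref_path.split("/"))


def safe_ref_path(git_dir: str, ref_path: str) -> str:
    """Validate a ref name and return its on-disk path, or raise ValueError."""
    if not is_valid_ref_name(ref_path) or not is_inside_git_dir(git_dir, ref_path):
        raise ValueError(f"refusing unsafe reference name: {ref_path!r}")
    return ref_file_path(git_dir, ref_path)


def probe_installed_gitpython() -> str:
    """Optional live check against whatever GitPython is installed.

    Builds a throwaway repo under a temp dir, commits one file, then asks
    GitPython to create a head whose name walks four levels up, which would
    land at <tmp>/escaped (outside .git and outside the repo). Returns
    'gitpython not installed', 'vulnerable' or 'not vulnerable'.
    """
    try:
        import git  # GitPython
    except ImportError:
        return "gitpython not installed"

    with tempfile.TemporaryDirectory() as base:
        repo_dir = os.path.join(base, "repo")
        repo = git.Repo.init(repo_dir)
        with open(os.path.join(repo_dir, "hello.txt"), "w") as fh:
            fh.write("hello\n")  # constructed sample file
        repo.index.add(["hello.txt"])
        repo.index.commit("initial commit")

        # refs/heads/../../../../escaped resolves to <base>/escaped (assumed name)
        traversal_name = "../../../../escaped"
        try:
            repo.create_head(traversal_name)
        except Exception:
            # A patched library rejects the name; the file check is the verdict.
            pass
        return "vulnerable" if os.path.exists(os.path.join(base, "escaped")) else "not vulnerable"


if __name__ == "__main__":
    git_dir = "/srv/app/repo/.git"  # assumed sample location
    for name in ("refs/heads/main", "refs/heads/../../../../etc/cron.d/job"):
        print(f"{name!r:45} -> {ref_file_path(git_dir, name)}  "
              f"contained={is_inside_git_dir(git_dir, name)}  valid={is_valid_ref_name(name)}")
    print("live probe:", probe_installed_gitpython())
```

Run it as a script to see the two sample names resolved, or call safe_ref_path() in application code before any create, rename, or delete of a reference whose name came from outside the process. The name validator is the primary defence because it rejects the input before any path is built; the containment check is defence in depth for names that pass the lexical rules but still resolve outside .git (for example when git_dir itself is relative).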

Remediation

Upgrade to GitPython version 3.1.48 or later, where the validation of reference paths has been fixed. Until the upgrade is deployed, applications that pass externally controlled reference names to GitPython should validate those names before use.

Added: May 7, 2026, 7:30 PM
Updated: May 7, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.5
exploitability: 6.0
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.