GitPython Newline Injection Vulnerability in Git Configuration Writer Allows Remote Code Execution

Vulnerability

A vulnerability has been identified in GitPython's handling of Git configuration values, affecting versions prior to 3.1.49. The issue arises because the 'GitConfigParser.set_value()' method passes values to Python's 'configparser' without validating them for newlines. GitPython's own '_write()' method converts embedded newlines into indented continuation lines, but Git accepts an indented '[core]' line as a section header. This allows injected values, such as 'core.hooksPath', to become effective configuration. Consequently, any Git operation that triggers hooks, such as commit, merge, or checkout, could execute scripts from a path controlled by an attacker.

Impact

Exploitation of this vulnerability leads to remote code execution by allowing scripts to be executed from an attacker-controlled path via Git hooks.

Reproduction

The vulnerability can be reproduced by creating a Git repository and using the 'config_writer().set_value()' method to inject a newline character followed by a '[core]' header and a path into the Git configuration. This injected path can then be used to execute scripts via Git hooks.

Remediation

Users should update to GitPython version 3.1.49 or later, where this vulnerability has been patched.
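As an added example (not GitPython's own code), the two defensive checks a practitioner would want around this issue: a value validation to apply before 'set_value()', and a scanner that flags section headers written as indented continuation lines in a config file. The sample config text and the hooks path in it are constructed for the example.

```python
"""Defensive helpers for the config newline-injection issue described above.
Added example, not GitPython's own code: a value check to apply before
set_value(), and a scanner that flags indented section headers in a config.
"""
import re

_LINE_BREAKS = ("\n", "\r")  # either one ends the line a writer is emitting

def is_safe_config_value(value: str) -> bool:
    """True if the value cannot spill onto a second line of the config file."""
    return not any(ch in value for ch in _LINE_BREAKS)

def validate_config_value(value: str) -> str:
    """Return value unchanged, or raise ValueError if it contains a line break.
    Apply this before handing user-influenced values to set_value()."""
    if not is_safe_config_value(value):
        raise ValueError("config value must not contain newline characters")
    return value

_INDENTED_HEADER = re.compile(r"^[ \t]+\[(?P<name>[^\]]+)\]\s*$")
_KEY_VALUE = re.compile(r"^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<val>.*?)\s*$")

def find_indented_sections(config_text: str) -> list:
    """Report section headers that do not start at column 0, with the keys
    that follow each. git and GitPython write headers at column 0 and indent
    only keys, yet git accepts an indented '[core]' as a header, so an
    indented header is a strong sign of a continuation-line injection."""
    findings, current = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("["):  # any header changes the scope
            m = _INDENTED_HEADER.match(line)
            current = None
            if m:
                current = {"line": lineno, "section": m.group("name").strip(), "keys": {}}
                findings.append(current)
            continue
        kv = _KEY_VALUE.match(line)
        if current is not None and kv:
            current["keys"][kv.group("key").lower()] = kv.group("val")
    return findings

# Constructed sample: the shape a hooksPath injection leaves in .git/config.
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
    "[user]\n\tname = example\n"
    "\t[core]\n"  # line 6: a header written as an indented continuation line
    "\thooksPath = /tmp/constructed-example-hooks\n"
)
```

Running 'find_indented_sections' over a repository's '.git/config' reports the indented '[core]' header at line 6 together with the 'hooksPath' key beneath it, while a config whose headers all start at column 0 yields an empty list.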

Added: May 7, 2026, 8:07 PM
Updated: May 7, 2026, 8:07 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 3.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.