Gitoxide Symlink Injection Vulnerability Allowing Arbitrary Symlink Creation

A vulnerability in Gitoxide versions prior to 0.21.1 allows for the creation of symlinks pointing to attacker-controlled locations within any directory the user can write to. This issue arises during the checkout process, where symlink entries are processed after regular files, using a shared stack that caches validated path prefixes. This caching mechanism can be exploited by crafting a tree with duplicate symlink and directory entries, bypassing essential checks and leading to unauthorized symlink creation. The vulnerability is fixed in Gitoxide version 0.21.1.

Impact

Exploitation of this vulnerability allows for arbitrary symlink creation in any directory the user has write access to, potentially leading to unauthorized file access or manipulation.

Reproduction

To reproduce this vulnerability, create a Git repository with a specific tree structure that includes a symlink entry pointing to the `.git/hooks` directory, a directory entry with a symlink to a payload file, and the payload file itself. Once this repository is cloned using Gitoxide, the malicious symlink will be created in the hooks directory. When the `post-checkout` hook is invoked, it will execute the payload, demonstrating the vulnerability.

Remediation

Users should update Gitoxide to version 0.21.1 or later, where this vulnerability has been fixed.