Code Injection Security Vulnerability Disclosure
116 views
Skip to first unread message
Indiana Moreau
Oct 28, 2020, 3:12:49 PM10/28/20
to go-gost
Hello,
I would like to report a security vulnerability in one of your projects. This vulnerability results in remote code injection and can be exploited by anyone; it is called dependency repository hijacking. This vulnerability in your project was discovered as part of an analysis of all open source project for this vulnerability and due to the popularity of this project we are contacting you directly.
For more information regarding this vulnerability and the analysis that took place please see this article: https://blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain
Risk: High
Affected Project: Ghost - https://github.com/ginuerzh/gost
Affected Location in Code: https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33
Hijackable Dependency: https://github.com/milosgajdos83/tenus
Summary: Dependency repository hijacking (aka repo jacking) occurs when a piece of code links directly to a Github repository URL. If the owner of that Github repository changes their username or deletes their account, anyone can then reregister their old account name and take control of the linked repository. This can result in a malicious attacker injecting their own code in any project that depended on the Github URL.
For a more in-depth explanation of the issue, please see the article linked above.
Steps for Reproduction:
1. Go to the affect location in the code: https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33. Note: This may not be the only place where this repository is linked to and we recommend ensuring that this repository or Github username is not linked to from anywhere else in the code.
2. Follow the Github link reference by the code: https://github.com/milosgajdos83/tenus. Notice how the link redirects you to a repository under a different user, this is because the original user changed their username. If the link returns a 404 error, this means that the original user has deleted their account.
3. Go to https://github.com/milosgajdos83, which is the user profile page of the original username. Notice how it returns a 404 error, meaning that this user is non-existent, therefore anyone can create an account with this username and hijack the repository to which your code links to.
Remediation:
To fix this issue, the best solution would be to not link directly to a Github URL, instead use a package manager to manage dependencies. Alternatively, changing the link to point to the new URL (the one that the old URL redirects you to) will also mitigate this issue for the time being, but if the user changes their username again it will once again be vulnerable to repo jacking.
For more remediation options, please see the article linked above.
Please note that as part of the disclosure for this vulnerability we are contacting many different projects directly, as such it is possible that this instance of the vulnerability is a false positive. Feel free to contact me if you have any further questions,
Thank-you,
Indiana Moreau
I would like to report a security vulnerability in one of your projects. This vulnerability results in remote code injection and can be exploited by anyone; it is called dependency repository hijacking. This vulnerability in your project was discovered as part of an analysis of all open source project for this vulnerability and due to the popularity of this project we are contacting you directly.
For more information regarding this vulnerability and the analysis that took place please see this article: https://blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain
Risk: High
Affected Project: Ghost - https://github.com/ginuerzh/gost
Affected Location in Code: https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33
Hijackable Dependency: https://github.com/milosgajdos83/tenus
Summary: Dependency repository hijacking (aka repo jacking) occurs when a piece of code links directly to a Github repository URL. If the owner of that Github repository changes their username or deletes their account, anyone can then reregister their old account name and take control of the linked repository. This can result in a malicious attacker injecting their own code in any project that depended on the Github URL.
For a more in-depth explanation of the issue, please see the article linked above.
Steps for Reproduction:
1. Go to the affect location in the code: https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33. Note: This may not be the only place where this repository is linked to and we recommend ensuring that this repository or Github username is not linked to from anywhere else in the code.
2. Follow the Github link reference by the code: https://github.com/milosgajdos83/tenus. Notice how the link redirects you to a repository under a different user, this is because the original user changed their username. If the link returns a 404 error, this means that the original user has deleted their account.
3. Go to https://github.com/milosgajdos83, which is the user profile page of the original username. Notice how it returns a 404 error, meaning that this user is non-existent, therefore anyone can create an account with this username and hijack the repository to which your code links to.
Remediation:
To fix this issue, the best solution would be to not link directly to a Github URL, instead use a package manager to manage dependencies. Alternatively, changing the link to point to the new URL (the one that the old URL redirects you to) will also mitigate this issue for the time being, but if the user changes their username again it will once again be vulnerable to repo jacking.
For more remediation options, please see the article linked above.
Please note that as part of the disclosure for this vulnerability we are contacting many different projects directly, as such it is possible that this instance of the vulnerability is a false positive. Feel free to contact me if you have any further questions,
Thank-you,
Indiana Moreau
Reply all
Reply to author
Forward
0 new messages