Hello,
I would like to report a security vulnerability in one of your projects.
This vulnerability results in remote code injection and can be exploited by
anyone; it is called dependency repository hijacking. This vulnerability in
your project was discovered as part of an analysis of all open source projects
for this vulnerability, and due to the popularity of this project we are
contacting you directly.
For more information regarding this vulnerability and the analysis that
took place please see this article:
https://blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain
Risk: High
Affected Project: gost -
https://github.com/ginuerzh/gost
Affected Location in Code:
https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33
Hijackable Dependency:
https://github.com/milosgajdos83/tenus
Summary: Dependency repository hijacking (aka repo jacking) occurs when a
piece of code links directly to a GitHub repository URL. If the owner of that
GitHub repository changes their username or deletes their account, anyone can
then re-register the old account name and take control of the linked
repository. This can result in a malicious attacker injecting their own code
into any project that depended on the GitHub URL.
For a more in-depth explanation of the issue, please see the article linked
above.
Steps for Reproduction:
1. Go to the affected location in the code:
https://github.com/ginuerzh/gost/blob/2707a8f0a90e111fc009791a6a911405939a25fb/go.mod#L33.
Note: this may not be the only place where this repository is linked, and
we recommend ensuring that this repository or GitHub username is not linked
from anywhere else in the code.
2. Follow the GitHub link referenced by the code:
https://github.com/milosgajdos83/tenus. Notice how the link redirects you to
a repository under a different user; this is because the original user
changed their username. If the link returns a 404 error, the
original user has deleted their account.
3. Go to
https://github.com/milosgajdos83, which is the user profile page
of the original username. Notice how it returns a 404 error, meaning that this
user no longer exists; therefore anyone can create an account with this
username and hijack the repository to which your code links.
Remediation:
To fix this issue, the best solution would be not to link directly to a
GitHub URL but to use a package manager to manage dependencies.
Alternatively, changing the link to point to the new URL (the one to which the
old URL redirects you) will also mitigate this issue for the time being,
but if the user changes their username again the project will once again be
vulnerable to repo jacking.
For more remediation options, please see the article linked above.
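As an added illustration (not part of this report or of the gost project), the following Go program performs the sweep recommended in the note to step 1: it lists every GitHub account referenced by a go.mod and flags those whose account no longer exists. The go.mod excerpt, the other module paths and versions, and the account lookup are all constructed; the only value taken from the report is the milosgajdos83/tenus path.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed go.mod excerpt: only the tenus path is from the report; the other paths and all versions are made up.
const sampleGoMod = `module github.com/example/app
require (
	github.com/milosgajdos83/tenus v0.0.1
	github.com/example/lib v1.2.3
)
replace github.com/example/lib => github.com/example-fork/lib v1.2.4
`

// GitHubOwners returns the distinct GitHub account names referenced by module
// paths in a go.mod (require lines and both sides of replace), in first-seen order.
func GitHubOwners(gomod string) []string {
	var owners []string
	seen := map[string]bool{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] == "module" || strings.HasPrefix(f[0], "//") {
			continue // skip blanks, comments and the module's own path
		}
		for _, tok := range f {
			p := strings.Split(tok, "/")
			if len(p) >= 3 && p[0] == "github.com" && !seen[p[1]] {
				seen[p[1]] = true
				owners = append(owners, p[1])
			}
		}
	}
	return owners
}

// Hijackable lists the owners for which accountExists reports false
// (in practice: does https://github.com/<owner> return 404?); the lookup is injected so the check runs offline.
func Hijackable(gomod string, accountExists func(owner string) bool) (gone []string) {
	for _, o := range GitHubOwners(gomod) {
		if !accountExists(o) {
			gone = append(gone, o)
		}
	}
	return gone
}

func main() {
	fmt.Println(Hijackable(sampleGoMod, func(o string) bool { return o != "milosgajdos83" })) // constructed lookup
}
```

For a real run, replace the constructed lookup with an HTTP request to the profile URL of each owner. Note that a go.sum entry and the Go checksum database make a swapped repository fail verification at the already pinned version; the exposure is when the dependency is upgraded or go.sum is regenerated.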
Please note that, as part of the disclosure for this vulnerability, we are
contacting many different projects directly; as such, it is possible that this
instance of the vulnerability is a false positive. Feel free to contact me if
you have any further questions.
Thank you,
Indiana Moreau