A vulnerability has been identified within the GitRoot executors system. Under specific conditions, it is possible for a malicious actor to execute unauthorized commands on the host machine. Given the complexity of the required conditions, this vulnerability is not easily exploitable in a standard production environment.
The vulnerability stems from the way executors validate commands defined by plugins. Currently, a plugin can declare a benign command in its manifest (e.g., cat), but execute an arbitrary command during runtime (e.g., rm -rf data/). GitRoot currently lacks a strict enforcement mechanism to verify that the executed binary matches the declared command.
The level of risk depends on your infrastructure configuration:
bareMetal or ssh executors.bubblewrap or container isolation (as the sandbox significantly limits the potential impact on the host).Exploitability Constraints: This vulnerability is not a “remote code execution” flaw in the traditional sense. Exploitation requires:
.gitroot/plugins.yml into the default branch.Currently, creating plugins is undocumented, and the only known plugin using executors is hop. Since any modification to .gitroot/plugins.yml requires a merge into the default branch, a standard code review process should easily detect and prevent such malicious entries.
If you cannot wait for the 0.4.0 release, we recommend applying the following measures:
None.bwrap or container..gitroot/plugins.yml, specifically focusing on authorized system commands.This vulnerability will be fully addressed in version 0.4.0. We have decided not to release an intermediate 0.3.1 patch, as the attack vector relies on an “insider” or “compromised account” scenario that is effectively mitigated by standard code review practices.
Transparency and security are core values at GitRoot. If you discover any other potential vulnerabilities or have questions regarding this report, please contact us directly at contact@gitroot.dev.