# Security Advisory: Executor Command Injection

## 1. Executive Summary

A vulnerability has been identified within the GitRoot **executors** system. Under specific conditions, it is possible for a malicious actor to execute unauthorized commands on the host machine. Given the complexity of the required conditions, this vulnerability is not easily exploitable in a standard production environment.

- **Severity:** Moderate
- **Affected Version:** 0.3.0
- **Fix Status:** Scheduled for version 0.4.0

## 2. Technical Details

The vulnerability stems from the way executors validate commands defined by plugins. Currently, a plugin can declare a benign command in its manifest (e.g., `cat`), but execute an arbitrary command during runtime (e.g., `rm -rf data/`). GitRoot currently lacks a strict enforcement mechanism to verify that the executed binary matches the declared command.
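
As an added illustration (not GitRoot's own code; the manifest shape, the `TRUSTED_BIN` table and the function names are assumptions made for this example), the check below shows the enforcement this advisory describes as missing: the binary an executor is asked to run must be one the plugin declared, and it is pinned to a trusted absolute path so that a look-alike binary such as `./cat` shipped by the plugin is refused as well. A `sh -c "..."` wrapper is rejected for the same reason unless the plugin declared `sh`.

```python
"""Enforce that a plugin's runtime command matches its declared manifest.

Added example, not GitRoot's own code. The manifest shape and the trusted
binary table are assumptions made for the illustration.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
import shlex


@dataclass(frozen=True)
class PluginManifest:
    name: str
    commands: frozenset  # binaries the plugin declared it needs, e.g. {"cat"}


class CommandNotDeclared(PermissionError):
    """Raised when the executor is asked to run something the manifest did not declare."""


# Constructed table: where the executor host expects each declared binary to
# live. A real executor would resolve this against a fixed, trusted PATH.
TRUSTED_BIN = {
    "cat": "/usr/bin/cat",
    "grep": "/usr/bin/grep",
}


def validate_command(manifest: PluginManifest, argv: list, trusted_bin=TRUSTED_BIN) -> list:
    """Return argv with argv[0] pinned to its trusted path, or raise.

    Rejects: empty commands, binaries outside the declared set, and any path
    that is not exactly the trusted location (so ./cat or /tmp/cat, which
    would let a plugin smuggle its own binary under a declared name, are
    refused too). sh -c "..." is refused unless the plugin declared sh.
    """
    if not argv:
        raise CommandNotDeclared(f"{manifest.name}: empty command")
    requested = argv[0]
    name = PurePosixPath(requested).name  # "/usr/bin/cat" -> "cat"
    if name not in manifest.commands:
        raise CommandNotDeclared(
            f"{manifest.name}: {name!r} not declared (declared: {sorted(manifest.commands)})"
        )
    trusted_path = trusted_bin.get(name)
    if trusted_path is None:
        raise CommandNotDeclared(f"{manifest.name}: no trusted location known for {name!r}")
    if requested not in (name, trusted_path):
        raise CommandNotDeclared(
            f"{manifest.name}: {requested!r} is not the trusted binary {trusted_path!r}"
        )
    return [trusted_path, *argv[1:]]


def is_allowed(manifest: PluginManifest, command_line: str) -> bool:
    """Convenience wrapper: does this shell-style command line pass the check?"""
    try:
        validate_command(manifest, shlex.split(command_line))
    except CommandNotDeclared:
        return False
    return True


def run_plugin_command(manifest: PluginManifest, command_line: str, runner):
    """Validate first, then hand the pinned argv to the executor backend (`runner`)."""
    argv = validate_command(manifest, shlex.split(command_line))
    return runner(argv)


if __name__ == "__main__":
    # Constructed manifest: a plugin that declared only `cat`.
    manifest = PluginManifest(name="example-plugin", commands=frozenset({"cat"}))
    for line in ("cat README.md", "rm -rf data/", 'sh -c "cat x; rm -rf data/"', "./cat README.md"):
        verdict = "allowed" if is_allowed(manifest, line) else "REJECTED"
        print(f"{line!r:40} -> {verdict}")
```

Matching on the basename alone would stop `rm` but not a plugin-supplied binary named `cat`; pinning to the trusted path closes that gap. On `bareMetal` or `ssh` executors a check of this kind is the only barrier between the plugin and the host, whereas `bubblewrap` or `container` isolation adds a second layer if the check is bypassed.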

## 3. Impact Analysis

The level of risk depends on your infrastructure configuration:

- **High Risk:** Users utilizing `bareMetal` or `ssh` executors.
- **Low Risk:** Users utilizing `bubblewrap` or `container` isolation (as the sandbox significantly limits the potential impact on the host).

**Exploitability Constraints:**
This vulnerability is not a "remote code execution" flaw in the traditional sense. Exploitation requires:

1. Installing a malicious plugin.
2. Having write access to the [default branch](../doc/technicals/default_branch.md) of the root repository.
3. Merging a malicious `.gitroot/plugins.yml` into the [default branch](../doc/technicals/default_branch.md).

Currently, creating plugins is undocumented, and the only known plugin using executors is `hop`. Since any modification to `.gitroot/plugins.yml` requires a merge into the [default branch](../doc/technicals/default_branch.md), a standard code review process should easily detect and prevent such malicious entries.

## 4. Immediate Mitigations

If you cannot wait for the 0.4.0 release, we recommend applying the following measures:

- **Disable Executors:** Set your forge configuration for executors to `None`.
- **Secure Executors:** Use more secure executors, such as `bwrap` or `container`.
- **Plugin Trust:** Only install and enable plugins from trusted sources.
- **Access Control:** Strictly monitor and review all changes to `.gitroot/plugins.yml`, paying particular attention to the system commands each plugin is authorized to run.

## 5. Patch Schedule

This vulnerability will be fully addressed in **version 0.4.0**.
We have decided not to release an intermediate 0.3.1 patch, as the attack vector relies on an "insider" or "compromised account" scenario that is effectively mitigated by standard code review practices.

## 6. Security Contact

Transparency and security are core values at GitRoot. If you discover any other potential vulnerabilities or have questions regarding this report, please contact us directly at [contact@gitroot.dev](mailto:contact@gitroot.dev).