3mo ago

Malicious code injection by compromised pull request branch names

github.com Discrepancy between what's in GitHub and what's been published to PyPI for v8.3.41 · Issue #18027 · ultralytics/ultralytics

Bug Code in the published wheel 8.3.41 is not what's in GitHub and appears to invoke mining. Users of ultralytics who install 8.3.41 will unknowingly execute an xmrig miner. Examining the file util...

14 comments

Presumably they picked the repo because it will auto-merge MRs if they pass testing even without human approvals. Glad they caught it and good work to everyone involved, but I'm gonna file this one under my "fuck around, find out" folder.

Where's the code that doesn't quote this properly? I'm guessing it's Bash.
- Ding ding ding! We have a winner!
  It's a third-party GitHub Action that is passing the branch name directly to Bash. So to be clear, not GitHub's fault.

This is why Bobby Tables mom needs her Github account suspended.....
- On an unrelated note, don't forget to sanitize your input.

I never considered branch names to be a vector, but in hindsight it makes total sense when put into a workflow like that. What possibly surprised me even more, was that branch names weren't limited to basic characters or at least no special signs. I obviously see the case for all the extended characters outside the latin alphabet, such as Chinese characters, but I totally expected restrictions on special symbols like ", ', /, \, ;, etc.
- / is used to separate the same branch in different repos. For example origin/main and remote/main. Surprising that the other stuff is legal though
  
  You can still freely use / in branch names. Having remote branches available as remote/branch is just a convenience, and you can delete or modify them locally. It’s common to use / in branch names, too.
  
  That's true, i didn't think about that when I wrote it.
  I'm used to the world being pretty simple though, so for me that slash has always just been a visual representation of the location of the branch if that makes sense. We don't have to have a slash in the branch name, only to use it to represent where that branch is located. It could have been something git only used for presentation.

Terrible title, I thought it was a vulnerability in git.
- Pull requests are not a feature of git, you probably thought they were?
  
  Yup, pull requests are an invention from git's servers (I think github came up with that first). The built in way (famously used by the linux kernel) is git-send-email.

14 comments