Threat Feed advisory (severity: high)

gix Submodule Path Traversal and Credential Disclosure

A flaw in gix's submodule name validation allows path traversal through a crafted .gitmodules file. Combined with a trust-inheritance defect in Submodule::open(), it lets a malicious repository cause the opening of another git repository's configuration, credentials included, as a fully trusted repository.

A path traversal vulnerability exists in the gix library and affects applications that use git submodules. It stems from inadequate validation of submodule names: an attacker can craft a .gitmodules file whose submodule name contains directory traversal sequences (e.g., ../) that the check fails to reject. The problem is amplified by a trust-inheritance issue, in which a submodule repository inherits the git_dir_trust setting of its parent and so bypasses the ownership checks that would normally apply to a repository at an unexpected location. Successful exploitation lets an attacker cause the application to read sensitive configuration, potentially including credentials, from git directories outside the intended .git/modules/ tree. This vulnerability affects gix versions prior to 0.83.0 and gix-validate versions 0.10.0 and earlier.

Attack Chain

  1. An attacker crafts a malicious git repository whose .gitmodules file contains a submodule name with path traversal sequences (e.g., x..y/../../..), chosen so that the first .. is not a whole path component and the flawed check accepts it.
  2. A victim clones the attacker's repository with a tool built on the vulnerable gitoxide library (gix).
  3. The victim's tool iterates over the submodules, for example through API calls such as Submodule::open() or Submodule::status().
  4. Submodule::git_dir(), relying on the insufficient validation, builds a path that traverses out of the intended .git/modules/<name> directory (e.g., resolving to the superproject's own .git/ directory rather than a directory beneath .git/modules/).
  5. open_opts() is called with Trust::Full inherited from the parent repository, so ownership checks on the traversed location are skipped.
  6. The library opens the traversed path (e.g., the parent's .git/config) as a trusted repository.
  7. Sensitive configuration values are now in scope for the application, such as remote.origin.url, http.extraHeader (which may carry tokens), credential.* sections, and core.sshCommand.
  8. These values are exposed through ordinary API calls such as repo.config_snapshot().string("http.extraHeader"); whether they reach the attacker depends on what the application then does with the submodule's configuration (for example, using it to contact a remote).
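The following is an added example written for this page; it is not code from gitoxide and does not use the gix API. It reconstructs the class of check described above (a validator that inspects only the first occurrence of ".." in a submodule name) next to a hardened validator that rejects any ".." component, and lexically resolves `<git_dir>/modules/<name>` to show where the traversing name lands. The function and type names, the sample names, and the assumption that the flawed check looked only at the first ".." are mine.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a submodule name was rejected (hypothetical error type for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum NameError {
    Empty,
    ParentComponent,
}

/// Git accepts both separators on Windows, so the checks treat both as separators.
fn is_sep(b: u8) -> bool {
    b == b'/' || b == b'\\'
}

/// Offset of the first occurrence of `needle` in `haystack`.
fn find(haystack: &[u8], needle: &[u8]) -> Option<usize> {
    haystack.windows(needle.len()).position(|w| w == needle)
}

/// Flawed check (a reconstruction, assumed here): it looks only at the FIRST ".."
/// in the name and asks whether that one is a whole path component. A name such
/// as "x..y/../../.." passes because its first ".." sits inside "x..y".
pub fn validate_first_dotdot_only(name: &[u8]) -> Result<&[u8], NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    if let Some(pos) = find(name, b"..") {
        // End of string counts as a separator: a trailing ".." is a parent component.
        let after_is_sep = name.get(pos + 2).map_or(true, |&b| is_sep(b));
        let before_is_sep = pos == 0 || is_sep(name[pos - 1]);
        if after_is_sep && before_is_sep {
            return Err(NameError::ParentComponent);
        }
    }
    Ok(name)
}

/// Hardened check: split on both separators and reject if ANY component is "..".
pub fn validate_all_components(name: &[u8]) -> Result<&[u8], NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    if name.split(|&b| is_sep(b)).any(|component| component == b"..") {
        return Err(NameError::ParentComponent);
    }
    Ok(name)
}

/// Lexically resolve `<git_dir>/modules/<name>`, as a join followed by
/// normalisation would, and report whether the result has left `<git_dir>/modules`.
pub fn module_dir_escapes(git_dir: &str, name: &str) -> (PathBuf, bool) {
    let modules = Path::new(git_dir).join("modules");
    let mut resolved = modules.clone();
    for component in Path::new(name).components() {
        match component {
            Component::ParentDir => {
                resolved.pop();
            }
            Component::Normal(c) => resolved.push(c),
            Component::CurDir | Component::RootDir | Component::Prefix(_) => {}
        }
    }
    let escapes = !resolved.starts_with(&modules);
    (resolved, escapes)
}

fn main() {
    // Constructed submodule names: two benign, one obvious, one that defeats the flawed check.
    for name in ["vendor/lib", "a/b", "../evil", "x..y/../../.."] {
        let (resolved, escapes) = module_dir_escapes(".git", name);
        println!(
            "{name:16} first-only: {:<22} all-components: {:<22} resolves to {:?}{}",
            format!("{:?}", validate_first_dotdot_only(name.as_bytes()).map(|_| "ok")),
            format!("{:?}", validate_all_components(name.as_bytes()).map(|_| "ok")),
            resolved,
            if escapes { "  <- outside .git/modules" } else { "" }
        );
    }
}
```

With git_dir set to .git, the name x..y/../../.. passes the first-occurrence check and resolves three levels up from .git/modules/x..y, i.e. to the superproject itself, while the component-wise check rejects it; that difference, not the ownership check that Trust::Full later skips, is the entry point of the chain.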

Impact

Successful exploitation lets an attacker cause the vulnerable application to read sensitive configuration from git repositories reachable from the traversed path. That includes credentials such as tokens embedded in remote URLs or HTTP headers, the SSH key paths or commands referenced by core.sshCommand, and other sensitive settings. The impact is high because such credentials enable lateral movement and further compromise within the victim's environment. This is similar to GHSA-7w47-3wg8-547c.

Recommendation

  • Upgrade gix to 0.83.0 or later, and gix-validate to a release newer than 0.10.0, to pick up both the validation fix and the trust-inheritance fix; rebuild and redeploy any tool that links the affected crates.
  • Where a git CLI is invoked by the tool, alert on process-creation events in which a git submodule command carries a path containing a .. component. Note that gix performs these operations in-process without spawning git, so such a rule will not observe the exploitation path itself; complementary coverage is to scan cloned .gitmodules files for submodule names that contain a .. path component, which is exactly the input the flawed check in gix-validate/src/submodule.rs failed to reject.
  • Deploy the Sigma rule "Detect Git Submodule Path Traversal" to identify attempts that do surface in command lines (see the rules section below).

Detection coverage (2 rules)

Detect Git Submodule Path Traversal

high

Detects command line arguments indicative of path traversal attempts within git submodule operations.

Sigma; tactics: credential_access, initial_access; techniques: T1190; sources: process_creation, windows

Suspicious gix process with Trust::Full

medium

Detects processes belonging to tools built on the gix library that may inherit Trust::Full from a parent repository. Note that Trust::Full is an in-process API option and never appears on a command line, so this rule can only flag known gix-based binaries, not the trust setting itself; treat it as low-fidelity context rather than evidence of exploitation.

Sigma; tactics: privilege_escalation; techniques: T1068; sources: process_creation, windows
