Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch gh (go-gh in vendor directory) to fix CVE-2024-53859 #11816

Open
wants to merge 2 commits into
base: 3.0-dev
Choose a base branch
from
+82 −3
Open

Patch gh (go-gh in vendor directory) to fix CVE-2024-53859 #11816

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
33c91f9
Fix CVE-2024-53859 by applying the patch in the vendor directory for …
cyberbandya007 Jan 8, 2025
6718057
Updated comments to make them more generic.
cyberbandya007 Jan 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions SPECS/gh/CVE-2024-53859.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
From 5d6079f8ad16f553cdaea1d56fedcb4a3a1db082 Mon Sep 17 00:00:00 2001
From: William Martin <[email protected]>
Date: Thu, 31 Oct 2024 14:07:48 +0100
Subject: [PATCH] Fix token exposure for non-gh hosts in codespaces

This commit introduces a fix for `GITHUB_TOKEN` being exposed to non-github hosts while in a codespace. We no longer return the `GITHUB_TOKEN` for any host except github.com and github.localhost while in a codespace (while the env var `CODESPACES` is `true`).

This commit also changes how tokens are returned when no oAuth token is found in a config. Previously, an empty string and the `oauthToken` source was returned. Now, we return an empty string and the `defaultSource` source. The intention behind this change is to make more logical sense by not returning an `oauthToken` source when we didn't get any token. It's also worth mentioning that this change also improves our test coverage - all lines in `tokenForHost` are now covered by tests, and we don't have unreachable code.

Co-authored-by: Kynan Ware <[email protected]>

Modified patch to apply to AzureLinux
Modified-by: Sandeep Karambelkar <[email protected]>
---
pkg/auth/auth.go | 27 ++++++++----
1 file changed, 91 insertions(+), 33 deletions(-)

diff --git a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
index a903736..4378e75 100644
--- a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
+++ b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
@@ -63,6 +63,15 @@ func TokenFromEnvOrConfig(host string) (string, string) {

func tokenForHost(cfg *config.Config, host string) (string, string) {
host = NormalizeHostname(host)
+
+ if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces {
+ if host == github || host == localhost {
+ if token := os.Getenv(githubToken); token != "" {
+ return token, githubToken
+ }
+ }
+ }
+
if IsEnterprise(host) {
if token := os.Getenv(ghEnterpriseToken); token != "" {
return token, ghEnterpriseToken
@@ -70,25 +79,25 @@ func tokenForHost(cfg *config.Config, host string) (string, string) {
if token := os.Getenv(githubEnterpriseToken); token != "" {
return token, githubEnterpriseToken
}
- if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces {
- if token := os.Getenv(githubToken); token != "" {
- return token, githubToken
- }
- }
if cfg != nil {
- token, _ := cfg.Get([]string{hostsKey, host, oauthToken})
- return token, oauthToken
+ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" {
+ return token, oauthToken
+ }
}
+ return "", defaultSource
}
+
if token := os.Getenv(ghToken); token != "" {
return token, ghToken
}
if token := os.Getenv(githubToken); token != "" {
return token, githubToken
}
+
if cfg != nil {
- token, _ := cfg.Get([]string{hostsKey, host, oauthToken})
- return token, oauthToken
+ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" {
+ return token, oauthToken
+ }
}
return "", defaultSource
}
13 changes: 10 additions & 3 deletions SPECS/gh/gh.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.62.0
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -15,6 +15,7 @@ Source1: %{name}-%{version}-vendor.tar.gz

Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch
Patch1: CVE-2024-54132.patch
Patch2: CVE-2024-53859.patch
BuildRequires: golang < 1.23
BuildRequires: git
Requires: git
Expand All @@ -25,10 +26,13 @@ Requires: git
GitHub official command line tool.

%prep
%autosetup -p1 -n cli-%{version}
# Don't patch during setup as we might need to apply patch to vendor package.
%autosetup -N -n cli-%{version}
# Untar vendor packages so that patches on the vendor packages can be applied during autopatch.
tar --no-same-owner -xf %{SOURCE1}
%autopatch -p1

%build
tar --no-same-owner -xf %{SOURCE1}
export GOPATH=%{our_gopath}
# No mod download use vednor cache locally
export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
Expand Down Expand Up @@ -57,6 +61,9 @@ make test
%{_datadir}/zsh/site-functions/_gh

%changelog
* Wed Jan 08 2025 Sandeep Karambelkar <[email protected]> - 2.62.0-3
- Patch CVE-2024-53859

* Fri Dec 13 2024 Sandeep Karambelkar <[email protected]> - 2.62.0-2
- Patch CVE-2024-54132

Expand Down
Loading