GHSA-hpcg-xjq5-g666: Minder affected by denial of service from maliciously configured Git repository
Minder’s Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users’ repositories using the github.com/go-git/go-git/v5
library on these lines:
The Git provider does the following on these lines:
First, it sets the CloneOptions, specifying the URL, the depth, etc.:
It then validates the options:
It then sets up an in-memory filesystem, to which it clones:
Finally, it clones the repository:
This (g *Git) Clone() method is vulnerable to a DoS attack: a Minder user can instruct Minder to clone a large repository, which will exhaust memory and crash the Minder server. The root cause of this vulnerability is a combination of the following conditions:
- Users can control the Git URL which Minder clones.
- Minder does not enforce a size limit on the repository.
- Minder clones the entire repository into memory.
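The first two conditions can be addressed with a preflight check before any clone is attempted. The following is an added example, not Minder's own code: it rejects clone URLs whose host is not on an allowlist and refuses repositories whose provider-reported size exceeds a budget. It assumes the repository metadata is the JSON returned by GitHub's "get a repository" endpoint, where `size` is reported in kilobytes; the sample metadata below is constructed, and no network call is made.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// repoMeta holds the one field we need from a GitHub repository record.
// GitHub reports "size" in kilobytes.
type repoMeta struct {
	Size int64 `json:"size"`
}

// checkCloneAllowed is a preflight gate for a user-supplied clone URL.
// allowedHosts lists the Git providers the service will clone from and
// maxKB is the largest repository it is willing to fetch into memory.
// metaJSON is the provider's metadata for the repository (assumed to have
// been fetched by the caller before calling this function).
func checkCloneAllowed(rawURL string, metaJSON []byte, allowedHosts map[string]bool, maxKB int64) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("invalid clone URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("only https clone URLs are accepted")
	}
	if !allowedHosts[u.Hostname()] {
		return fmt.Errorf("host %q is not an allowed Git provider", u.Hostname())
	}
	var meta repoMeta
	if err := json.Unmarshal(metaJSON, &meta); err != nil {
		return fmt.Errorf("cannot parse repository metadata: %w", err)
	}
	if meta.Size > maxKB {
		return fmt.Errorf("repository size %d KB exceeds limit of %d KB", meta.Size, maxKB)
	}
	return nil
}

func main() {
	hosts := map[string]bool{"github.com": true}
	// Constructed sample metadata: a ~20 GB repository and a 4 MB one.
	huge := []byte(`{"size": 20000000}`)
	small := []byte(`{"size": 4096}`)
	fmt.Println(checkCloneAllowed("https://github.com/example/big.git", huge, hosts, 512*1024))
	fmt.Println(checkCloneAllowed("https://github.com/example/small.git", small, hosts, 512*1024))
}
```

The reported size is advisory (it can lag behind pushes), so this gate does not replace a hard cap on the bytes actually written during the clone, which is what the third condition above calls for.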