GHSA-p3hx-pwf3-j8wr
Nautobot: GitRepository.current_head field should not be writable through REST API
Details
### Impact
A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified `branch` (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the `current_head` pointing to a nonexistent commit hash or malformed value.
### Patches
The issue has been remediated in Nautobot v2.4.33 and 3.1.2.
### Workarounds
Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the `branch` or `remote_url` of a GitRepository rather than crafting the `current_head`. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records.
### References
- 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609">patch</a>) - 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3">patch</a>)
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr [WEB]
- https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609 [WEB]
- https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3 [WEB]
- https://github.com/nautobot/nautobot [PACKAGE]
- https://github.com/nautobot/nautobot/releases/tag/v2.4.33 [WEB]
- https://github.com/nautobot/nautobot/releases/tag/v3.1.2 [WEB]