GHSA-v725-9546-7q7m
go-git has an Argument Injection via the URL field
Details
### Impact An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.
### Affected versions Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.
### Workarounds In cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.
## Credit Thanks to @vin01 for responsibly disclosing this vulnerability to us.
Are you affected?
Enter the version of the package you're using.
Affected packages
4.0.0 No fixed version published yet for gopkg.in/src-d/go-git.v4 (go modules). Pin to a known-safe version or switch to an alternative.
0 Fixed in: 5.13.0 go get github.com/go-git/go-git/v5@v5.13.0