GHSA-p3hx-pwf3-j8wr
Nautobot: GitRepository.current_head field should not be writable through REST API
상세
### Impact
A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified `branch` (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the `current_head` pointing to a nonexistent commit hash or malformed value.
### Patches
The issue has been remediated in Nautobot v2.4.33 and 3.1.2.
### Workarounds
Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the `branch` or `remote_url` of a GitRepository rather than crafting the `current_head`. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records.
### References
- 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609">patch</a>) - 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3">patch</a>)
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr [WEB]
- https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609 [WEB]
- https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3 [WEB]
- https://github.com/nautobot/nautobot [PACKAGE]
- https://github.com/nautobot/nautobot/releases/tag/v2.4.33 [WEB]
- https://github.com/nautobot/nautobot/releases/tag/v3.1.2 [WEB]