Lack of data validation - Path Traversal In gitoxide
Description
gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
Summary
attachments: pocs.zip
Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as:
<superproject common_dir>/modules/<submodule name>
Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git escapes .git/modules after normalization. The current implementation then uses that escaped path in both state() and open().
The updated PoC demonstrates the real sink, not just string construction:
state() reports repository_exists=true for the traversed path;
open() returns a repository whose normalized common_dir() matches the attacker-chosen repository outside .git/modules.
Root cause analysis
The relevant flow is:
gix-submodule/src/access.rs exposes unvalidated submodule names from configuration.
gix/src/submodule/mod.rs derives the git directory by doing common_dir().join("modules").join(name) with no confinement check.
gix/src/submodule/mod.rs uses that derived path during state resolution and repository opening.
There is no normalization-and-confinement step between “submodule name from configuration” and “filesystem path used for repository existence checks / open.” As a result, traversal segments in the submodule name directly influence which repository path is inspected and opened.
Reproduce steps
Use the attached PoC zip that contains the pocs/ workspace.
Unzip the PoC archive.
Enter pocs/F002.
Run:
cargo run --quiet
Compare the output with pocs/F002/result.txt.
Key outputs are:
submodule_name=../../../escaped-target.git
derived_git_dir_raw=.../.git/modules/../../../escaped-target.git
derived_git_dir_normalized=.../artifacts/escaped-target.git
escaped_target=.../artifacts/escaped-target.git
repository_exists=true
submodule_opened=true
opened_common_dir_normalized=.../artifacts/escaped-target.git
normalized_git_dir_matches_target=true
opened_common_dir_matches_target=true
target_outside_modules_root=true
These outputs show that gitoxide is not only constructing a traversable path string. It is actually using the escaped path for repository existence checks and for opening a repository object.
Impact
Confirmed impact:
a malicious submodule name can redirect submodule state inspection away from .git/modules/<name> to an attacker-chosen repository path outside .git/modules;
Submodule::state() can report repository existence for the wrong repository;
Submodule::open() can return a repository object backed by that attacker-chosen path.
This is best described as a path-traversal / repository-confusion issue in submodule repository resolution.
This report does not claim command execution from this behavior alone. The demonstrated impact is repository redirection: callers that enumerate, inspect, or operate on submodules can be steered into using the wrong repository.
Recommended fix
Two complementary fixes are advisable:
do not reuse raw submodule names as filesystem path fragments;
either use a validated/sanitized name for filesystem derivation,
or derive the storage path from a safe identifier instead of the user-controlled name;
add an explicit confinement check after path derivation;
normalize or canonicalize the candidate path,
verify that the result stays under <common_dir>/modules,
reject names that contain traversal segments, path separators, or any representation that can escape the modules root.
In short, submodule names may remain opaque configuration identifiers, but they should not be treated as trusted filesystem subpaths.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 cargo | gitoxide | 0.52.1 | |
cargo | gix | 0.83.0 |
Aliases
References