Insecure functionality In gogs.io/gogs
Description
Gogs: Release tag option injection in release deletion
Summary
There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
Affected Component
internal/database/release.go
process.ExecDir(..., "git", "tag", "-d", rel.TagName)
Details
rel.TagName is used as a CLI argument to git tag -d without -- or --end-of-options.
If the tag name begins with -, Git parses it as a flag.
The prior mitigation is incomplete. There is path sanitization in place during creation:
internal/database/release.go
r.TagName = strings.TrimLeft(r.TagName, "-")
But it only covers one creation path and does not reliably protect tag deletions, such as tags added through git push or ref updates.
Exploit Conditions
An attacker can add a tag name that starts with a dash into the repository.
A user with permission to delete releases triggers it through the web UI or API.
Recommended Fix
Add end-of-options in release deletion:
git tag -d -- <tagName>
It is better to use the safe git-module deletion helper since it handles options properly.
All Git commands should be audited for user input, ensuring that the end-of-options separator is always used.
Impact
Option injection into git tag -d
Tag/release deletion can fail or behave unexpectedly
Operational denial of service in release cleanup workflows
Potential release metadata inconsistency
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 0.14.2 |
Aliases
References