URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system.
Impact
The vcs package uses the underly version control system, in this case hg, to implement the needed functionality. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Other version control systems with an implemented interface may also be vulnerable.
Patches
The issue has been fixed in version 1.13.2.
Workarounds
A work around is to sanitize data passed to the vcs package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.
For more information
If you have any questions or comments about this advisory please file an issue.
dellalibera Analyst
URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system.
Impact
The
vcspackage uses the underly version control system, in this casehg, to implement the needed functionality. Whenhgis executed, argument strings are passed tohgin a way that additional flags can be set. The additional flags can be used to perform a command injection.Other version control systems with an implemented interface may also be vulnerable.
Patches
The issue has been fixed in version 1.13.2.
Workarounds
A work around is to sanitize data passed to the
vcspackage APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.For more information
If you have any questions or comments about this advisory please file an issue.