Lucene search

K
silentrobotsSilent Robot Systems blogSILENTROBOTS:FC79DEE8B3729FE529F4CD29DD5773C6
HistoryOct 06, 2014 - 4:00 a.m.

Searching Through Git Commits

2014-10-0604:00:00
Silent Robot Systems blog
www.silentrobots.com
152

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

68.0%

gumbler is a script I wrote to search through git commits. Examples from github are discussed below.

.gitignore

A gitignore file is used to specify files that should not be tracked by git (source gitignore). In the default case, gumbler will read the gitignore file for the project and search every revision for a case where a file from gitignore was committed. Possible use cases would be as a pen tester looking for reconnaisance data (e.g. developer usernames/passwords, staging hosts/services, etc.) or a developer to verify projects did not previously commit “secret” data.

I am a big fan of what Netflix is doing with regards to open source and security. After looking through a number of their projects, I noticied Priam has a few commits with non-damaging files from the gitignore.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

|

$. git clone https://github.com/Netflix/Priam.git
Cloning into 'Priam'...
....
Checking connectivity... done.
$. ruby gumbler/gumbler.rb Priam/ gumbler_testing/tmp/
|-| Jumping to remote @directory Priam/
|-| Storing every revision
checking for *.com..
checking for *.class..
.....
|+| Looking for .classpath, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .classpath. Storing it in gumbler_testing/tmp/.
|+| Looking for .classpath, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .classpath. Storing it in gumbler_testing/tmp/.
|+| Looking for .classpath, Found it in BRANCH : 442862d4a8d4d18d0e176ded8795dd45a24528fc .classpath. Storing it in gumbler_testing/tmp/.
....
checking for .project..
|+| Looking for .project, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .project. Storing it in gumbler_testing/tmp/.
|+| Looking for .project, Found it in BRANCH : 0941d9e0e0dda3ee1d9d4dda757d59ffb641abcf .project. Storing it in gumbler_testing/tmp/.
|+| Looking for .project, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .project. Storing it in gumbler_testing/tmp/.
....
checking for .settings..
....  

—|—

.classpath or .project are not damaging in this case and, hence, are used as the example. On a pen test or in collaborative projects I have found much worse (cough usernames, passwords). This shouldn’t be that surprising.

Searching Commit Logs

Another use case for gumbler is to look through commit history. Using Ruby on Rails as an example, we can search from for any commit with “CVE” in it. Gumbler will output a diff from the files changed in the commit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

|

$. ruby gumbler/gumbler.rb --grep CVE rails/ tmp/
|!| skipping .gitignore, searching commit log for CVE
$. ls tmp/
060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15:13:03_-0700.diff  88cc1688d0cb828c17706b41a8bd27870f2a2beb-2013-01-08_12:11:18_-0800.diff
08d0a11a3f62718d601d39e617c834759cf59bbb-2014-02-18_15:38:50_-0300.diff  8be6913990c30f63618173da722148892348dcc9-2013-03-15_17:45:53_-0700.diff
0b58a7ff420d7ef4b643c521a62be7259dd2f5cb-2011-02-08_14:21:12_-0800.diff  8e577fe560d5756fcc67840ba304d79ada6804e4-2013-01-08_12:41:24_-0800.diff
0c7ac34aed1845044cd1911e5a775366d7ca41c1-2013-12-02_16:42:16_-0800.diff  9340f89849606dba02f44038171f3837f883fd4e-2012-05-30_15:09:13_-0700.diff
2392535f4085d88186097e3c23414e958fb1d16d-2013-03-18_10:17:32_-0700.diff  93fb4c1e62dc9605eecbfaffda2becc85890fa5f-2014-07-10_10:20:16_-0700.diff
...
$. cat 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15\:13\:03_-0700.diff 
060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30 15:13:03 -0700==> 2012-05-30 15:13:03 -0700 Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! Strip [nil] from parameters hash.
Thanks to Ben Murphy for reporting this!

CVE-2012-2660


:100644 100644 aa5ba3e... 6757a53... M    actionpack/lib/action_dispatch/http/request.rb
:100644 100644 c3f009a... 6ea66f9... M    actionpack/test/dispatch/request/query_string_parsing_test.rb

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index aa5ba3e..6757a53 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
....  

—|—

As the README says, be careful using the tool as it uses Command Execution to search. A malicious git project could take advantage of this. Ping me with better ways to handle this.

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

68.0%

Related for SILENTROBOTS:FC79DEE8B3729FE529F4CD29DD5773C6