+ "details": "### Summary\n\nThere is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.\n\n### Affected Component\n\n - internal/database/release.go\n `process.ExecDir(..., \"git\", \"tag\", \"-d\", rel.TagName)`\n\n### Details\n\n `rel.TagName` is used as a CLI argument to `git tag -d` without `--` or `--end-of-options`.\n If the tag name begins with `-`, Git parses it as a flag.\n\n The prior mitigation is incomplete. There is path sanitization in place during creation:\n\n - internal/database/release.go\n `r.TagName = strings.TrimLeft(r.TagName, \"-\")`\n\n But it only covers one creation path and does not reliably protect tag deletions, such as tags added through `git push` or ref updates.\n\n**Exploit Conditions**\n1. An attacker can add a tag name that starts with a dash into the repository.\n2. A user with permission to delete releases triggers it through the web UI or API.\n\n### Recommended Fix\n\n1. Add end-of-options in release deletion:\n - `git tag -d -- <tagName>`\n2. It is better to use the safe git-module deletion helper since it handles options properly.\n3. All Git commands should be audited for user input, ensuring that the end-of-options separator is always used.\n\n### Impact\n - Option injection into `git tag -d`\n - Tag/release deletion can fail or behave unexpectedly\n - Operational denial of service in release cleanup workflows\n - Potential release metadata inconsistency",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments