Authenticated RCE via Argument Injection in Gogs Rebase Merg...#299

Open
carlospolop wants to merge 1 commit into master from update_Authenticated_RCE_via_Argument_Injection_in_Gogs_R_20260528_154851

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Rapid7 Labs disclosed an unfixed critical authenticated remote code execution vulnerability in Gogs, a self-hosted Git service written in Go. The bug is a CWE-88 argument injection issue in the pull request merge flow when the repository option Rebase before merging is enabled. Rapid7 rates it as CVSSv4 9.4 Critical. At publication time, the vendor had not released a patch.

Affected versions confirmed ...

🔧 Technical Details

Git option injection through branch names: if an application passes user-controlled Git refs directly to Git commands without `--` or `--end-of-options`, a branch name beginning with `--` can be interpreted as a command-line option instead of data. Validation with `git rev-parse --verify <ref>` is not enough, because an attacker can first create a real ref named like an option, such as `--exec=<payload>`, making validation succeed while later unsafe command invocations parse the same value as an option.

Abusing `git rebase --exec` for RCE: `git rebase` supports `--exec=<cmd>`, which runs the supplied command through `sh -c` after replaying commits. If an attacker-controlled base branch is passed as `git rebase --quiet <baseBranch> <headBranch>`, a branch named `--exec=touch${IFS}/tmp/rce_proof` ...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-ci-cd/gogs-security/README.md
  • src/SUMMARY.md

What I added:

  • New Gogs Security page
  • Technique-focused content on:
    • Git option injection via branch/ref names
    • Why `git rev-parse --verify` is insufficient
    • Abusing `git rebase --exec` for RCE
    • `${IFS}` / base64 payload shaping
    • Windows-safe staged payload delivery
    • PR mergeability / state-machine abuse
    • Practical hunting artifacts

Validation:

  • Confirmed the new page is linked from SUMMARY.md
  • Confirmed required banner placement and file structure
  • mdbook build could not be run because mdbook is not installed in this environment (mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
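
Added example (not part of this PR, the bot's output, or Gogs' code): a Go sketch of the argument-handling point from the technical details above, contrasting the `git rebase --quiet <baseBranch> <headBranch>` argv with one that rejects dash-led refs and inserts `--end-of-options`. The function names, the branch names `main` and `feature`, and the simplified option-parsing model are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeRebaseArgs mirrors the pattern described above: refs follow the options with no marker.
func unsafeRebaseArgs(base, head string) []string {
	return []string{"rebase", "--quiet", base, head}
}

// validateRef checks the string itself; `git rev-parse --verify` only confirms the ref exists.
func validateRef(ref string) error {
	if ref == "" || strings.HasPrefix(ref, "-") {
		return fmt.Errorf("ref %q is empty or begins with '-'", ref)
	}
	return nil
}

// safeRebaseArgs validates both refs and adds --end-of-options before them.
func safeRebaseArgs(base, head string) ([]string, error) {
	for _, r := range []string{base, head} {
		if err := validateRef(r); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--quiet", "--end-of-options", base, head}, nil
}

// parsedAsOptions is a simplified model (an assumption, not git's code): after the
// subcommand, arguments starting with '-' count as options until "--" or "--end-of-options".
func parsedAsOptions(argv []string) []string {
	var opts []string
	for _, a := range argv[1:] {
		if a == "--" || a == "--end-of-options" {
			break
		}
		if strings.HasPrefix(a, "-") {
			opts = append(opts, a)
		}
	}
	return opts
}

func main() {
	base := "--exec=<payload>" // constructed ref name; placeholder as written in the text above
	_, err := safeRebaseArgs(base, "feature")
	fmt.Println(parsedAsOptions(unsafeRebaseArgs(base, "feature")), err)
}
```

The two controls are independent: the syntactic check stops the ref before any command is built, and the marker keeps a ref that slipped past validation from being read as an option.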

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed

Content Categories: Based on the analysis, this content was categorized under "Pentesting CI/CD > Gogs Security > Authenticated RCE via Git rebase argument injection".

Repository Maintenance:

  • MD Files Formatting: 586 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
