Summary
There is an argument injection issue in Gogs: when a release is deleted, the user-controlled tag name is passed to git without an end-of-options separator. A tag name that begins with "-" is therefore parsed by git as an option, which can disrupt the deletion process.
Affected component
- internal/database/release.go
process.ExecDir(..., "git", "tag", "-d", rel.TagName)
Details
rel.TagName is used as a CLI argument to git tag -d without -- or --end-of-options.
If the tag name begins with -, Git parses it as a flag rather than as a ref name.
Why the prior mitigation is incomplete: the tag name is sanitized on one creation path
- internal/database/release.go
r.TagName = strings.TrimLeft(r.TagName, "-")
but this covers only that creation path and does not reliably protect tag deletion. Tags created through git push or direct ref updates never pass through it.
Exploit conditions
1. An attacker can add a tag whose name starts with a dash to the repository.
2. A user with permission to delete releases triggers the deletion through the web UI or API.
Recommended fix
1. Add the end-of-options separator in release deletion:
- process.ExecDir(..., "git", "tag", "-d", "--", rel.TagName)
2. Preferably use the git module's safe tag-deletion helper, which handles the separator correctly.
3. Audit all git commands that take user input and make sure they always use the end-of-options separator.
Impact
- option injection into git tag -d
- tag/release deletion can fail or behave unexpectedly
- operational denial of service in release cleanup workflows
- potential release metadata inconsistency
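The following is an added example (not Gogs code) that contrasts the vulnerable argv construction with the hardened one and provides the audit check from the recommended fix: it flags any argv in which a user-supplied argument starting with "-" appears before a "--" separator. The tag name "-n" is a constructed sample; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// looksLikeOption reports whether git's option parser would treat arg as a
// flag instead of a ref name when no "--" precedes it.
func looksLikeOption(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// unsafeTagDeleteArgs mirrors the vulnerable call: the user-controlled tag
// name is appended with nothing ending option parsing before it.
func unsafeTagDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// withEndOfOptions builds argv for a git subcommand and always places "--"
// between the fixed options and any user-controlled arguments.
func withEndOfOptions(sub string, opts []string, userArgs ...string) []string {
	argv := append([]string{sub}, opts...)
	argv = append(argv, "--")
	return append(argv, userArgs...)
}

// safeTagDeleteArgs is the hardened form of the release-deletion call.
func safeTagDeleteArgs(tagName string) []string {
	return withEndOfOptions("tag", []string{"-d"}, tagName)
}

// lastArgParsedAsOption is the audit check: the final argv element is the
// user-controlled one; it is consumed as an option if it starts with "-" and
// no "--" separator appears anywhere before it.
func lastArgParsedAsOption(argv []string) bool {
	last := len(argv) - 1
	for i := 0; i < last; i++ {
		if argv[i] == "--" {
			return false
		}
	}
	return looksLikeOption(argv[last])
}

func main() {
	tag := "-n" // constructed sample: a tag name chosen to look like a flag
	for _, argv := range [][]string{unsafeTagDeleteArgs(tag), safeTagDeleteArgs(tag)} {
		fmt.Printf("git %-16s parsed as option: %v\n", strings.Join(argv, " "), lastArgParsedAsOption(argv))
	}
}
```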