PT-2020-16351 · Dependabot · Dependabot-Core+2

Mrthankyou · Published 2020-11-13 · Updated 2020-12-03 · CVE-2020-26222

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Dependabot-Core versions 0.119.0.beta1 through 0.125.1

Description: There is a remote code execution issue in the dependabot-common and dependabot-go modules when a source branch name contains malicious, injectable bash code. For example, if Dependabot is configured to use the source branch name "/$({curl,127.0.0.1})", Dependabot will make an HTTP request to the URL 127.0.0.1 when cloning the source repository. This occurs because Dependabot runs a shell command to git clone the repository, and the FileFetcher class from dependabot-common can be used to clone the repository for other package managers as well.

Recommendations: For Dependabot-Core versions 0.119.0.beta1 through 0.125.1, update to version 0.125.1 to resolve the issue. As a temporary workaround, escape the branch name prior to passing it to the Dependabot::Source class, for example using shellwords to escape the branch name.
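The pattern behind this issue and the two ways of closing it, as an added Ruby illustration (not dependabot-core's own code): a branch name interpolated into a command string that a shell later parses, beside the Shellwords workaround the advisory recommends and the stronger argv-array form that never involves a shell. The clone URL, the `repo` directory and the helper names are assumptions; the branch value is the one quoted in the description, and `printf` stands in for `git` so nothing is actually cloned.

```ruby
require "shellwords"
require "open3"

# Branch name of the shape the advisory describes (constructed sample): shell
# metacharacters that a naively interpolated command line hands to bash for expansion.
UNTRUSTED_BRANCH = "/$({curl,127.0.0.1})".freeze

# Vulnerable pattern (illustration only): the untrusted value is spliced straight into
# a string that is later executed through a shell, so `$(...)` and `{a,b}` stay live.
def clone_command_unsafe(url, branch)
  "git clone --branch #{branch} --single-branch #{url} repo"
end

# Workaround from the advisory: shell-escape every untrusted value before it reaches
# the command string, so the shell tokenizes the branch as a single literal word.
def clone_command_escaped(url, branch)
  "git clone --branch #{Shellwords.escape(branch)} --single-branch #{Shellwords.escape(url)} repo"
end

# Stronger fix: do not go through a shell at all. An argv array (as accepted by
# Process.spawn, system and Open3) is passed to git verbatim; no expansion can occur.
def clone_argv(url, branch)
  ["git", "clone", "--branch", branch, "--single-branch", url, "repo"]
end

# Tokenize a command string the way a POSIX shell would (quoting and backslashes,
# without expansion) to check which words the child process would receive.
def shell_words(cmd)
  Shellwords.split(cmd)
end

# Run the escaped word through a real /bin/sh, using printf instead of git, and return
# what the program actually received. Equal to the input means nothing was substituted.
def literal_after_shell(branch)
  out, status = Open3.capture2("sh", "-c", "printf '%s' #{Shellwords.escape(branch)}")
  status.success? ? out : nil
end

if __FILE__ == $PROGRAM_NAME
  url = "https://example.invalid/repo.git"   # assumed URL
  puts clone_command_unsafe(url, UNTRUSTED_BRANCH)
  puts clone_command_escaped(url, UNTRUSTED_BRANCH)
  p clone_argv(url, UNTRUSTED_BRANCH)
  p literal_after_shell(UNTRUSTED_BRANCH)
end
```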

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2020-26222
GHSA-23F7-99JX-M54R

Affected Products

Dependabot-Core
Dependabot-Common
Dependabot-Go Modules