Two Command Injection Vulnerabilities in Gerapy [CVE-2021-32849]

We discussed this vulnerability during Episode 103 on 29 November 2021

Two straightforward command injection issues in Gerapy.

The first is in the project_clone function, where the address of the Git project to clone is taken directly from the HTTP POST body and later used, without any sanitization of control characters, in the git clone {address}... command.

The second is similar but in project_parse. In this case, it reads an argument and a value, which are placed directly into a command string that is passed to a shell to be executed.
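Both issues have the same shape: a request-controlled string is spliced into a command line that a shell parses. The example below is added here and is not Gerapy's code; it shows that unsafe shape next to a hardened one that validates the input against an allowlist and hands each value to git (or, for the parse case, to an assumed scrapy command line) as its own argv element with no shell in between. The address pattern, the option names and the sample inputs are all constructed for illustration.

```python
# Added example, not Gerapy's own code: the unsafe shape the writeup describes
# (untrusted input spliced into a shell command string) next to a hardened
# shape (validated input, argv list, no shell). Option names and the sample
# addresses below are constructed for illustration.
import re
import subprocess

# Allowlist for the address shapes a clone endpoint normally accepts:
#   https://host[:port]/path   or   user@host:path (scp-style SSH syntax)
# Hypothetical pattern; tighten it to the hosts a real deployment uses.
_ADDRESS_RE = re.compile(
    r"(?:https://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._/-]+"
    r"|[A-Za-z0-9_-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+)"
)
# Destination directory: one path component, no leading '-' or '.'.
_DEST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Assumed option names for the parse endpoint; a real allowlist holds only
# the options the application itself decides to expose.
_ALLOWED_PARSE_OPTIONS = {"spider", "callback", "depth"}


def build_clone_command_unsafe(address: str) -> str:
    """The vulnerable shape: the request value becomes part of one shell
    string. A newline or ';' in `address` ends the git command and starts
    another, because the shell, not git, parses this string."""
    return f"git clone {address}"


def is_safe_git_address(address: str) -> bool:
    """True only when the whole address matches the allowlist. Control
    characters, whitespace and shell metacharacters never match, and an
    address starting with '-' (which git would read as an option) is
    rejected because no allowed form begins that way."""
    return _ADDRESS_RE.fullmatch(address) is not None


def is_safe_dest_dir(name: str) -> bool:
    """Single path component, no leading '-' or '.', no separators."""
    return _DEST_RE.fullmatch(name) is not None


def build_clone_argv(address: str, dest_dir: str) -> list[str]:
    """Hardened shape: each value is its own argv element, so no shell ever
    sees it, and '--' stops git from reading the address as an option."""
    if not is_safe_git_address(address):
        raise ValueError("rejected git address")
    if not is_safe_dest_dir(dest_dir):
        raise ValueError("rejected destination directory")
    return ["git", "clone", "--", address, dest_dir]


def clone_project(address: str, dest_dir: str) -> int:
    """Run the clone without a shell (subprocess.run defaults to shell=False).
    Returns git's exit status; stdout/stderr are captured, not echoed."""
    proc = subprocess.run(
        build_clone_argv(address, dest_dir),
        capture_output=True, text=True, timeout=300,
    )
    return proc.returncode


def build_parse_argv(option: str, value: str) -> list[str]:
    """Same idea for the parse endpoint: the option name must come from a
    fixed allowlist, and the value travels as a separate argv element so it
    can only ever be that option's value. The 'scrapy parse' command line
    is assumed here, not taken from the project."""
    if option not in _ALLOWED_PARSE_OPTIONS:
        raise ValueError("rejected option name")
    if value.startswith("-") or any(c in value for c in "\0\r\n"):
        raise ValueError("rejected option value")
    return ["scrapy", "parse", f"--{option}", value]


if __name__ == "__main__":
    # Constructed inputs: a benign address and one carrying a newline.
    good = "https://github.com/example/repo.git"
    bad = "https://github.com/example/repo.git\nsecond-line"
    print(build_clone_argv(good, "repo"))
    print(repr(build_clone_command_unsafe(bad)))  # the newline survives intact
    print(is_safe_git_address(bad))               # False
```

The argv list alone removes the shell from the picture, which is what closes the injection described above; the allowlist is defence in depth, so that an address which is shell-safe but looks like a git option or an unexpected transport is still refused before git sees it. Detection-wise, a git or scrapy process whose parent is the web application and whose arguments contain newlines or shell metacharacters is a cheap signal to alert on.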