Argument Injection in prefecthq/prefect
Description
A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper sanitization, and then parsed by shlex.split(). This enables injection of options such as -c, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the aget_directory() and get_directory() methods in src/integrations/prefect-github/prefect_github/repository.py. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prefect 3.6.18's prefect-github integration allows git command injection via the `reference` field, enabling SSRF, credential theft, or RCE.
Vulnerability
In Prefect version 3.6.18, the GitHubRepository block of the prefect-github integration contains a command injection vulnerability in the reference field. The field is concatenated directly into a git clone command string without sanitization and then parsed by shlex.split(). This affects both the aget_directory() and get_directory() methods in src/integrations/prefect-github/prefect_github/repository.py. The GitLab and BitBucket integrations are not affected as they use a safer list-based command construction approach [1].
Exploitation
An attacker who can control the reference field in a GitHubRepository block can inject arbitrary git command-line options, such as -c, by crafting a malicious string. This injection occurs during the command construction before shlex.split() is applied, allowing the attacker to execute unintended git commands or options. No authentication or special privileges are required beyond the ability to supply the reference value [1].
Impact
Successful exploitation can lead to Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE) in the context of the Prefect agent. The attacker may gain access to sensitive data or internal network resources, or execute arbitrary commands on the host system [1].
Mitigation
As of the publication date, no patch has been disclosed in the available references. Users can mitigate the risk by avoiding the use of untrusted input in the reference field, or by using the GitLab or BitBucket integrations, which are not vulnerable to this injection [1].
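The following is an added illustration, not Prefect's code, contrasting the flawed pattern the description names (interpolating the reference into a command string and then calling shlex.split()) with the list-based construction credited to the GitLab and BitBucket integrations, plus a refname check a defender would add in front of either. The repository URL, the constructed reference values and the git flags used are illustrative assumptions.

```python
import re
import shlex

# Characters git itself refuses in a refname (a subset of the
# `git check-ref-format` rules), plus ASCII control characters.
_FORBIDDEN = re.compile(r"[\s~^:?*\[\\\x00-\x1f\x7f]")


def build_clone_argv_vulnerable(url: str, reference: str) -> list[str]:
    """Flawed pattern: string interpolation followed by shlex.split().
    Whitespace inside `reference` yields extra argv tokens, so a value
    such as "main -c k=v" smuggles `-c` in as its own option."""
    cmd = f"git clone {url} --branch {reference} --depth 1"
    return shlex.split(cmd)


def is_valid_git_ref(reference: str) -> bool:
    """Reject anything that is not a plausible branch/tag name. A leading
    '-' is refused so the value can never be read as an option."""
    if not reference or reference.startswith("-"):
        return False
    if _FORBIDDEN.search(reference):
        return False
    if ".." in reference or "@{" in reference or "//" in reference:
        return False
    if reference.endswith(("/", ".", ".lock")):
        return False
    return not any(part.startswith(".") for part in reference.split("/"))


def build_clone_argv_safe(url: str, reference: str) -> list[str]:
    """List-based construction: the reference is exactly one argv element,
    so it cannot split into additional git options, and it is validated first."""
    if not is_valid_git_ref(reference):
        raise ValueError(f"rejected git reference: {reference!r}")
    return ["git", "clone", url, "--branch", reference, "--depth", "1"]


def unexpected_options(argv: list[str], allowed: frozenset[str]) -> list[str]:
    """Detection aid: option-looking tokens that the caller did not intend to pass."""
    return [tok for tok in argv if tok.startswith("-") and tok not in allowed]


if __name__ == "__main__":
    url = "https://example.invalid/org/repo.git"        # constructed URL
    bad_ref = "main -c some.key=some.value"               # constructed reference
    print(unexpected_options(build_clone_argv_vulnerable(url, bad_ref),
                             frozenset({"--branch", "--depth"})))  # ['-c']
    print(build_clone_argv_safe(url, "release/v1.2"))
```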
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in the index yet)