Github Desktop RCEx2 for Mac latest Version

14 Feb 2019 - Tr3jer_CongRong

截至今日最新版的两处RCE，第一个重复@evi1m0/第二个内部排查已知，复现蛮简单的，直接show your code.

0x01

app/src/ui/diff/binary-file.tsx:

export class BinaryFile extends React.Component<IBinaryFileProps, {}> {
  private open = () => {
    const fullPath = Path.join(this.props.repository.path, this.props.path)
    openFile(fullPath, this.props.dispatcher)
  }

  public render() {
    return (
      <div className="panel binary" id="diff">
        <div className="image-header">This binary file has changed.</div>
        <div className="image-header">
          <LinkButton onClick={this.open}>
            Open file in external program.
          </LinkButton>
        </div>
      </div>
    )
  }
}

Follow up openFile

app/src/ui/lib/open-file.ts:

const result = await shell.openExternal(`file://${fullPath}`)

0x02

app/src/ui/lib/context-menu.ts:

const RestrictedFileExtensions = ['.cmd', '.exe', '.bat', '.sh']
export const CopyFilePathLabel = __DARWIN__
  ? 'Copy File Path'
  : 'Copy file path'

export const DefaultEditorLabel = __DARWIN__
  ? 'Open in External Editor'
  : 'Open in external editor'

export const RevealInFileManagerLabel = __DARWIN__
  ? 'Reveal in Finder'
  : __WIN32__
  ? 'Show in Explorer'
  : 'Show in your File Manager'

export const TrashNameLabel = __DARWIN__ ? 'Trash' : 'Recycle Bin'

export const OpenWithDefaultProgramLabel = __DARWIN__
  ? 'Open with Default Program'
  : 'Open with default program'

export function isSafeFileExtension(extension: string): boolean {
  if (__WIN32__) {
    return RestrictedFileExtensions.indexOf(extension.toLowerCase()) === -1
  }
  return true
}

context-menu restricted these files extensions:

const RestrictedFileExtensions = ['.cmd', '.exe', '.bat', '.sh']

But macos is a Unix OS, and many binary files can be run directly.

Follow up and search OpenWithDefaultProgramLabel:

app/src/ui/changes/changes-list.tsx:

  CopyFilePathLabel,
  RevealInFileManagerLabel,
  OpenWithDefaultProgramLabel,
} from '../lib/context-menu'
import { CommitMessage } from './commit-message'
..
      },
      {
        label: OpenWithDefaultProgramLabel,
        action: () => this.props.onOpenItem(path),
        enabled: isSafeExtension && status.kind !== AppFileStatusKind.Deleted,

app/src/ui/history/file-list.tsx:

  DefaultEditorLabel,
  RevealInFileManagerLabel,
  OpenWithDefaultProgramLabel,
} from '../lib/context-menu'
import { List } from '../lib/list'
 ..
      },
      {
        label: OpenWithDefaultProgramLabel,
        action: () => this.props.onOpenItem(filePath),
        enabled: isSafeExtension && fileExistsOnDisk,

app/src/ui/merge-conflicts/merge-conflicts-dialog.tsx:

import { IMenuItem } from '../../lib/menu-item'
import {
  OpenWithDefaultProgramLabel,
  RevealInFileManagerLabel,
} from '../lib/context-menu'
..
      const items: IMenuItem[] = [
        {
          label: OpenWithDefaultProgramLabel,
          action: () => openFile(absoluteFilePath, dispatcher),
        },

These calls can be used under macos, not subject to file extensions.