RUSTSEC-2023-0064: 
Rust vulnerability analysis and mitigation

RUSTSEC-2023-0064 is a code execution vulnerability discovered in the gix-transport Rust library. The vulnerability allows malicious code execution through specially crafted clone URLs or configuration files. The issue was discovered and disclosed on September 24, 2023, affecting the gitoxide project's transport implementation (GitHub PR).

The vulnerability stems from insufficient URL sanitization in the transport layer, specifically when handling SSH URLs. A proof of concept demonstrated that using a maliciously crafted URL like 'ssh://-oProxyCommand=open$IFS-aCalculator/foo' could trigger arbitrary command execution on OSX. The issue relates to how the library handles command-line arguments passed to the SSH command, particularly when processing host and path components of URLs (GitHub PR).

When exploited, this vulnerability allows attackers to execute arbitrary code on the target system through malicious clone URLs or configuration files. The impact is particularly severe in scenarios where applications process untrusted git repositories or when operating on repositories with submodules that are automatically added (GitHub PR).

The vulnerability was patched by implementing additional URL sanitization checks. The fix includes the addition of Url::host_argument_safe() and Url::path_argument_safe() functions that validate arguments before they are passed to command-line applications. The patch prevents hosts or paths that look like arguments from being passed to invoked commands (GitHub PR).