git 3.1.30 api change, issue #8116 #8118
Please merge this change. |
Still waiting on a review check which prevents merge; it looks like it automatically goes to @AUTOMATIC1111 for a request, but if anyone else who can wants to, we can push it to |
My comment was directed at A1111, he has to approve and merge it. |
@adam-huganir - FWIW, the version of gitpython in requirements should also be bumped. The whole reason this even came about is because I bumped the package version as per this high severity security warning: |
required version for CVE-2022-24439 is >= 3.1.30
ooch, that is a bad one. good catch, PR is updated and just needs the workflows run again. edit: workflows passed on the fork so it should be good when run here |
Bump. |
Are you sure it's working? I tried this commit and the check happens but it doesn't find any extension to update even if there are updates. Just tried |
@Dasor92 I just booted it up and hit "Check for updates" and it was able to check and show the status, is that the part you are having issues with? This is what I ended up with: |
This didn't fix the issue for me, I have the same problem as Dasor92. All extensions still show up as "latest" even though they have updates available when I check the github links for each individual extension. |
@CrazyKrow i just double checked the |
No logs in the terminal, the progress bar also works, the only way I know it's not working is because everything keeps showing up as "latest" even though it isn't. I had to reinstall controlnet for it to go to the last version. |
I think the problem started when I updated dreambooth a couple of days ago, even if I remove the extension it's still not working |
yeah, dreambooth updated the requirements (as it should have, there is a serious vulnerability) and that update broke the code that was here, however
edit 2: I am removing some of the stuff in this comment since it will probably cause more issues rather than helping most people. check out my comment below for something that may help get things up and running before this change gets added to the main repo |
I have windows, so the command doesn't work. I tried with "pip install -U GitPython==3.1.30", which didn't fix the issue, and tried with "pip install -U GitPython==3.1.27", which also didn't fix it. Still can't update. The path is set to "C:\Stable-diffusion-webui\venv" |
I also tried deleting the venv folder so the environment is created again, but no luck. I deleted the dreambooth folder btw, so I don't know why it is still not working. |
Hope automatic is okay, are they usually MIA this long? Or taking a break (prob much needed)? I don't lurk here too much, but I do hope to fix dreambooth soon or find an alternative that isn't a collab. |
Where exactly am I supposed to run this command? Should I just put it in my webuser.bat? I tried going to venv/scripts/ running cmd and activating the venv but it tells me system cannot find the file specified. Sorry, noob at this stuff. |
Don't worry about it, virtual environments are tough to grok even for people who work with python day in and day out. I'm removing my comment from earlier since it will do more harm than good for most users, I think, since it is incompatible with the
Replace the current line with the GitPython version with:
This will not be the final version, but it should be the most broadly compatible with other plugins. After this you can run
Let us know if this works! |
Incidentally this is already set as such for me in requirements_versions.txt for the webui installation I use specifically for dreambooth. Unable to update extensions, though I'm more concerned with being able to train. I can do the manual update thing floating around via .bat file. My main concern is getting dreambooth training properly, which it's not since the update.
EDIT 1: Dug a little deeper, this is because I use: set "REQS_FILE=.\extensions\sd_dreambooth_extension\requirements.txt" in my webui-user.bat. I can change gitpython in that or just comment out this line and see.
EDIT 2: commenting out REQS_FILE, I get this mess still:
EDIT 3: |
For people who still struggle with this: sd_dreambooth_extension has a new GitPython version in the requirements that overrides the main requirements files, either edit that or delete the extension completely (don't recommend if you already did some training) and it should work once you install a version 3.1.27 or lower within the venv |
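The layered requirements situation the comments above describe (webui's own requirements_versions.txt pin versus an extension's REQS_FILE that overrides it) as an added example; this is not code from the webui repository or this PR, the sample file contents and the extension are constructed, and the 3.1.30 floor is the CVE-2022-24439 fix version quoted in the thread:

```python
import re

# First GitPython release carrying the CVE-2022-24439 fix (per the thread).
CVE_2022_24439_FIXED = (3, 1, 30)

# Constructed sample files. Later layers override earlier ones, the way an
# extension's REQS_FILE overrides webui's requirements_versions.txt.
MAIN_REQUIREMENTS = """\
torch
GitPython==3.1.27
"""
EXTENSION_REQUIREMENTS = """\
# requirements.txt of a hypothetical extension
gitpython==3.1.31
accelerate
"""

PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[0-9][0-9.]*)")

def parse_version(text):
    # "3.1.30" -> (3, 1, 30); tuple order matches release order for plain versions
    return tuple(int(part) for part in text.split("."))

def find_pin(requirements_text, package):
    # Exact-pin lookup; pip treats package names case-insensitively
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line.split("#", 1)[0])
        if m and m.group("name").lower() == package.lower():
            return parse_version(m.group("ver"))
    return None

def effective_pin(layers, package="GitPython"):
    # The last layer that pins the package wins
    pin = None
    for text in layers:
        found = find_pin(text, package)
        if found is not None:
            pin = found
    return pin

def audit(layers):
    # "vulnerable" below the fixed release, "fixed" at or above it, "unpinned"
    # when no layer pins it (pip then resolves whatever is newest or cached)
    pin = effective_pin(layers)
    if pin is None:
        return "unpinned"
    return "fixed" if pin >= CVE_2022_24439_FIXED else "vulnerable"
```

Feeding the main file alone reports "vulnerable" (3.1.27), while adding the extension layer reports "fixed" (3.1.31), which is exactly why edits to the main file appeared to have no effect for users whose REQS_FILE pointed at an extension.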
Still having issues with check for update even after rebuilding venv and deleting dreambooth completely, I guess someone can point out which package version is not compatible with the main version of webui. absl-py 1.4.0 |
@Dasor92 Moreover, in order to make your extensions update as normal again, you may have to reinstall every extension one by one to make it updateable in the future, since gitpython 3.1.31 breaks the link of extensions which makes it not be able to update even when you downgrade to 3.1.27. So any extension installed prior to 3.1.31 will have to be installed again. |
Really disheartening that this still hasn't been merged. Why isn't there just a new fork or something at this point that takes over? |
I don't want to bump the version of a package without it doing something useful in the new version. Enabling extension access is an RCE already, by design. Disabling extension access mutes whatever problem exists in GitPython==3.1.27. |
Fixing a critical security issue is doing something useful, dude. Seriously.
On Sat, Mar 11, 2023, 3:55 AM AUTOMATIC1111 wrote: I don't want to bump the version of a package without it doing something useful in the new version. Enabling extension access is an RCE already, by design. Disabling extension access mutes whatever problem exists in GitPython==3.1.27. |
The critical security issue still persists for reasons I wrote above even if this is merged in. |
I legitimately do not understand your logic. You regularly merge breaking changes to the main repository without issue. Hell, not even regularly...just sort of willy-nilly because you're the only person who can merge fixes.
But then you're refusing to merge this one because fixing a critical security issue is somehow not useful enough...because the application has other issues "by design"?
Like...why? How about you just update the package and fix the one line of code and call it a day, versus leaving this sit out here until something "useful" comes along that makes it now pertinent to bump the package version?
This is a combination of maddening and frustrating that I'm growing increasingly tired of...
On Sat, Mar 11, 2023 at 7:47 AM AUTOMATIC1111 wrote: The critical security issue still persists for reasons I wrote above even of this is merged in. |
What's the way to exploit the vulnerability? |
Are you seriously going to make me go through your code so I can find an endpoint in the core application to prove there's an issue even without extensions enabled? You're a smart guy...I'm sure you and I both know I can work out some way to call one of your methods via javascript to get this to run.
from git import Repo
r = Repo.init('', bare=True)
r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])
On Sat, Mar 11, 2023 at 8:09 AM AUTOMATIC1111 wrote: What's the way to exploit the vulnerability? |
When extensions installation is enabled, there is a way to install and run a repo with JS even with this PR merged in. When extension installation is disabled, there is no way to do this from JS. The reason I don't want to merge this in is because there are users in comments who report that bumping version breaks things for them. I could investigate, but I don't want to, and seeing as there is no practical benefit to merging this in, I would rather just not bump the version. |
revert back to .27
Fixing CVEs is always good, but as @AUTOMATIC1111 points out in this case we are already running in an environment where code execution is basically arbitrary anyways and there is no place in the code that feeds raw strings into the commands that I can see that would make this a particularly obvious concern. I do think the syntax change is worth it since it is discouraged by the gitpython people and will eventually stop working on another upgrade. I removed the requirements change and you can merge/reject at your discretion |
…being below that version #8118
Fine, let's get it in, and let's bump the version, if something breaks we'll fix it afterwards. |
I have been using the bumped version. I didn't encounter any problem but of course there are so many edge cases |
…n-api-breaking-change git 3.1.30 api change, issue AUTOMATIC1111#8116
…being below that version AUTOMATIC1111#8118
this is a fix for #8116, where gitpython made a breaking api change:
Running on ubuntu 22 wsl
Tested with installs/updates, works as expected
edited to reference and auto-close: fixes #8116, fixes #8199, fixes #8116