Tag Archives: CS348

CS348-02: Quarter Four

The Vulnerabilities of Git

We use Git for everything from collaborative projects to personal ones, so security threats are something to take into account on any given day, especially for important projects. In the article posted in July 2025, seven distinct security vulnerabilities were announced, all of which affect prior versions of Git.

The first of these vulnerabilities is CVE-2025-48384. When reading a configuration value, Git takes off, or strips as the article says, two kinds of trailing characters: carriage returns (CR) and line feeds (LF). “When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on.” So a submodule path written with a trailing CR is read back as a different, shorter path, and the submodule gets checked out somewhere other than where it was written. The article explains that if a symlink exists that points that altered path at the submodule’s hooks directory, an attacker gets the opportunity to “execute arbitrary code through the submodule’s post-checkout hook.”

A symlink, upon further research, is also known as a symbolic link or a soft link. It is a special file that refers to another file or a directory by storing a path to it, which creates an alternative access path without duplicating the content of the target. These links break if the target is moved or deleted.
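To make the round-trip problem concrete, here is an added example written for this post (it is a toy model, not Git’s own config code). A reader strips trailing CR/LF from unquoted values; a writer that quotes only for leading or trailing blanks silently loses a trailing CR, while a writer that also quotes a trailing CR preserves it. The second half is a check you could run over a .gitmodules file for path values carrying control characters. All function names are invented, and the .gitmodules text is constructed for the example.

```python
"""Toy model of the CVE-2025-48384 bug class (not Git's code): a config
writer that does not quote a trailing CR, so the reader's CRLF stripping
silently changes the value, plus a .gitmodules check for such paths."""
import re
from typing import Callable, List


def read_value(line: str) -> str:
    """Parse 'key = value': a quoted value is kept verbatim, an unquoted
    value loses trailing CR/LF, as the post describes Git's reader doing."""
    _, _, raw = line.partition("=")
    raw = raw.lstrip(" \t")
    if raw.startswith('"'):
        return raw[1:raw.rfind('"')]
    return raw.rstrip("\r\n")   # the stripping that makes the round trip lossy


def _emit(key: str, value: str, quoted: bool) -> str:
    body = f'"{value}"' if quoted else value
    return f"{key} = {body}\n"


def write_vulnerable(key: str, value: str) -> str:
    """Quote only when the value has leading/trailing blanks; a trailing CR
    does not count, so it is written bare and stripped on the next read."""
    return _emit(key, value, value != value.strip(" \t"))


def write_fixed(key: str, value: str) -> str:
    """Also quote when the value ends in CR, so the reader keeps it."""
    return _emit(key, value, value != value.strip(" \t") or value.endswith("\r"))


def round_trips(writer: Callable[[str, str], str], value: str) -> bool:
    """True when writing then reading gives back exactly the same value."""
    return read_value(writer("path", value)) == value


# Constructed sample: the second submodule's path carries a trailing CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n'
    '\tpath = evil\r\n'
    '\turl = https://example.invalid/evil.git\n'
)

_PATH_RE = re.compile(r"^\s*path\s*=\s*(.*)$")


def suspicious_paths(gitmodules: str) -> List[str]:
    """Return raw 'path' values containing any control character.
    Split on LF only: str.splitlines() treats CR as a line break and
    would hide exactly the character we are looking for."""
    hits = []
    for line in gitmodules.split("\n"):
        m = _PATH_RE.match(line)
        if m and any(ord(ch) < 0x20 for ch in m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("vulnerable writer round-trips CR:", round_trips(write_vulnerable, "sub\r"))
    print("fixed writer round-trips CR:     ", round_trips(write_fixed, "sub\r"))
    print("suspicious paths:", [repr(p) for p in suspicious_paths(SAMPLE_GITMODULES)])
```

The check deliberately flags any control character, not just CR, since the general lesson is that a path value which changes between being written and being read is a path you cannot reason about.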

The second vulnerability, CVE-2025-48385, involves bundles. When a repository is cloned, Git can optionally fetch a bundle, which allows the server to offload a portion of the clone to a CDN, or Content Delivery Network. The Git client in this situation does not validate the advertised bundle or bundles properly, which allows “the remote side to perform protocol injection. When a specially crafted bundle is advertised, the remote end can cause the client to write the bundle to an arbitrary location, which may lead to code execution similar to the previous CVE.”
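As an added example (not Git’s own bundle-uri code, and not a description of how Git fixed the issue), here are the two checks a client in that position would want: validate the advertised URI against an accept-list before fetching, and never let the advertised string decide where the file lands on disk. The HTTPS-only accept-list and the hashed cache filename are this example’s assumptions; the URIs in the demo are constructed.

```python
"""Added example: validating an advertised bundle URI and choosing a safe
local destination. The accept-list and the local-path scheme are assumptions
made for this illustration, not Git's behaviour."""
import hashlib
import os
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumption: CDN offload is served over HTTPS only
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_bundle_uri(uri: str) -> Optional[str]:
    """Return a reason to reject the advertised URI, or None if acceptable."""
    if _CONTROL.search(uri) or any(ch.isspace() for ch in uri):
        return "control or whitespace character"   # blocks CRLF/header injection
    if uri.startswith("-"):
        return "looks like a command-line option"  # never pass it to a helper argv
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.netloc or parts.username or parts.password:
        return "missing host or embedded credentials"
    return None


def local_bundle_path(cache_dir: str, uri: str) -> str:
    """Derive the destination from a hash of the URI inside a fixed directory,
    so no part of the attacker-controlled string can steer the write."""
    digest = hashlib.sha256(uri.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, digest + ".bundle")


def triage(cache_dir: str, advertised: list) -> dict:
    """Map each advertised URI to its local path, or to the rejection reason."""
    result = {}
    for uri in advertised:
        reason = validate_bundle_uri(uri)
        result[uri] = local_bundle_path(cache_dir, uri) if reason is None else reason
    return result


if __name__ == "__main__":
    # Constructed advertisement: one good entry and three hostile ones.
    sample = [
        "https://cdn.example.invalid/repo.bundle",
        "file:///etc/passwd",
        "https://cdn.example.invalid/a\r\nX-Injected: 1",
        "--upload-pack=evil",
    ]
    for uri, outcome in triage("cache", sample).items():
        print(repr(uri), "->", outcome)
```

Note that `local_bundle_path` does not even look at the path component of the URI, so `../` sequences or absolute paths in the advertised string have nothing to traverse.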

There is also a Windows-only vulnerability, CVE-2025-48386. When an authenticated remote is cloned, Git uses a credential helper to authenticate the request. One of these helpers is Wincred, which uses Windows Credential Manager to store credentials; it builds the content of a static buffer and uses that content as a “unique key to store and retrieve credentials. However, it does not properly bounds check the remaining space in the buffer, leading to potential buffer overflows.”

There are also vulnerabilities in Git GUI and Gitk, two of which are specific to Gitk: CVE-2025-27613 and CVE-2025-27614. With CVE-2025-27613, running Gitk without additional command-line arguments in a specially crafted repository can make Gitk write to and/or truncate arbitrary files that the user can write to. With CVE-2025-27614, a user tricked into running gitk filename, where filename has a very specific structure, may end up running arbitrary scripts provided by the attacker.

Overall, always upgrade to the latest version.

Source: https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/ 

From the blog CS@Worcester – The Progress of Allana R by Allana Richardson and used with permission of the author. All other rights reserved by the author.

CS348-01: Quarter Three

Software Process Management – Blog Three

In class, we’ve been learning about clean code and have heard the name “Uncle Bob” multiple times. Because of this, I was trying to learn more about him and what else I could learn from clean code, which led me to the SOLID design principles.

To start, Uncle Bob is Robert Cecil Martin, born on December 5, 1952, according to Wikipedia and many other sites I looked at. He is an American software engineer, instructor, and author, most recognized for promoting many software design principles and for being an author and signatory of the influential Agile Manifesto. He has written many books and articles, was editor-in-chief of the C++ Report magazine, and was the first chairman of the Agile Alliance. He was self-taught and joined the software industry at the age of seventeen. “Martin is a proponent of software craftsmanship, agile software development, and test-driven development. He is credited with introducing the collection of object-oriented programming (OOP) design principles that came to be known as SOLID.”

What is SOLID? It’s an acronym for five object-oriented design principles that Robert C. “Uncle Bob” Martin collected and promoted: the Single Responsibility Principle, the Open-Closed Principle (OCP), the Liskov Substitution Principle, the Interface Segregation Principle, and finally the Dependency Inversion Principle.

One of the principles, the Open-Closed Principle, was something I remember learning in class, even having to refer to it for a question in an activity we did: modules, classes, and functions should be open for extension but closed for modification. The rest, however, were new, and at first glance my immediate thought was to Google them.

According to Wikipedia, the Dependency Inversion Principle or DIP is “a specific methodology for loosely coupled software modules. When following this principle, the conventional dependency relationships established from high-level, policy-setting modules to low-level, dependency modules are reversed, thus rendering high-level modules independent of the low-level module implementation details.”

The Liskov Substitution Principle, in the source, says that “if class A is a subtype of class B, then we should be able to replace B with A without disrupting the behavior of our program.” It was initially introduced by Barbara Liskov in 1987 and is based on substitutability: a subtype must be usable anywhere its supertype is expected, so that nothing breaks.
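Here is an added example, written for this post and not taken from any of its sources, that shows the Dependency Inversion and Liskov Substitution principles together on a small credential-check service. The high-level AuthService depends only on an abstract CredentialStore (DIP), so a memory-backed and a file-backed store are interchangeable; a third store that raises where the base contract promises None fails the substitutability check (LSP). All class and function names are invented for the illustration.

```python
"""Added example (not from the post or its sources): DIP and LSP on a small
credential-check service. Names are invented for the illustration."""
import hashlib
import hmac
import os
from abc import ABC, abstractmethod
from typing import Optional


class CredentialStore(ABC):
    """The abstraction the high-level policy depends on (DIP). AuthService
    never names a concrete store, so stores can be swapped or mocked."""

    @abstractmethod
    def put(self, user: str, record: str) -> None: ...

    @abstractmethod
    def get(self, user: str) -> Optional[str]:
        """Return the stored record, or None when the user is unknown."""


class MemoryStore(CredentialStore):
    def __init__(self) -> None:
        self._data = {}

    def put(self, user, record):
        self._data[user] = record

    def get(self, user):
        return self._data.get(user)


class FileStore(CredentialStore):
    """Append-only 'user:record' lines; the last line for a user wins."""

    def __init__(self, path: str) -> None:
        self._path = path

    def put(self, user, record):
        with open(self._path, "a", encoding="utf-8") as f:
            f.write(f"{user}:{record}\n")

    def get(self, user):
        found = None
        try:
            with open(self._path, encoding="utf-8") as f:
                for line in f:
                    name, _, record = line.rstrip("\n").partition(":")
                    if name == user:
                        found = record
        except FileNotFoundError:
            pass
        return found


class StrictStore(MemoryStore):
    """LSP violation: raises KeyError for an unknown user where the base
    contract promises None, so code written against CredentialStore breaks."""

    def get(self, user):
        return self._data[user]


class AuthService:
    """High-level policy: salted PBKDF2 hashing and constant-time comparison.
    It depends only on CredentialStore, never on a concrete store."""

    def __init__(self, store: CredentialStore, iterations: int = 100_000) -> None:
        self._store = store
        self._iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store.put(user, salt.hex() + "$" + self._derive(password, salt).hex())

    def verify(self, user: str, password: str) -> bool:
        record = self._store.get(user)
        if record is None:
            return False
        salt_hex, _, digest_hex = record.partition("$")
        expected = bytes.fromhex(digest_hex)
        return hmac.compare_digest(expected, self._derive(password, bytes.fromhex(salt_hex)))


def substitutable(store: CredentialStore) -> bool:
    """Contract test: a store is a valid substitute when AuthService behaves
    identically with it, which is exactly what LSP asks for."""
    svc = AuthService(store, iterations=1_000)   # low count keeps the demo fast
    try:
        svc.register("alice", "correct horse")
        return (svc.verify("alice", "correct horse")
                and not svc.verify("alice", "wrong")
                and not svc.verify("nobody", "anything"))
    except Exception:
        return False


def demo() -> tuple:
    """Run the contract test against all three stores (file store in a temp dir)."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "creds")
    return substitutable(MemoryStore()), substitutable(FileStore(path)), substitutable(StrictStore())


if __name__ == "__main__":
    print("memory, file, strict substitutable:", demo())
```

The point of `substitutable` is that it is written once against the abstraction; any store that makes it pass can be dropped into AuthService unchanged, and any store that makes it fail is not a true subtype, whatever the class hierarchy says.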

Barbara Liskov is an American computer scientist who made pioneering contributions to programming languages and distributed computing. Some of her most notable work includes “the introduction of abstract data types and the accompanying principle of data abstraction, along with the Liskov Substitution Principle, which applies these ideas of object-oriented programming, subtyping, and inheritance.”

Source: https://medium.com/@lavishj77/solid-design-principles-dd3c0afe7e97, https://en.wikipedia.org/wiki/Robert_C._Martin, and https://en.wikipedia.org/wiki/Barbara_Liskov

From the blog CS@Worcester – The Progress of Allana R by Allana Richardson and used with permission of the author. All other rights reserved by the author.

CS348-01: Quarter Two Blog

Software Process Management – Quarter Two Blog

Scrum was something that I had never heard of until we did the activity in class, so I wanted to learn more about it to get a better understanding. We went through the “Scrum Values of Courage, Focus, Commitment, Respect, and Openness.” We learned that there is a Product Owner, a Scrum Master, and Developers. We learned that transparency, inspection, and adaptation are the pillars of this framework.

We learned how “Scrum is a lightweight framework that helps people, teams and organizations generate value through adaptive solutions for complex problems.” It requires the Scrum Master “to foster an environment where a product owner orders the work for a complex problem into a Product Backlog, the Scrum team turns a selection of the work into an Increment of value during a Sprint, the Scrum Team and its stakeholders inspect the results and adjust for the next Sprint, and repeats.”

We learned how “the fundamental unit of Scrum is a small team of people, a Scrum Team. The Scrum Team consists of one Scrum Master, one Product Owner, and Developers. Within a Scrum Team, there are no sub-teams or hierarchies. It is a cohesive unit of professionals focused on one objective at a time, the Product Goal.” Within this team, each member has a role and responsibilities that carry over into the others’, which is what lets them collaborate efficiently.

When researching, I found out that Scrum is not an acronym like DRY or YAGNI. “It is actually inspired by a scrum in the sport of rugby. In rugby, the team comes together in what they call a scrum to work together to move the ball forward. In this context, Scrum is where the team comes together to move the product forward.”

I also found out that alongside Scrum there is also Professional Scrum. At times, teams fall into the habit of going through the motions. Professional Scrum therefore requires “mindset changes for ways of working and thinking, and an environment that supports it including trust. It also requires you to embrace the Scrum Values in your work.”

With the activity we worked on for this topic, I can see why it’s an agile framework: Scrum gives people and teams just enough structure to come together on how they work, while giving them ways to add the right processes to “optimize for their specific needs.”

Source: https://www.scrum.org/resources/what-scrum-module and https://scrumguides.org/scrum-guide.html 

From the blog CS@Worcester – The Progress of Allana R by Allana Richardson and used with permission of the author. All other rights reserved by the author.

CS348-01: Software Process Management

The Beginning

This is the beginning of my documentation for my class CS-348, and phase two, part one, I suppose, of CS@Worcester: the work I was able to accomplish, what I had trouble with, and the solutions I found.

It’s kind of like my last blog, except new class equals new puzzles I’ll experience!

From the blog CS@Worcester – The Progress of Allana R by Allana Richardson and used with permission of the author. All other rights reserved by the author.