A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. References: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1696026]
Statement: This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
List of patches: https://www.mercurial-scm.org/repo/hg/rev/31286c9282df https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0
Starting with version 1.5.3, Mercurial expands environment variables in subrepository path names when creating a subrepository or cloning a parent repository, but it does not validate whether the resulting path falls outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository that leads Mercurial to write files outside the repository, as long as the destination location is empty. This issue affects Mercurial versions from 1.5.3 up to 4.8.2.
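The two vectors described above (an absolute path produced by environment variable expansion, and a committed symlink that redirects a relative subrepo path) can be reproduced on disk with the following added example. It is not Mercurial's code; the function names (legacy_subrepo_target, audit_subrepo_path, is_inside, demo) and the HGDEMO_TARGET variable are hypothetical, and the repository layout is constructed in a temporary directory. legacy_subrepo_target models the pre-4.9 behaviour; audit_subrepo_path is one way to harden it: refuse `$`, `~`, absolute and `..` paths before any expansion, then resolve symlinks component by component and confirm the result stays under the root.

```python
import os
import shutil
import tempfile

# Added example, not Mercurial's own code. All names are hypothetical.


def legacy_subrepo_target(root, raw):
    """Pre-4.9 style: expand $VAR and ~ in the .hgsub path and join it onto
    the repository root with no check on where the result ends up."""
    expanded = os.path.expanduser(os.path.expandvars(raw))
    # os.path.join discards `root` entirely when `expanded` is absolute.
    return os.path.realpath(os.path.join(root, expanded))


def is_inside(root, candidate):
    """True when `candidate`, after resolving symlinks, is root or below it."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return cand_real == root_real or cand_real.startswith(root_real + os.sep)


def audit_subrepo_path(root, raw):
    """Hardened check: reject dangerous syntax before expansion, then verify
    the path after symlink resolution. Returns the resolved path."""
    if os.path.isabs(raw) or raw.startswith(('/', '\\')):
        raise ValueError("absolute subrepo path rejected: %r" % raw)
    if '$' in raw or '~' in raw:
        raise ValueError("subrepo path with $ or ~ rejected: %r" % raw)
    parts = [p for p in raw.replace('\\', '/').split('/') if p and p != '.']
    if '..' in parts:
        raise ValueError("parent-directory component rejected: %r" % raw)
    cur = root
    for part in parts:
        cur = os.path.join(cur, part)
        # A symlink committed by the attacker may point anywhere; catch it as
        # soon as it is traversed, not only at the final component.
        if os.path.islink(cur) and not is_inside(root, cur):
            raise ValueError("symlink escapes repository: %r" % cur)
    if not is_inside(root, cur):
        raise ValueError("resolved path escapes repository: %r" % cur)
    return os.path.realpath(cur)


def rejected(root, raw):
    """Convenience wrapper: True when the hardened audit refuses `raw`."""
    try:
        audit_subrepo_path(root, raw)
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario: a tampered parent repo whose subrepo paths
    escape the root. Returns a dict of observations (all should be True)."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, 'repo')
        outside = os.path.join(base, 'outside')
        os.makedirs(root)
        os.makedirs(outside)
        # Vector 1: symlink committed in the parent repo: repo/sub -> outside
        os.symlink(outside, os.path.join(root, 'sub'))
        # Vector 2: environment variable expanded inside the .hgsub path
        os.environ['HGDEMO_TARGET'] = outside
        return {
            'symlink_legacy_escapes':
                not is_inside(root, legacy_subrepo_target(root, 'sub/payload')),
            'envvar_legacy_escapes':
                not is_inside(root, legacy_subrepo_target(root, '$HGDEMO_TARGET/payload')),
            'symlink_rejected': rejected(root, 'sub/payload'),
            'envvar_rejected': rejected(root, '$HGDEMO_TARGET/payload'),
            'dotdot_rejected': rejected(root, 'vendor/../../payload'),
            'benign_accepted': not rejected(root, 'vendor/lib'),
        }
    finally:
        os.environ.pop('HGDEMO_TARGET', None)
        shutil.rmtree(base)


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

The pre-expansion rejection matters because the final realpath check alone is not enough: `$HOME/.ssh/authorized_keys` resolves to a perfectly ordinary path that the root-containment test can only catch after the variable has already been expanded, and a component-wise symlink check is what stops `sub/payload` being written into whatever `sub` points at. Running the block prints six True lines.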
External References: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
Tower already restricts permissions with bubblewrap, which mitigates this attack. Tower is not affected by this issue because bubblewrap is enabled by default.
Mercurial is not used in Openshift Online, so Openshift Online is not affected by this issue.