From f6adec4e329ef0e25e14c63b735a5956dc67b8bc Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 24 Sep 2018 04:36:30 -0400 Subject: submodule-config: ban submodule urls that start with dash The previous commit taught the submodule code to invoke our "git clone $url $path" with a "--" separator so that we aren't confused by urls or paths that start with dashes. However, that's just one code path. It's not clear if there are others, and it would be an easy mistake to add one in the future. Moreover, even with the fix in the previous commit, it's quite hard to actually do anything useful with such an entry. Any url starting with a dash must fall into one of three categories: - it's meant as a file url, like "-path". But then any clone is not going to have the matching path, since it's by definition relative inside the newly created clone. If you spell it as "./-path", the submodule code sees the "/" and translates this to an absolute path, so it at least works (assuming the receiver has the same filesystem layout as you). But that trick does not apply for a bare "-path". - it's meant as an ssh url, like "-host:path". But this already doesn't work, as we explicitly disallow ssh hostnames that begin with a dash (to avoid option injection against ssh). - it's a remote-helper scheme, like "-scheme::data". This _could_ work if the receiver bends over backwards and creates a funny-named helper like "git-remote--scheme". But normally there would not be any helper that matches. Since such a url does not work today and is not likely to do anything useful in the future, let's simply disallow them entirely. That protects the existing "git clone" path (in a belt-and-suspenders way), along with any others that might exist. Our tests cover two cases: 1. A file url with "./" continues to work, showing that there's an escape hatch for people with truly silly repo names. 2. A url starting with "-" is rejected. Note that we expect case (2) to fail, but it would have done so even without this commit, for the reasons given above. So instead of just expecting failure, let's also check for the magic word "ignoring" on stderr. That lets us know that we failed for the right reason. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/t7416-submodule-dash-url.sh | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100755 t/t7416-submodule-dash-url.sh (limited to 't') diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh new file mode 100755 index 0000000000..459193c976 --- /dev/null +++ b/t/t7416-submodule-dash-url.sh @@ -0,0 +1,34 @@ +#!/bin/sh + +test_description='check handling of .gitmodule url with dash' +. ./test-lib.sh + +test_expect_success 'create submodule with protected dash in url' ' + git init upstream && + git -C upstream commit --allow-empty -m base && + mv upstream ./-upstream && + git submodule add ./-upstream sub && + git add sub .gitmodules && + git commit -m submodule +' + +test_expect_success 'clone can recurse submodule' ' + test_when_finished "rm -rf dst" && + git clone --recurse-submodules . dst && + echo base >expect && + git -C dst/sub log -1 --format=%s >actual && + test_cmp expect actual +' + +test_expect_success 'remove ./ protection from .gitmodules url' ' + perl -i -pe "s{\./}{}" .gitmodules && + git commit -am "drop protection" +' + +test_expect_success 'clone rejects unprotected dash' ' + test_when_finished "rm -rf dst" && + test_must_fail git clone --recurse-submodules . dst 2>err && + test_i18ngrep ignoring err +' + +test_done -- cgit v1.3-5-g9baa From 273c61496f88c6495b886acb1041fe57965151da Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 24 Sep 2018 04:39:55 -0400 Subject: submodule-config: ban submodule paths that start with a dash We recently banned submodule urls that look like command-line options. This is the matching change to ban leading-dash paths. As with the urls, this should not break any use cases that currently work. Even with our "--" separator passed to git-clone, git-submodule.sh gets confused. Without the code portion of this patch, the clone of "-sub" added in t7417 would yield results like: /path/to/git-submodule: 410: cd: Illegal option -s /path/to/git-submodule: 417: cd: Illegal option -s /path/to/git-submodule: 410: cd: Illegal option -s /path/to/git-submodule: 417: cd: Illegal option -s Fetched in submodule path '-sub', but it did not contain b56243f8f4eb91b2f1f8109452e659f14dd3fbe4. Direct fetching of that commit failed. Moreover, naively adding such a submodule doesn't work: $ git submodule add $url -sub The following path is ignored by one of your .gitignore files: -sub even though there is no such ignore pattern (the test script hacks around this with a well-placed "git mv"). Unlike leading-dash urls, though, it's possible that such a path _could_ be useful if we eventually made it work. So this commit should be seen not as recommending a particular policy, but rather temporarily closing off a broken and possibly dangerous code-path. We may revisit this decision later. There are two minor differences to the tests in t7416 (that covered urls): 1. We don't have a "./-sub" escape hatch to make this work, since the submodule code expects to be able to match canonical index names to the path field (so you are free to add submodule config with that path, but we would never actually use it, since an index entry would never start with "./"). 2. After this patch, cloning actually succeeds. Since we ignore the submodule.*.path value, we fail to find a config stanza for our submodule at all, and simply treat it as inactive. We still check for the "ignoring" message. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- submodule-config.c | 2 ++ t/t7417-submodule-path-url.sh | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100755 t/t7417-submodule-path-url.sh (limited to 't') diff --git a/submodule-config.c b/submodule-config.c index 6eb13a5536..774fb10544 100644 --- a/submodule-config.c +++ b/submodule-config.c @@ -398,6 +398,8 @@ static int parse_config(const char *var, const char *value, void *data) if (!strcmp(item.buf, "path")) { if (!value) ret = config_error_nonbool(var); + else if (looks_like_command_line_option(value)) + warn_command_line_option(var, value); else if (!me->overwrite && submodule->path) warn_multiple_config(me->treeish_name, submodule->name, "path"); diff --git a/t/t7417-submodule-path-url.sh b/t/t7417-submodule-path-url.sh new file mode 100755 index 0000000000..638293f0da --- /dev/null +++ b/t/t7417-submodule-path-url.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +test_description='check handling of .gitmodule path with dash' +. ./test-lib.sh + +test_expect_success 'create submodule with dash in path' ' + git init upstream && + git -C upstream commit --allow-empty -m base && + git submodule add ./upstream sub && + git mv sub ./-sub && + git commit -m submodule +' + +test_expect_success 'clone rejects unprotected dash' ' + test_when_finished "rm -rf dst" && + git clone --recurse-submodules . dst 2>err && + test_i18ngrep ignoring err +' + +test_done -- cgit v1.3-5-g9baa From a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 24 Sep 2018 04:37:17 -0400 Subject: fsck: detect submodule urls starting with dash Urls with leading dashes can cause mischief on older versions of Git. We should detect them so that they can be rejected by receive.fsckObjects, preventing modern versions of git from being a vector by which attacks can spread. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- fsck.c | 7 +++++++ t/t7416-submodule-dash-url.sh | 15 +++++++++++++++ 2 files changed, 22 insertions(+) (limited to 't') diff --git a/fsck.c b/fsck.c index 9339f31513..c472856527 100644 --- a/fsck.c +++ b/fsck.c @@ -64,6 +64,7 @@ static struct oidset gitmodules_done = OIDSET_INIT; FUNC(GITMODULES_PARSE, ERROR) \ FUNC(GITMODULES_NAME, ERROR) \ FUNC(GITMODULES_SYMLINK, ERROR) \ + FUNC(GITMODULES_URL, ERROR) \ /* warnings */ \ FUNC(BAD_FILEMODE, WARN) \ FUNC(EMPTY_NAME, WARN) \ @@ -945,6 +946,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata) FSCK_MSG_GITMODULES_NAME, "disallowed submodule name: %s", name); + if (!strcmp(key, "url") && value && + looks_like_command_line_option(value)) + data->ret |= report(data->options, data->obj, + FSCK_MSG_GITMODULES_URL, + "disallowed submodule url: %s", + value); free(name); return 0; diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh index 459193c976..1cd2c1c1ea 100755 --- a/t/t7416-submodule-dash-url.sh +++ b/t/t7416-submodule-dash-url.sh @@ -20,6 +20,13 @@ test_expect_success 'clone can recurse submodule' ' test_cmp expect actual ' +test_expect_success 'fsck accepts protected dash' ' + test_when_finished "rm -rf dst" && + git init --bare dst && + git -C dst config transfer.fsckObjects true && + git push dst HEAD +' + test_expect_success 'remove ./ protection from .gitmodules url' ' perl -i -pe "s{\./}{}" .gitmodules && git commit -am "drop protection" @@ -31,4 +38,12 @@ test_expect_success 'clone rejects unprotected dash' ' test_i18ngrep ignoring err ' +test_expect_success 'fsck rejects unprotected dash' ' + test_when_finished "rm -rf dst" && + git init --bare dst && + git -C dst config transfer.fsckObjects true && + test_must_fail git push dst HEAD 2>err && + grep gitmodulesUrl err +' + test_done -- cgit v1.3-5-g9baa From 1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 24 Sep 2018 04:42:19 -0400 Subject: fsck: detect submodule paths starting with dash As with urls, submodule paths with dashes are ignored by git, but may end up confusing older versions. Detecting them via fsck lets us prevent modern versions of git from being a vector to spread broken .gitmodules to older versions. Compared to blocking leading-dash urls, though, this detection may be less of a good idea: 1. While such paths provide confusing and broken results, they don't seem to actually work as option injections against anything except "cd". In particular, the submodule code seems to canonicalize to an absolute path before running "git clone" (so it passes /your/clone/-sub). 2. It's more likely that we may one day make such names actually work correctly. Even after we revert this fsck check, it will continue to be a hassle until hosting servers are all updated. On the other hand, it's not entirely clear that the behavior in older versions is safe. And if we do want to eventually allow this, we may end up doing so with a special syntax anyway (e.g., writing "./-sub" in the .gitmodules file, and teaching the submodule code to canonicalize it when comparing). So on balance, this is probably a good protection. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- fsck.c | 7 +++++++ t/t7417-submodule-path-url.sh | 8 ++++++++ 2 files changed, 15 insertions(+) (limited to 't') diff --git a/fsck.c b/fsck.c index c472856527..5d9b25fac0 100644 --- a/fsck.c +++ b/fsck.c @@ -65,6 +65,7 @@ static struct oidset gitmodules_done = OIDSET_INIT; FUNC(GITMODULES_NAME, ERROR) \ FUNC(GITMODULES_SYMLINK, ERROR) \ FUNC(GITMODULES_URL, ERROR) \ + FUNC(GITMODULES_PATH, ERROR) \ /* warnings */ \ FUNC(BAD_FILEMODE, WARN) \ FUNC(EMPTY_NAME, WARN) \ @@ -952,6 +953,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata) FSCK_MSG_GITMODULES_URL, "disallowed submodule url: %s", value); + if (!strcmp(key, "path") && value && + looks_like_command_line_option(value)) + data->ret |= report(data->options, data->obj, + FSCK_MSG_GITMODULES_PATH, + "disallowed submodule path: %s", + value); free(name); return 0; diff --git a/t/t7417-submodule-path-url.sh b/t/t7417-submodule-path-url.sh index 638293f0da..756af8c4d6 100755 --- a/t/t7417-submodule-path-url.sh +++ b/t/t7417-submodule-path-url.sh @@ -17,4 +17,12 @@ test_expect_success 'clone rejects unprotected dash' ' test_i18ngrep ignoring err ' +test_expect_success 'fsck rejects unprotected dash' ' + test_when_finished "rm -rf dst" && + git init --bare dst && + git -C dst config transfer.fsckObjects true && + test_must_fail git push dst HEAD 2>err && + grep gitmodulesPath err +' + test_done -- cgit v1.3-5-g9baa