cf8f6ce02a
In the previous commit, t5619 demonstrates an issue where two calls to `get_repo_path()` could trick Git into using its local clone mechanism in conjunction with a non-local transport. That sequence is: - the starting state is that the local path https:/example.com/foo is a symlink that points to ../../../.git/modules/foo. So it's dangling. - get_repo_path() sees that no such path exists (because it's dangling), and thus we do not canonicalize it into an absolute path - because we're using --separate-git-dir, we create .git/modules/foo. Now our symlink is no longer dangling! - we pass the url to transport_get(), which sees it as an https URL. - we call get_repo_path() again, on the url. This second call was introduced byf38aa83f9a
(use local cloning if insteadOf makes a local URL, 2014-07-17). The idea is that we want to pull the url fresh from the remote.c API, because it will apply any aliases. And of course now it sees that there is a local file, which is a mismatch with the transport we already selected. The issue in the above sequence is calling `transport_get()` before deciding whether or not the repository is indeed local, and not passing in an absolute path if it is local. This is reminiscent of a similar bug report in [1], where it was suggested to perform the `insteadOf` lookup earlier. Taking that approach may not be as straightforward, since the intent is to store the original URL in the config, but to actually fetch from the insteadOf one, so conflating the two early on is a non-starter. Note: we pass the path returned by `get_repo_path(remote->url[0])`, which should be the same as `repo_name` (aside from any `insteadOf` rewrites). We *could* pass `absolute_pathdup()` of the same argument, which86521acaca
(Bring local clone's origin URL in line with that of a remote clone, 2008-09-01) indicates may differ depending on the presence of ".git/" for a non-bare repo. That matters for forming relative submodule paths, but doesn't matter for the second call, since we're just feeding it to the transport code, which is fine either way. [1]: https://lore.kernel.org/git/CAMoD=Bi41mB3QRn3JdZL-FGHs4w3C2jGpnJB-CqSndO7FMtfzA@mail.gmail.com/ Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Taylor Blau <me@ttaylorr.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
71 lines
1.9 KiB
Bash
Executable File
71 lines
1.9 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
test_description='test local clone with ambiguous transport'
|
|
|
|
. ./test-lib.sh
|
|
. "$TEST_DIRECTORY/lib-httpd.sh"
|
|
|
|
if ! test_have_prereq SYMLINKS
|
|
then
|
|
skip_all='skipping test, symlink support unavailable'
|
|
test_done
|
|
fi
|
|
|
|
start_httpd
|
|
|
|
REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git"
|
|
URI="$HTTPD_URL/dumb/sub.git"
|
|
|
|
test_expect_success 'setup' '
|
|
mkdir -p sensitive &&
|
|
echo "secret" >sensitive/secret &&
|
|
|
|
git init --bare "$REPO" &&
|
|
test_commit_bulk -C "$REPO" --ref=main 1 &&
|
|
|
|
git -C "$REPO" update-ref HEAD main &&
|
|
git -C "$REPO" update-server-info &&
|
|
|
|
git init malicious &&
|
|
(
|
|
cd malicious &&
|
|
|
|
git submodule add "$URI" &&
|
|
|
|
mkdir -p repo/refs &&
|
|
touch repo/refs/.gitkeep &&
|
|
printf "ref: refs/heads/a" >repo/HEAD &&
|
|
ln -s "$(cd .. && pwd)/sensitive" repo/objects &&
|
|
|
|
mkdir -p "$HTTPD_URL/dumb" &&
|
|
ln -s "../../../.git/modules/sub/../../../repo/" "$URI" &&
|
|
|
|
git add . &&
|
|
git commit -m "initial commit"
|
|
) &&
|
|
|
|
# Delete all of the references in our malicious submodule to
|
|
# avoid the client attempting to checkout any objects (which
|
|
# will be missing, and thus will cause the clone to fail before
|
|
# we can trigger the exploit).
|
|
git -C "$REPO" for-each-ref --format="delete %(refname)" >in &&
|
|
git -C "$REPO" update-ref --stdin <in &&
|
|
git -C "$REPO" update-server-info
|
|
'
|
|
|
|
test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' '
|
|
git clone malicious clone &&
|
|
test_must_fail git -C clone submodule update --init 2>err &&
|
|
|
|
test_path_is_missing clone/.git/modules/sub/objects/secret &&
|
|
# We would actually expect "transport .file. not allowed" here,
|
|
# but due to quirks of the URL detection in Git, we mis-parse
|
|
# the absolute path as a bogus URL and die before that step.
|
|
#
|
|
# This works for now, and if we ever fix the URL detection, it
|
|
# is OK to change this to detect the transport error.
|
|
grep "protocol .* is not supported" err
|
|
'
|
|
|
|
test_done
|