debian/patches/0007-fast-import-disallow-feature-import-marks-by-default.diff - jrn/git - Git at Google

 From cbf8dcb9e2fde6fdfc15df4fca678938fe5d473c Mon Sep 17 00:00:00 2001
 From: Jeff King <peff@peff.net>
 Date: Thu, 29 Aug 2019 15:08:42 -0400
 Subject: fast-import: disallow "feature import-marks" by default

 As with export-marks in the previous commit, import-marks can access the
 filesystem. This is significantly less dangerous than export-marks
 because it only involves reading from arbitrary paths, rather than
 writing them. However, it could still be surprising and have security
 implications (e.g., exfiltrating data from a service that accepts
 fast-import streams).

 Let's lump it (and its "if-exists" counterpart) in with export-marks,
 and enable the in-stream version only if --allow-unsafe-features is set.

 Signed-off-by: Jeff King <peff@peff.net>
 (cherry picked from commit a52ed76142f6e8d993bb4c50938a408966eb2b7c)
 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
 ---
  Documentation/git-fast-import.txt |  3 ++-
  fast-import.c                     |  2 ++
  t/t9300-fast-import.sh            | 22 +++++++++++++++++-----
  3 files changed, 21 insertions(+), 6 deletions(-)

 diff --git a/Documentation/git-fast-import.txt b/Documentation/git-fast-import.txt
 index e90b3b8dff..9e3b9581d7 100644
 --- a/Documentation/git-fast-import.txt
 +++ b/Documentation/git-fast-import.txt
 @@ -57,7 +57,8 @@ OPTIONS
  	allowing fast-import to access the filesystem outside of the
  	repository). These options are disabled by default, but can be
  	allowed by providing this option on the command line.  This
 -	currently impacts only the `feature export-marks` command.
 +	currently impacts only the `export-marks`, `import-marks`, and
 +	`import-marks-if-exists` feature commands.
  +
  	Only enable this option if you trust the program generating the
  	fast-import stream! This option is enabled automatically for
 diff --git a/fast-import.c b/fast-import.c
 index e17be6bb54..c8b372bc4a 100644
 --- a/fast-import.c
 +++ b/fast-import.c
 @@ -3314,8 +3314,10 @@ static int parse_one_feature(const char *feature, int from_stream)
  	if (skip_prefix(feature, "date-format=", &arg)) {
  		option_date_format(arg);
  	} else if (skip_prefix(feature, "import-marks=", &arg)) {
 +		check_unsafe_feature("import-marks", from_stream);
  		option_import_marks(arg, from_stream, 0);
  	} else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) {
 +		check_unsafe_feature("import-marks-if-exists", from_stream);
  		option_import_marks(arg, from_stream, 1);
  	} else if (skip_prefix(feature, "export-marks=", &arg)) {
  		check_unsafe_feature(feature, from_stream);
 diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
 index 9af3d99eac..377c2b4958 100755
 --- a/t/t9300-fast-import.sh
 +++ b/t/t9300-fast-import.sh
 @@ -2106,6 +2106,14 @@ test_expect_success 'R: abort on receiving feature after data command' '
  	test_must_fail git fast-import <input
  '

 +test_expect_success 'R: import-marks features forbidden by default' '
 +	>git.marks &&
 +	echo "feature import-marks=git.marks" >input &&
 +	test_must_fail git fast-import <input &&
 +	echo "feature import-marks-if-exists=git.marks" >input &&
 +	test_must_fail git fast-import <input
 +'
 +
  test_expect_success 'R: only one import-marks feature allowed per stream' '
  	>git.marks &&
  	>git2.marks &&
 @@ -2114,7 +2122,7 @@ test_expect_success 'R: only one import-marks feature allowed per stream' '
  	feature import-marks=git2.marks
  	EOF

 -	test_must_fail git fast-import <input
 +	test_must_fail git fast-import --allow-unsafe-features <input
  '

  test_expect_success 'R: export-marks feature forbidden by default' '
 @@ -2209,7 +2217,8 @@ test_expect_success 'R: --import-marks-if-exists' '
  test_expect_success 'R: feature import-marks-if-exists' '
  	rm -f io.marks &&

 -	git fast-import --export-marks=io.marks <<-\EOF &&
 +	git fast-import --export-marks=io.marks \
 +			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=not_io.marks
  	EOF
  	test_must_be_empty io.marks &&
 @@ -2220,7 +2229,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
  	echo ":1 $blob" >expect &&
  	echo ":2 $blob" >>expect &&

 -	git fast-import --export-marks=io.marks <<-\EOF &&
 +	git fast-import --export-marks=io.marks \
 +			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=io.marks
  	blob
  	mark :2
 @@ -2233,7 +2243,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
  	echo ":3 $blob" >>expect &&

  	git fast-import --import-marks=io.marks \
 -			--export-marks=io.marks <<-\EOF &&
 +			--export-marks=io.marks \
 +			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=not_io.marks
  	blob
  	mark :3
 @@ -2244,7 +2255,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
  	test_cmp expect io.marks &&

  	git fast-import --import-marks-if-exists=not_io.marks \
 -			--export-marks=io.marks <<-\EOF &&
 +			--export-marks=io.marks \
 +			--allow-unsafe-features <<-\EOF &&
  	feature import-marks-if-exists=io.marks
  	EOF
  	test_must_be_empty io.marks
 --
 2.24.0.393.g34dc348eaf
	From cbf8dcb9e2fde6fdfc15df4fca678938fe5d473c Mon Sep 17 00:00:00 2001
	From: Jeff King <peff@peff.net>
	Date: Thu, 29 Aug 2019 15:08:42 -0400
	Subject: fast-import: disallow "feature import-marks" by default

	As with export-marks in the previous commit, import-marks can access the
	filesystem. This is significantly less dangerous than export-marks
	because it only involves reading from arbitrary paths, rather than
	writing them. However, it could still be surprising and have security
	implications (e.g., exfiltrating data from a service that accepts
	fast-import streams).

	Let's lump it (and its "if-exists" counterpart) in with export-marks,
	and enable the in-stream version only if --allow-unsafe-features is set.

	Signed-off-by: Jeff King <peff@peff.net>
	(cherry picked from commit a52ed76142f6e8d993bb4c50938a408966eb2b7c)
	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	---
	Documentation/git-fast-import.txt \| 3 ++-
	fast-import.c \| 2 ++
	t/t9300-fast-import.sh \| 22 +++++++++++++++++-----
	3 files changed, 21 insertions(+), 6 deletions(-)

	diff --git a/Documentation/git-fast-import.txt b/Documentation/git-fast-import.txt
	index e90b3b8dff..9e3b9581d7 100644
	--- a/Documentation/git-fast-import.txt
	+++ b/Documentation/git-fast-import.txt
	@@ -57,7 +57,8 @@ OPTIONS
	allowing fast-import to access the filesystem outside of the
	repository). These options are disabled by default, but can be
	allowed by providing this option on the command line. This
	- currently impacts only the `feature export-marks` command.
	+ currently impacts only the `export-marks`, `import-marks`, and
	+ `import-marks-if-exists` feature commands.
	+
	Only enable this option if you trust the program generating the
	fast-import stream! This option is enabled automatically for
	diff --git a/fast-import.c b/fast-import.c
	index e17be6bb54..c8b372bc4a 100644
	--- a/fast-import.c
	+++ b/fast-import.c
	@@ -3314,8 +3314,10 @@ static int parse_one_feature(const char *feature, int from_stream)
	if (skip_prefix(feature, "date-format=", &arg)) {
	option_date_format(arg);
	} else if (skip_prefix(feature, "import-marks=", &arg)) {
	+ check_unsafe_feature("import-marks", from_stream);
	option_import_marks(arg, from_stream, 0);
	} else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) {
	+ check_unsafe_feature("import-marks-if-exists", from_stream);
	option_import_marks(arg, from_stream, 1);
	} else if (skip_prefix(feature, "export-marks=", &arg)) {
	check_unsafe_feature(feature, from_stream);
	diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
	index 9af3d99eac..377c2b4958 100755
	--- a/t/t9300-fast-import.sh
	+++ b/t/t9300-fast-import.sh
	@@ -2106,6 +2106,14 @@ test_expect_success 'R: abort on receiving feature after data command' '
	test_must_fail git fast-import <input
	'

	+test_expect_success 'R: import-marks features forbidden by default' '
	+ >git.marks &&
	+ echo "feature import-marks=git.marks" >input &&
	+ test_must_fail git fast-import <input &&
	+ echo "feature import-marks-if-exists=git.marks" >input &&
	+ test_must_fail git fast-import <input
	+'
	+
	test_expect_success 'R: only one import-marks feature allowed per stream' '
	>git.marks &&
	>git2.marks &&
	@@ -2114,7 +2122,7 @@ test_expect_success 'R: only one import-marks feature allowed per stream' '
	feature import-marks=git2.marks
	EOF

	- test_must_fail git fast-import <input
	+ test_must_fail git fast-import --allow-unsafe-features <input
	'

	test_expect_success 'R: export-marks feature forbidden by default' '
	@@ -2209,7 +2217,8 @@ test_expect_success 'R: --import-marks-if-exists' '
	test_expect_success 'R: feature import-marks-if-exists' '
	rm -f io.marks &&

	- git fast-import --export-marks=io.marks <<-\EOF &&
	+ git fast-import --export-marks=io.marks \
	+ --allow-unsafe-features <<-\EOF &&
	feature import-marks-if-exists=not_io.marks
	EOF
	test_must_be_empty io.marks &&
	@@ -2220,7 +2229,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
	echo ":1 $blob" >expect &&
	echo ":2 $blob" >>expect &&

	- git fast-import --export-marks=io.marks <<-\EOF &&
	+ git fast-import --export-marks=io.marks \
	+ --allow-unsafe-features <<-\EOF &&
	feature import-marks-if-exists=io.marks
	blob
	mark :2
	@@ -2233,7 +2243,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
	echo ":3 $blob" >>expect &&

	git fast-import --import-marks=io.marks \
	- --export-marks=io.marks <<-\EOF &&
	+ --export-marks=io.marks \
	+ --allow-unsafe-features <<-\EOF &&
	feature import-marks-if-exists=not_io.marks
	blob
	mark :3
	@@ -2244,7 +2255,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
	test_cmp expect io.marks &&

	git fast-import --import-marks-if-exists=not_io.marks \
	- --export-marks=io.marks <<-\EOF &&
	+ --export-marks=io.marks \
	+ --allow-unsafe-features <<-\EOF &&
	feature import-marks-if-exists=io.marks
	EOF
	test_must_be_empty io.marks
	--
	2.24.0.393.g34dc348eaf