From 4fba32d885ad8016c96860b75262a3f377791940 Mon Sep 17 00:00:00 2001
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Thu, 5 Dec 2019 01:30:43 -0800
Subject: fsck: reject submodule.update = !command in .gitmodules
This allows hosting providers to detect whether they are being used
to attack users using malicious 'update = !command' settings in
.gitmodules.
Since ac1fbbda2013 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), in normal cases such settings have been
treated as 'update = none', so forbidding them should not produce any
collateral damage to legitimate uses. A quick search does not reveal
any repositories making use of this construct, either.
Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
(cherry picked from commit bb92255ebe6bccd76227e023d6d0bc997e318ad0)
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
fsck.c | 7 +++++++
t/t7406-submodule-update.sh | 14 ++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/fsck.c b/fsck.c
index b0526dd2b6..535f806c67 100644
--- a/fsck.c
+++ b/fsck.c
@@ -68,6 +68,7 @@ static struct oidset gitmodules_done = OIDSET_INIT;
FUNC(GITMODULES_SYMLINK, ERROR) \
FUNC(GITMODULES_URL, ERROR) \
FUNC(GITMODULES_PATH, ERROR) \
+ FUNC(GITMODULES_UPDATE, ERROR) \
/* warnings */ \
FUNC(BAD_FILEMODE, WARN) \
FUNC(EMPTY_NAME, WARN) \
@@ -1016,6 +1017,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
FSCK_MSG_GITMODULES_PATH,
"disallowed submodule path: %s",
value);
+ if (!strcmp(key, "update") && value &&
+ parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
+ data->ret |= report(data->options, data->obj,
+ FSCK_MSG_GITMODULES_UPDATE,
+ "disallowed submodule update setting: %s",
+ value);
free(name);
return 0;
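Review bot: The new check at `if (!strcmp(key, "update") && value &&` has no comment saying why an `update` value that parses as `SM_UPDATE_COMMAND` is a fsck error, and the reason (the setting makes `git submodule update` run a command taken from .gitmodules, which the commit message describes) is what a later reader of fsck.c will need. I would add `/* '!command' would run an arbitrary command on "git submodule update" */` directly above the condition. The condition itself mirrors the `path` check just above it in the hunk, so the shape is consistent; I read `parse_submodule_update_type` as the same parser the submodule code uses, but that is inferred since its definition is outside this hunk. fsck_gitmodules_fn begins before the hunk, so `key` and `name` are declared outside the visible lines.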
diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
index 778352e313..ad7d8fa69e 100755
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@ -415,6 +415,20 @@ test_expect_success 'submodule update - command in .gitmodules is rejected' '
test_must_fail git -C super submodule update submodule
'
+test_expect_success 'fsck detects command in .gitmodules' '
+ git init command-in-gitmodules &&
+ (
+ cd command-in-gitmodules &&
+ git submodule add ../submodule submodule &&
+ test_commit adding-submodule &&
+
+ git config -f .gitmodules submodule.submodule.update "!false" &&
+ git add .gitmodules &&
+ test_commit configuring-update &&
+ test_must_fail git fsck
+ )
+'
+
cat << EOF >expect
Execution of 'false $submodulesha1' failed in submodule path 'submodule'
EOF
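Review bot: The new test ends with `test_must_fail git fsck` and so only asserts a non-zero exit; a fsck failure for any other reason in this repository (for example the existing `path` or `url` checks in fsck.c) would also pass it. Capturing stderr and matching the message added in fsck.c pins the intent: `test_must_fail git fsck 2>err &&` followed by `grep "disallowed submodule update setting" err`. The test body is complete within the hunk.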
--
2.24.0.393.g34dc348eaf