commit bb92255ebe6bccd76227e023d6d0bc997e318ad0
author Jonathan Nieder <jrnieder@gmail.com> Thu Dec 05 01:30:43 2019 -0800
committer Johannes Schindelin <johannes.schindelin@gmx.de> Fri Dec 06 16:27:38 2019 +0100
tree d506e15c7903457a57677942a619c07e36e0509e
parent bdfef0492cada3fb36f454804796bf12c79a7136

fsck: reject submodule.update = !command in .gitmodules

This allows hosting providers to detect whether they are being used
to attack users using malicious 'update = !command' settings in
.gitmodules.

Since ac1fbbda2013 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), in normal cases such settings have been
treated as 'update = none', so forbidding them should not produce any
collateral damage to legitimate uses.  A quick search does not reveal
any repositories making use of this construct, either.

Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

fsck.c

diff --git a/fsck.c b/fsck.c
index 2fc6bbc..0741e62 100644
--- a/fsck.c
+++ b/fsck.c
@@ -66,6 +66,7 @@ static struct oidset gitmodules_done = OIDSET_INIT;
 	FUNC(GITMODULES_SYMLINK, ERROR) \
 	FUNC(GITMODULES_URL, ERROR) \
 	FUNC(GITMODULES_PATH, ERROR) \
+	FUNC(GITMODULES_UPDATE, ERROR) \
 	/* warnings */ \
 	FUNC(BAD_FILEMODE, WARN) \
 	FUNC(EMPTY_NAME, WARN) \
@@ -975,6 +976,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
 				    FSCK_MSG_GITMODULES_PATH,
 				    "disallowed submodule path: %s",
 				    value);
+	if (!strcmp(key, "update") && value &&
+	    parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
+		data->ret |= report(data->options, data->obj,
+				    FSCK_MSG_GITMODULES_UPDATE,
+				    "disallowed submodule update setting: %s",
+				    value);
 	free(name);
 
 	return 0;