| From edfc470cc2894e9e0771571cb0d7fbf2d8ed995d Mon Sep 17 00:00:00 2001 |
| From: Jeff King <peff@peff.net> |
| Date: Thu, 29 Aug 2019 15:08:42 -0400 |
| Subject: fast-import: disallow "feature import-marks" by default |
| |
| commit a52ed76142f6e8d993bb4c50938a408966eb2b7c upstream. |
| |
| As with export-marks in the previous commit, import-marks can access the |
| filesystem. This is significantly less dangerous than export-marks |
| because it only involves reading from arbitrary paths, rather than |
| writing them. However, it could still be surprising and have security |
| implications (e.g., exfiltrating data from a service that accepts |
| fast-import streams). |
| |
| Let's lump it (and its "if-exists" counterpart) in with export-marks, |
| and enable the in-stream version only if --allow-unsafe-features is set. |
| |
| Signed-off-by: Jeff King <peff@peff.net> |
| Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> |
| --- |
| Documentation/git-fast-import.txt | 3 ++- |
| fast-import.c | 2 ++ |
| t/t9300-fast-import.sh | 22 +++++++++++++++++----- |
| 3 files changed, 21 insertions(+), 6 deletions(-) |
| |
| diff --git a/Documentation/git-fast-import.txt b/Documentation/git-fast-import.txt |
| index 55b4b203fb..221f679cb8 100644 |
| --- a/Documentation/git-fast-import.txt |
| +++ b/Documentation/git-fast-import.txt |
| @@ -57,7 +57,8 @@ OPTIONS |
| allowing fast-import to access the filesystem outside of the |
| repository). These options are disabled by default, but can be |
| allowed by providing this option on the command line. This |
| - currently impacts only the `feature export-marks` command. |
| + currently impacts only the `export-marks`, `import-marks`, and |
| + `import-marks-if-exists` feature commands. |
| + |
| Only enable this option if you trust the program generating the |
| fast-import stream! This option is enabled automatically for |
| diff --git a/fast-import.c b/fast-import.c |
| index 7ed61a9dad..61796517ac 100644 |
| --- a/fast-import.c |
| +++ b/fast-import.c |
| @@ -3337,8 +3337,10 @@ static int parse_one_feature(const char *feature, int from_stream) |
| if (skip_prefix(feature, "date-format=", &arg)) { |
| option_date_format(arg); |
| } else if (skip_prefix(feature, "import-marks=", &arg)) { |
| + check_unsafe_feature("import-marks", from_stream); |
| option_import_marks(arg, from_stream, 0); |
| } else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) { |
| + check_unsafe_feature("import-marks-if-exists", from_stream); |
| option_import_marks(arg, from_stream, 1); |
| } else if (skip_prefix(feature, "export-marks=", &arg)) { |
| check_unsafe_feature(feature, from_stream); |
| diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh |
| index 30b7c8a1f6..f8771e2766 100755 |
| --- a/t/t9300-fast-import.sh |
| +++ b/t/t9300-fast-import.sh |
| @@ -2106,6 +2106,14 @@ test_expect_success 'R: abort on receiving feature after data command' ' |
| test_must_fail git fast-import <input |
| ' |
| |
| +test_expect_success 'R: import-marks features forbidden by default' ' |
| + >git.marks && |
| + echo "feature import-marks=git.marks" >input && |
| + test_must_fail git fast-import <input && |
| + echo "feature import-marks-if-exists=git.marks" >input && |
| + test_must_fail git fast-import <input |
| +' |
| + |
| test_expect_success 'R: only one import-marks feature allowed per stream' ' |
| >git.marks && |
| >git2.marks && |
| @@ -2114,7 +2122,7 @@ test_expect_success 'R: only one import-marks feature allowed per stream' ' |
| feature import-marks=git2.marks |
| EOF |
| |
| - test_must_fail git fast-import <input |
| + test_must_fail git fast-import --allow-unsafe-features <input |
| ' |
| |
| test_expect_success 'R: export-marks feature forbidden by default' ' |
| @@ -2210,7 +2218,8 @@ test_expect_success 'R: feature import-marks-if-exists' ' |
| rm -f io.marks && |
| >expect && |
| |
| - git fast-import --export-marks=io.marks <<-\EOF && |
| + git fast-import --export-marks=io.marks \ |
| + --allow-unsafe-features <<-\EOF && |
| feature import-marks-if-exists=not_io.marks |
| EOF |
| test_cmp expect io.marks && |
| @@ -2221,7 +2230,8 @@ test_expect_success 'R: feature import-marks-if-exists' ' |
| echo ":1 $blob" >expect && |
| echo ":2 $blob" >>expect && |
| |
| - git fast-import --export-marks=io.marks <<-\EOF && |
| + git fast-import --export-marks=io.marks \ |
| + --allow-unsafe-features <<-\EOF && |
| feature import-marks-if-exists=io.marks |
| blob |
| mark :2 |
| @@ -2234,7 +2244,8 @@ test_expect_success 'R: feature import-marks-if-exists' ' |
| echo ":3 $blob" >>expect && |
| |
| git fast-import --import-marks=io.marks \ |
| - --export-marks=io.marks <<-\EOF && |
| + --export-marks=io.marks \ |
| + --allow-unsafe-features <<-\EOF && |
| feature import-marks-if-exists=not_io.marks |
| blob |
| mark :3 |
| @@ -2247,7 +2258,8 @@ test_expect_success 'R: feature import-marks-if-exists' ' |
| >expect && |
| |
| git fast-import --import-marks-if-exists=not_io.marks \ |
| - --export-marks=io.marks <<-\EOF && |
| + --export-marks=io.marks \ |
| + --allow-unsafe-features <<-\EOF && |
| feature import-marks-if-exists=io.marks |
| EOF |
| test_cmp expect io.marks |
| -- |
| 2.24.0.393.g34dc348eaf |
| |