diff options
author | Jonathan Nieder <jrnieder@gmail.com> | 2019-12-05 10:30:43 +0100 |
---|---|---|
committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-12-06 16:27:38 +0100 |
commit | bb92255ebe6bccd76227e023d6d0bc997e318ad0 (patch) | |
tree | d506e15c7903457a57677942a619c07e36e0509e | |
parent | Sync with 2.16.6 (diff) | |
download | git-bb92255ebe6bccd76227e023d6d0bc997e318ad0.tar.xz git-bb92255ebe6bccd76227e023d6d0bc997e318ad0.zip |
fsck: reject submodule.update = !command in .gitmodules
This allows hosting providers to detect whether they are being used
to attack users using malicious 'update = !command' settings in
.gitmodules.
Since ac1fbbda2013 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), in normal cases such settings have been
treated as 'update = none', so forbidding them should not produce any
collateral damage to legitimate uses. A quick search does not reveal
any repositories making use of this construct, either.
Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-rw-r--r-- | fsck.c | 7 | ||||
-rwxr-xr-x | t/t7406-submodule-update.sh | 14 |
2 files changed, 21 insertions, 0 deletions
@@ -66,6 +66,7 @@ static struct oidset gitmodules_done = OIDSET_INIT; FUNC(GITMODULES_SYMLINK, ERROR) \ FUNC(GITMODULES_URL, ERROR) \ FUNC(GITMODULES_PATH, ERROR) \ + FUNC(GITMODULES_UPDATE, ERROR) \ /* warnings */ \ FUNC(BAD_FILEMODE, WARN) \ FUNC(EMPTY_NAME, WARN) \ @@ -975,6 +976,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata) FSCK_MSG_GITMODULES_PATH, "disallowed submodule path: %s", value); + if (!strcmp(key, "update") && value && + parse_submodule_update_type(value) == SM_UPDATE_COMMAND) + data->ret |= report(data->options, data->obj, + FSCK_MSG_GITMODULES_UPDATE, + "disallowed submodule update setting: %s", + value); free(name); return 0; diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh index 779932457a..ceb5eed6e1 100755 --- a/t/t7406-submodule-update.sh +++ b/t/t7406-submodule-update.sh @@ -414,6 +414,20 @@ test_expect_success 'submodule update - command in .gitmodules is rejected' ' test_must_fail git -C super submodule update submodule ' +test_expect_success 'fsck detects command in .gitmodules' ' + git init command-in-gitmodules && + ( + cd command-in-gitmodules && + git submodule add ../submodule submodule && + test_commit adding-submodule && + + git config -f .gitmodules submodule.submodule.update "!false" && + git add .gitmodules && + test_commit configuring-update && + test_must_fail git fsck + ) +' + cat << EOF >expect Execution of 'false $submodulesha1' failed in submodule path 'submodule' EOF |