3 test_description
='check broken or malicious patterns in .git* files
7 - presence of .. in submodule names;
8 Exercise the name-checking function on a variety of names, and then give a
9 real-world setup that confirms we catch this in practice.
11 - nested submodule names
13 - symlinked .gitmodules, etc
16 TEST_PASSES_SANITIZE_LEAK
=true
18 .
"$TEST_DIRECTORY"/lib-pack.sh
20 test_expect_success
'setup' '
21 git config --global protocol.file.allow always
24 test_expect_success
'check names' '
25 cat >expect <<-\EOF &&
30 test-tool submodule check-name >actual <<-\EOF &&
45 test_cmp expect actual
48 test_expect_success
'create innocent subrepo' '
50 git -C innocent commit --allow-empty -m foo
53 test_expect_success
'submodule add refuses invalid names' '
55 git submodule add --name ../../modules/evil "$PWD/innocent" evil
58 test_expect_success
'add evil submodule' '
59 git submodule add "$PWD/innocent" evil &&
62 cp -r .git/modules/evil modules &&
63 write_script modules/evil/hooks/post-checkout <<-\EOF &&
64 echo >&2 "RUNNING POST CHECKOUT"
67 git config -f .gitmodules submodule.evil.update checkout &&
68 git config -f .gitmodules --rename-section \
69 submodule.evil submodule.../../modules/evil &&
74 # This step seems like it shouldn't be necessary, since the payload is
75 # contained entirely in the evil submodule. But due to the vagaries of the
76 # submodule code, checking out the evil module will fail unless ".git/modules"
77 # exists. Adding another submodule (with a name that sorts before "evil") is an
78 # easy way to make sure this is the case in the victim clone.
79 test_expect_success
'add other submodule' '
80 git submodule add "$PWD/innocent" another-module &&
81 git add another-module &&
82 git commit -am another
85 test_expect_success
'clone evil superproject' '
86 git clone --recurse-submodules . victim >output 2>&1 &&
87 ! grep "RUNNING POST CHECKOUT" output
90 test_expect_success
'fsck detects evil superproject' '
91 test_must_fail git fsck
94 test_expect_success
'transfer.fsckObjects detects evil superproject (unpack)' '
96 git init --bare dst.git &&
97 git -C dst.git config transfer.fsckObjects true &&
98 test_must_fail git push dst.git HEAD
101 test_expect_success
'transfer.fsckObjects detects evil superproject (index)' '
103 git init --bare dst.git &&
104 git -C dst.git config transfer.fsckObjects true &&
105 git -C dst.git config transfer.unpackLimit 1 &&
106 test_must_fail git push dst.git HEAD
109 # Normally our packs contain commits followed by trees followed by blobs. This
110 # reverses the order, which requires backtracking to find the context of a
111 # blob. We'll start with a fresh gitmodules-only tree to make it simpler.
112 test_expect_success
'create oddly ordered pack' '
113 git checkout --orphan odd &&
114 git rm -rf --cached . &&
115 git add .gitmodules &&
119 pack_obj $(git rev-parse HEAD:.gitmodules) &&
120 pack_obj $(git rev-parse HEAD^{tree}) &&
121 pack_obj $(git rev-parse HEAD)
123 pack_trailer odd.pack
126 test_expect_success
'transfer.fsckObjects handles odd pack (unpack)' '
128 git init --bare dst.git &&
129 test_must_fail git -C dst.git unpack-objects --strict <odd.pack
132 test_expect_success
'transfer.fsckObjects handles odd pack (index)' '
134 git init --bare dst.git &&
135 test_must_fail git -C dst.git index-pack --strict --stdin <odd.pack
138 test_expect_success
'index-pack --strict works for non-repo pack' '
140 git init --bare dst.git &&
141 cp odd.pack dst.git &&
142 test_must_fail git -C dst.git index-pack --strict odd.pack 2>output &&
143 # Make sure we fail due to bad gitmodules content, not because we
144 # could not read the blob in the first place.
145 grep gitmodulesName output
148 check_dotx_symlink
() {
149 fsck_must_fail
=test_must_fail
164 dir
=symlink-
$name-$type
166 test_expect_success
"set up repo with symlinked $name ($type)" '
171 # Make the tree directly to avoid index restrictions.
173 # Because symlinks store the target as a blob, choose
174 # a pathname that could be parsed as a .gitmodules file
175 # to trick naive non-symlink-aware checking.
176 tricky="[foo]bar=true" &&
177 content=$(git hash-object -w ../.gitmodules) &&
178 target=$(printf "$tricky" | git hash-object -w --stdin) &&
180 printf "100644 blob $content\t$tricky\n" &&
181 printf "120000 blob $target\t$path\n"
184 tree=$(git -C $dir mktree <$dir/bad-tree)
187 test_expect_success
"fsck detects symlinked $name ($type)" '
191 # Check not only that we fail, but that it is due to the
193 $fsck_must_fail git fsck 2>output &&
194 grep "$fsck_prefix.*tree $tree: ${name}Symlink" output
198 test -n "$refuse_index" &&
199 test_expect_success
"refuse to load symlinked $name into index ($type)" '
202 -c core.protectntfs \
204 read-tree $tree 2>err &&
205 grep "invalid path.*$name" err &&
206 git -C $dir ls-files -s >out &&
207 test_must_be_empty out
211 check_dotx_symlink gitmodules vanilla .gitmodules
212 check_dotx_symlink gitmodules ntfs
".gitmodules ."
213 check_dotx_symlink gitmodules hfs
".${u200c}gitmodules"
215 check_dotx_symlink
--warning gitattributes vanilla .gitattributes
216 check_dotx_symlink
--warning gitattributes ntfs
".gitattributes ."
217 check_dotx_symlink
--warning gitattributes hfs
".${u200c}gitattributes"
219 check_dotx_symlink
--warning gitignore vanilla .gitignore
220 check_dotx_symlink
--warning gitignore ntfs
".gitignore ."
221 check_dotx_symlink
--warning gitignore hfs
".${u200c}gitignore"
223 check_dotx_symlink
--warning mailmap vanilla .mailmap
224 check_dotx_symlink
--warning mailmap ntfs
".mailmap ."
225 check_dotx_symlink
--warning mailmap hfs
".${u200c}mailmap"
227 test_expect_success
'fsck detects non-blob .gitmodules' '
232 # As above, make the funny tree directly to avoid index
235 cp ../.gitmodules subdir/file &&
236 git add subdir/file &&
238 git ls-tree HEAD | sed s/subdir/.gitmodules/ | git mktree &&
240 test_must_fail git fsck 2>output &&
241 test_i18ngrep gitmodulesBlob output
245 test_expect_success
'fsck detects corrupt .gitmodules' '
250 echo "[broken" >.gitmodules &&
251 git add .gitmodules &&
252 git commit -m "broken gitmodules" &&
255 test_i18ngrep gitmodulesParse output &&
256 test_i18ngrep ! "bad config" output
260 test_expect_success WINDOWS
'prevent git~1 squatting on Windows' '
261 git init squatting &&
268 git commit -m initial &&
270 modules="$(test_write_lines \
271 "[submodule \"b.\"]" "url = ." "path = c" \
272 "[submodule \"b\"]" "url = ." "path = d\\\\a" |
273 git hash-object -w --stdin)" &&
274 rev="$(git rev-parse --verify HEAD)" &&
275 hash="$(echo x | git hash-object -w --stdin)" &&
276 test_must_fail git update-index --add \
277 --cacheinfo 160000,$rev,d\\a 2>err &&
278 test_i18ngrep "Invalid path" err &&
279 git -c core.protectNTFS=false update-index --add \
280 --cacheinfo 100644,$modules,.gitmodules \
281 --cacheinfo 160000,$rev,c \
282 --cacheinfo 160000,$rev,d\\a \
283 --cacheinfo 100644,$hash,d./a/x \
284 --cacheinfo 100644,$hash,d./a/..git &&
286 git -c core.protectNTFS=false commit -m "module"
288 if test_have_prereq MINGW
290 test_must_fail git -c core.protectNTFS=false \
291 clone --recurse-submodules squatting squatting-clone 2>err &&
292 test_i18ngrep -e "directory not empty" -e "not an empty directory" err &&
293 ! grep gitdir squatting-clone/d/a/git~2
297 test_expect_success
'git dirs of sibling submodules must not be nested' '
299 test_commit -C nested nested &&
302 cat >.gitmodules <<-EOF &&
306 [submodule "hippo/hooks"]
310 git clone . thing1 &&
311 git clone . thing2 &&
312 git add .gitmodules thing1 thing2 &&
316 test_must_fail git clone --recurse-submodules nested clone 2>err &&
317 test_i18ngrep "is inside git dir" err