| commit | e8d0608944486019ea0e1ed2ed29776811a565c2 | |
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Tue, 26 Mar 2024 13:37:25 +0000 (26 14:37 +0100) | ||
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | |
| Wed, 17 Apr 2024 20:30:04 +0000 (17 22:30 +0200) | ||
| tree | 9dec3da0e9dbd56955d0a65f07016779986c88a3 | treesnapshot (tar.gz zip) |
| parent | eafffd9ad417bdf0a3c63e5276d5a18f563cd291 | commitdiff |
submodule: require the submodule path to contain directories only
Submodules are stored in subdirectories of their superproject. When
these subdirectories have been replaced with symlinks by a malicious
actor, all kinds of mayhem can be caused.
This _should_ not be possible, but many CVEs in the past showed that
_when_ possible, it allows attackers to slip in code that gets executed
during, say, a `git clone --recursive` operation.
Let's add some defense-in-depth to disallow submodule paths to have
anything except directories in them.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Submodules are stored in subdirectories of their superproject. When
these subdirectories have been replaced with symlinks by a malicious
actor, all kinds of mayhem can be caused.
This _should_ not be possible, but many CVEs in the past showed that
_when_ possible, it allows attackers to slip in code that gets executed
during, say, a `git clone --recursive` operation.
Let's add some defense-in-depth to disallow submodule paths to have
anything except directories in them.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| builtin/submodule--helper.c | diffblobblamehistory | |
| submodule.c | diffblobblamehistory | |
| submodule.h | diffblobblamehistory | |
| t/t7423-submodule-symlinks.sh | diffblobblamehistory |