debian: apply security fixes from 2.24.1

[git/debian.git] / debian / patches / 0007-fast-import-disallow-feature-import-marks-by-default.diff

From 0f2f6c8e785da26652690cd79827742871950d14 Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Thu, 29 Aug 2019 15:08:42 -0400
Subject: fast-import: disallow "feature import-marks" by default

As with export-marks in the previous commit, import-marks can access the
filesystem. This is significantly less dangerous than export-marks
because it only involves reading from arbitrary paths, rather than
writing them. However, it could still be surprising and have security
implications (e.g., exfiltrating data from a service that accepts
fast-import streams).

Let's lump it (and its "if-exists" counterpart) in with export-marks,
and enable the in-stream version only if --allow-unsafe-features is set.

Signed-off-by: Jeff King <peff@peff.net>
(cherry picked from commit a52ed76142f6e8d993bb4c50938a408966eb2b7c)
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
 Documentation/git-fast-import.txt |  3 ++-
 fast-import.c                     |  2 ++
 t/t9300-fast-import.sh            | 22 +++++++++++++++++-----
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/Documentation/git-fast-import.txt b/Documentation/git-fast-import.txt
index a94b576d64..7889f95940 100644
--- a/Documentation/git-fast-import.txt
+++ b/Documentation/git-fast-import.txt
@@ -58,7 +58,8 @@ OPTIONS
        allowing fast-import to access the filesystem outside of the
        repository). These options are disabled by default, but can be
        allowed by providing this option on the command line.  This
-       currently impacts only the `feature export-marks` command.
+       currently impacts only the `export-marks`, `import-marks`, and
+       `import-marks-if-exists` feature commands.
 +
        Only enable this option if you trust the program generating the
        fast-import stream! This option is enabled automatically for
diff --git a/fast-import.c b/fast-import.c
index 1f4e4a0438..b8b65a801c 100644
--- a/fast-import.c
+++ b/fast-import.c
@@ -3262,8 +3262,10 @@ static int parse_one_feature(const char *feature, int from_stream)
        if (skip_prefix(feature, "date-format=", &arg)) {
                option_date_format(arg);
        } else if (skip_prefix(feature, "import-marks=", &arg)) {
+               check_unsafe_feature("import-marks", from_stream);
                option_import_marks(arg, from_stream, 0);
        } else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) {
+               check_unsafe_feature("import-marks-if-exists", from_stream);
                option_import_marks(arg, from_stream, 1);
        } else if (skip_prefix(feature, "export-marks=", &arg)) {
                check_unsafe_feature(feature, from_stream);
diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
index b65555750f..17bb6dccbd 100755
--- a/t/t9300-fast-import.sh
+++ b/t/t9300-fast-import.sh
@@ -2143,6 +2143,14 @@ test_expect_success 'R: abort on receiving feature after data command' '
        test_must_fail git fast-import <input
 '
 
+test_expect_success 'R: import-marks features forbidden by default' '
+       >git.marks &&
+       echo "feature import-marks=git.marks" >input &&
+       test_must_fail git fast-import <input &&
+       echo "feature import-marks-if-exists=git.marks" >input &&
+       test_must_fail git fast-import <input
+'
+
 test_expect_success 'R: only one import-marks feature allowed per stream' '
        >git.marks &&
        >git2.marks &&
@@ -2151,7 +2159,7 @@ test_expect_success 'R: only one import-marks feature allowed per stream' '
        feature import-marks=git2.marks
        EOF
 
-       test_must_fail git fast-import <input
+       test_must_fail git fast-import --allow-unsafe-features <input
 '
 
 test_expect_success 'R: export-marks feature forbidden by default' '
@@ -2246,7 +2254,8 @@ test_expect_success 'R: --import-marks-if-exists' '
 test_expect_success 'R: feature import-marks-if-exists' '
        rm -f io.marks &&
 
-       git fast-import --export-marks=io.marks <<-\EOF &&
+       git fast-import --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=not_io.marks
        EOF
        test_must_be_empty io.marks &&
@@ -2257,7 +2266,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        echo ":1 $blob" >expect &&
        echo ":2 $blob" >>expect &&
 
-       git fast-import --export-marks=io.marks <<-\EOF &&
+       git fast-import --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=io.marks
        blob
        mark :2
@@ -2270,7 +2280,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        echo ":3 $blob" >>expect &&
 
        git fast-import --import-marks=io.marks \
-                       --export-marks=io.marks <<-\EOF &&
+                       --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=not_io.marks
        blob
        mark :3
@@ -2281,7 +2292,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        test_cmp expect io.marks &&
 
        git fast-import --import-marks-if-exists=not_io.marks \
-                       --export-marks=io.marks <<-\EOF &&
+                       --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=io.marks
        EOF
        test_must_be_empty io.marks
-- 
2.24.0.393.g34dc348eaf