debian: apply security fixes from 2.24.1
1 From baba202348a5f37844ea679e36be102fe87cfd06 Mon Sep 17 00:00:00 2001
2 From: Jonathan Nieder <jrnieder@gmail.com>
3 Date: Thu, 5 Dec 2019 01:30:43 -0800
4 Subject: fsck: reject submodule.update = !command in .gitmodules
6 This allows hosting providers to detect whether they are being used
7 to attack users using malicious 'update = !command' settings in
8 .gitmodules.
10 Since ac1fbbda2013 (submodule: do not copy unknown update mode from
11 .gitmodules, 2013-12-02), in normal cases such settings have been
12 treated as 'update = none', so forbidding them should not produce any
13 collateral damage to legitimate uses. A quick search does not reveal
14 any repositories making use of this construct, either.
16 Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
17 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
18 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
19 (cherry picked from commit bb92255ebe6bccd76227e023d6d0bc997e318ad0)
20 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
21 ---
22 fsck.c | 7 +++++++
23 t/t7406-submodule-update.sh | 14 ++++++++++++++
24 2 files changed, 21 insertions(+)
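diff --git a/fsck.c b/fsck.c
index 4faeeedf5d..ef8b343a72 100644
--- a/fsck.c
+++ b/fsck.c
@@ -68,6 +68,7 @@ static struct oidset gitmodules_done = OIDSET_INIT;
 FUNC(GITMODULES_SYMLINK, ERROR) \
 FUNC(GITMODULES_URL, ERROR) \
 FUNC(GITMODULES_PATH, ERROR) \
+ FUNC(GITMODULES_UPDATE, ERROR) \
 /* warnings */ \
 FUNC(BAD_FILEMODE, WARN) \
 FUNC(EMPTY_NAME, WARN) \
@@ -981,6 +982,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
 FSCK_MSG_GITMODULES_PATH,
 "disallowed submodule path: %s",
 value);
+ if (!strcmp(key, "update") && value &&
+ parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
+ data->ret |= report(data->options, data->obj,
+ FSCK_MSG_GITMODULES_UPDATE,
+ "disallowed submodule update setting: %s",
+ value);
 free(name);
 return 0;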
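Review bot: The new `update` check in fsck_gitmodules_fn carries no comment saying why SM_UPDATE_COMMAND is the only mode rejected, so a reader of fsck.c cannot tell from the condition that this is a transfer-time defence meant to let hosts refuse a .gitmodules that would run a command on the client. A one-line comment above the `if`, `/* update = !command would execute on the client at checkout; reject it at fsck time so hosts can refuse such .gitmodules */`, would record the intent given in the commit message. The first hunk only registers the GITMODULES_UPDATE id; if the user documentation enumerates fsck message ids, gitmodulesUpdate would presumably need listing there too, since the diffstat touches only fsck.c and the test. fsck_gitmodules_fn starts before the hunk, so how `key` and `data` are derived is not visible here.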
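diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
index 425dc3ab8e..7478f7ab7e 100755
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@ -414,6 +414,20 @@ test_expect_success 'submodule update - command in .gitmodules is rejected' '
 test_must_fail git -C super submodule update submodule
+test_expect_success 'fsck detects command in .gitmodules' '
+ git init command-in-gitmodules &&
+ (
+ cd command-in-gitmodules &&
+ git submodule add ../submodule submodule &&
+ test_commit adding-submodule &&
+ git config -f .gitmodules submodule.submodule.update "!false" &&
+ git add .gitmodules &&
+ test_commit configuring-update &&
+ test_must_fail git fsck
+ )
 cat << EOF >expect
 Execution of 'false $submodulesha1' failed in submodule path 'submodule'
 EOF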
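Review bot: `test_must_fail git fsck` at the end of the new test accepts any fsck failure, so an unrelated problem in the freshly created repository would let the test pass without the new GITMODULES_UPDATE check ever firing. Capturing stderr and matching the new message pins the test to this change: `test_must_fail git fsck 2>err &&` followed by `test_i18ngrep "disallowed submodule update setting" err`. The test also depends on a `submodule` repository created earlier in t7406 (the `../submodule` argument to `git submodule add`), which lies outside the hunk.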
76 --
77 2.24.0.393.g34dc348eaf