Sanitize and Escape refs in git backend #21464
Conversation
This comment was marked as off-topic.
This comment was marked as off-topic.
GiteaBot
added
the
lgtm/need 2
GiteaBot
added
lgtm/need 1
GiteaBot
added
lgtm/done
6543
changed the title
6543
added
the
topic/security
|
As I said on the previous PR - I think we could have just prefixed any initial Is the purpose of the panic is to detect any code that isn't checking this stuff properly? |
|
I was thinking so, to make the error more obvious. Then, the behavior has been changed to return an error, in next PR #21465 |
I would say this approach is wrong, do not guess or assume anything. |
if it's well defined what will happen it's not a guess or an assumption. |
|
This PR is just a quick patch for the reported problem. I haven't read all git commands to see that all user-provided input is a branch/commit-id, etc, I highly doubt it would be either. So for the first step I think it's fine to resolve the problems first (no normal user would submit a name with leading slash), and the AddDynamicArguments could be a general (not perfect) method to be used for some quick fixes. For next step, IMO every git command caller should take care of the argument escaping, but not by the AddArgument family -- it's too late. The work by AddArgument family do not have the context and could only "guess" what the argument is. |
|
And one more thing, as long as every git command caller can escape the argument correctly, AddDynamicArguments will never report any error. |
|
This fix the issues, improve can follow |
|
--> Refactor git command arguments and make all arguments is safe to be used #21535 |
This PR doesn't require new git version, and can be backported easily.
followup of #21462