
Backport fixes for CVE 2018-11235 #4659

Merged 22 commits on May 29, 2018

Conversation


@ethomson ethomson commented May 29, 2018

Backporting @carlosmn's fixes so that we can do an 0.27.1 security release. Thanks @carlosmn and @pks-t for the work.

carlosmn and others added 21 commits May 29, 2018 13:44
We should pretend such submodules do not exist as it can lead to RCE.
If we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.

This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.

The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.

Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to
protect Windows users.

Ideally we would check for both separators without the need for the copied
string, but this'll get us over the RCE.

This lets us check for other kinds of reserved files.

It checks against the 8.3 shortname variants, including the one which includes
the checksum as part of its name.

Given a path component it knows what to pass to the filesystem-specific
functions so we're protected even from trees which try to use the 8.3 naming
rules to get around us matching on the filename exactly.

The logic and test strings come from the equivalent git change.

These can't go into the public API yet as we don't want to introduce API or ABI
changes in a security release.

These will be used by the checkout code to detect them for the particular
filesystem they're on.

We want to reject these as they cause compatibility issues and can lead to git
writing to files outside of the repository.

We may take in names from the middle of a string so we want the caller to let us
know how long the path component is that we should be checking.

This is so we have it available for the path validity checking. In a later
commit we will start rejecting `.gitmodules` files as symlinks.

Any part of the library which asks the question can pass in the mode to have it
checked against `.gitmodules` being a symlink.

This is particularly relevant for adding entries to the index from the worktree
and for checking out files.

When dealing with `core.protectNTFS` and `core.protectHFS` we do check
against `.gitmodules` but we still have a failing test as the non-filesystem
codepath does not check for it.

We still compare case-insensitively to protect more thoroughly as we don't know
what specifics we'll see on the system and it's the behaviour from git.

We might modify caches due to us trying to load the configuration to figure out
what kinds of filesystem protections we should have.
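The two checks the commits above describe, the submodule-name check that keeps a name inside `.git/modules/` while treating both `/` and `\` as separators, and the NTFS-aware detection of a `.gitmodules` path component, as an added example in C. This is not libgit2's code: the function names, the exact rejection rules for the submodule name (empty, absolute, drive letter, any `..` component) and the portable `eq_nocase` helper are this example's own choices; the 8.3 short-name variants (GITMOD~1..4 and the checksum form GI7EBA~1..9) are the ones used by the equivalent git change.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Case-insensitive comparison of exactly n bytes (ASCII only). */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does the path component name[0..len) refer to `.gitmodules` on NTFS?
 * The caller passes the component length so names taken from the middle of a
 * longer path can be checked.  Matches the literal name case-insensitively,
 * the regular 8.3 short name GITMOD~1..GITMOD~4 and the checksum-based short
 * name GI7EBA~1..GI7EBA~9 that Windows generates once the ~1..~4 slots are
 * taken (example code; the variants follow git's is_ntfs_dotgitmodules). */
bool ntfs_is_dotgitmodules(const char *name, size_t len)
{
    if (len == 11)
        return eq_nocase(name, ".gitmodules", 11);
    if (len == 8 && eq_nocase(name, "gitmod~", 7))
        return name[7] >= '1' && name[7] <= '4';
    if (len == 8 && eq_nocase(name, "gi7eba~", 7))
        return name[7] >= '1' && name[7] <= '9';
    return false;
}

/* Does a submodule "name" stay inside .git/modules/?  Both '/' and '\\' are
 * treated as separators while walking the components, so `..\\..\\foo\\bar`
 * is rejected just like `../../foo/bar` without copying the string first.
 * Rejects empty names, absolute paths, drive-letter paths and any `..`
 * component (rules chosen for this example, not libgit2's exact policy). */
bool submodule_name_is_valid(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || name[0] == '\\')
        return false;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;
    for (const char *p = name; *p; ) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if ((size_t)(end - p) == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p = *end ? end + 1 : end;
    }
    return true;
}
```

A submodule whose name fails `submodule_name_is_valid` should have its configuration ignored, as the first commit above describes, rather than being checked out under a caller-controlled location.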
@ethomson (Member Author)

Thanks @pks-t for doing the backport.

@ethomson ethomson changed the title Backport fixes for CVE 2018-11234 and CVE 2018-11235 Backport fixes for CVE 2018-11235 May 29, 2018