Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gitutils: add validation for ref (CVE-2019-13139) #38944

Merged
merged 1 commit into from Mar 27, 2019

Conversation

@andrewhsu
Copy link
Contributor

commented Mar 26, 2019

From a fix that @tonistiigi created, this PR adds validation for git ref so it can't be misinterpreted as a flag. fetch -- is a cleaner option but as it is theoretically possible to also hit it in checkout there's a custom validation as well.

Thanks to @staaldraad for pointing this issue out originally.

cc @justincormack

gitutils: add validation for ref
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
@thaJeztah
Copy link
Member

left a comment

LGTM

@codecov

This comment has been minimized.

Copy link

commented Mar 27, 2019

Codecov Report

❗️ No coverage uploaded for pull request base (master@639880e). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #38944   +/-   ##
=========================================
  Coverage          ?    36.9%           
=========================================
  Files             ?      614           
  Lines             ?    45404           
  Branches          ?        0           
=========================================
  Hits              ?    16757           
  Misses            ?    26357           
  Partials          ?     2290

@thaJeztah thaJeztah merged commit be7ac8b into moby:master Mar 27, 2019

9 checks passed

codecov/patch 100% of diff hit (target 50%)
Details
codecov/project No report found to compare against
Details
dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 44614 has succeeded
Details
janky Jenkins build Docker-PRs 53446 has succeeded
Details
powerpc Jenkins build Docker-PRs-powerpc 13814 has succeeded
Details
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 24577 has succeeded
Details
windowsRS5-process Jenkins build Docker-PRs-WoW-RS5-Process 1903 has succeeded
Details
z Jenkins build Docker-PRs-s390x 13708 has succeeded
Details
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Mar 27, 2019
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
relevant changes;

- moby/moby#38006 / docker/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@andrewhsu andrewhsu deleted the andrewhsu:gitutils branch Mar 27, 2019

docker-jenkins pushed a commit to docker/docker-ce that referenced this pull request Mar 27, 2019
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
relevant changes;

- moby/moby#38006 / docker/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 010c234a0d5a03d450ebec60be37dd9f279feeca
Component: cli

@thaJeztah thaJeztah changed the title gitutils: add validation for ref gitutils: add validation for ref (CVE-2019-13139) Jul 15, 2019

@staaldraad

This comment has been minimized.

Copy link

commented Jul 15, 2019

For reference

I requested a CVE and CVE-2019-13139 has been reserved for this issue.

@thaJeztah

This comment has been minimized.

Copy link
Member

commented Jul 15, 2019

@staaldraad thanks! I got notified of the CVE, so updated the titles of all the related PR's to include it 👍

We should probably update the release notes as well; https://github.com/docker/docker.github.io/blob/master/engine/release-notes.md#18094

Let me know if you're interested in opening a pull request in that repository, or if you want me to do so

@staaldraad

This comment has been minimized.

Copy link

commented Jul 15, 2019

Thanks @thaJeztah 🎉

I've opened a PR -- wanted to tag you in as reviewer but it seems like labels and reviewers aren't available to non-project members

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.