thodg/libgit2/tests/submodule/escape.c
-
Show log
Commit
-
Hash : f77e40a1
Author :
Date : 2018-04-30T13:47:15
submodule: ignore submodules which include path traversal in their name If the we decide that the "name" of the submodule (i.e. its path inside `.git/modules/`) is trying to escape that directory or otherwise trick us, we ignore the configuration for that submodule. This leaves us with a half-configured submodule when looking it up by path, but it's the same result as if the configuration really were missing. The name check is potentially more strict than it needs to be, but it lets us re-use the check we're doing for the checkout. The function that encapsulates this logic is ready to be exported but we don't want to do that in a security release so it remains internal for now.
-
tests/submodule/escape.c
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
#include "clar_libgit2.h" #include "posix.h" #include "path.h" #include "submodule_helpers.h" #include "fileops.h" #include "repository.h" static git_repository *g_repo = NULL; void test_submodule_escape__cleanup(void) { cl_git_sandbox_cleanup(); } #define EVIL_SM_NAME "../../modules/evil" #define EVIL_SM_NAME_WINDOWS "..\\\\..\\\\modules\\\\evil" #define EVIL_SM_NAME_WINDOWS_UNESC "..\\..\\modules\\evil" static int find_evil(git_submodule *sm, const char *name, void *payload) { int *foundit = (int *) payload; GIT_UNUSED(sm); if (!git__strcmp(EVIL_SM_NAME, name) || !git__strcmp(EVIL_SM_NAME_WINDOWS_UNESC, name)) *foundit = true; return 0; } void test_submodule_escape__from_gitdir(void) { int foundit; git_submodule *sm; git_buf buf = GIT_BUF_INIT; unsigned int sm_location; g_repo = setup_fixture_submodule_simple(); cl_git_pass(git_buf_joinpath(&buf, git_repository_workdir(g_repo), ".gitmodules")); cl_git_rewritefile(buf.ptr, "[submodule \"" EVIL_SM_NAME "\"]\n" " path = testrepo\n" " url = ../testrepo.git\n"); /* Find it all the different ways we know about it */ foundit = 0; cl_git_pass(git_submodule_foreach(g_repo, find_evil, &foundit)); cl_assert_equal_i(0, foundit); cl_git_fail_with(GIT_ENOTFOUND, git_submodule_lookup(&sm, g_repo, EVIL_SM_NAME)); /* * We do know about this as it's in the index and HEAD, but the data is * incomplete as there is no configured data for it (we pretend it * doesn't exist). This leaves us with an odd situation but it's * consistent with what we would do if we did add a submodule with no * configuration. */ cl_git_pass(git_submodule_lookup(&sm, g_repo, "testrepo")); cl_git_pass(git_submodule_location(&sm_location, sm)); cl_assert_equal_i(GIT_SUBMODULE_STATUS_IN_INDEX | GIT_SUBMODULE_STATUS_IN_HEAD, sm_location); git_submodule_free(sm); } void test_submodule_escape__from_gitdir_windows(void) { int foundit; git_submodule *sm; git_buf buf = GIT_BUF_INIT; unsigned int sm_location; g_repo = setup_fixture_submodule_simple(); cl_git_pass(git_buf_joinpath(&buf, git_repository_workdir(g_repo), ".gitmodules")); cl_git_rewritefile(buf.ptr, "[submodule \"" EVIL_SM_NAME_WINDOWS "\"]\n" " path = testrepo\n" " url = ../testrepo.git\n"); /* Find it all the different ways we know about it */ foundit = 0; cl_git_pass(git_submodule_foreach(g_repo, find_evil, &foundit)); cl_assert_equal_i(0, foundit); cl_git_fail_with(GIT_ENOTFOUND, git_submodule_lookup(&sm, g_repo, EVIL_SM_NAME_WINDOWS_UNESC)); /* * We do know about this as it's in the index and HEAD, but the data is * incomplete as there is no configured data for it (we pretend it * doesn't exist). This leaves us with an odd situation but it's * consistent with what we would do if we did add a submodule with no * configuration. */ cl_git_pass(git_submodule_lookup(&sm, g_repo, "testrepo")); cl_git_pass(git_submodule_location(&sm_location, sm)); cl_assert_equal_i(GIT_SUBMODULE_STATUS_IN_INDEX | GIT_SUBMODULE_STATUS_IN_HEAD, sm_location); git_submodule_free(sm); }