2024-01-28 03:29:33 +00:00
#!/bin/sh

test_description='check that local clone does not fetch from promisor remotes'

. ./test-lib.sh

test_expect_success 'create evil repo' '
	git init tmp &&
	test_commit -C tmp a &&
	git -C tmp config uploadpack.allowfilter 1 &&
	git clone --filter=blob:none --no-local --no-checkout tmp evil &&
	rm -rf tmp &&

	git -C evil config remote.origin.uploadpack \"\$TRASH_DIRECTORY/fake-upload-pack\" &&
	write_script fake-upload-pack <<-\EOF &&
		echo >&2 "fake-upload-pack running"
		>"$TRASH_DIRECTORY/script-executed"
		exit 1
	EOF
	export TRASH_DIRECTORY &&

	# empty shallow file disables local clone optimization
	>evil/.git/shallow
'

fetch/clone: detect dubious ownership of local repositories
When cloning from somebody else's repositories, it is possible that,
say, the `upload-pack` command is overridden in the repository that is
about to be cloned, which would then be run in the user's context who
started the clone.
To remind the user that this is a potentially unsafe operation, let's
extend the ownership checks we have already established for regular
gitdir discovery to extend also to local repositories that are about to
be cloned.
This protection extends also to file:// URLs.
The fixes in this commit address CVE-2024-32004.
Note: This commit does not touch the `fetch`/`clone` code directly, but
instead the function used implicitly by both: `enter_repo()`. This
function is also used by `git receive-pack` (i.e. pushes), by `git
upload-archive`, by `git daemon` and by `git http-backend`. In setups
that want to serve repositories owned by different users than the
account running the service, this will require `safe.*` settings to be
configured accordingly.
Also note: there are tiny time windows where a time-of-check-time-of-use
("TOCTOU") race is possible. The real solution to those would be to work
with `fstat()` and `openat()`. However, the latter function is not
available on Windows (and would have to be emulated with rather
expensive low-level `NtCreateFile()` calls), and the changes would be
quite extensive, for my taste too extensive for the little gain given
that embargoed releases need to pay extra attention to avoid introducing
inadvertent bugs.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2024-04-10 12:39:37 +00:00
test_expect_success 'local clone must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git clone \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		evil clone1 2>err &&
	! grep "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

test_expect_success 'clone from file://... must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git clone \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		"file://$(pwd)/evil" clone2 2>err &&
	! grep "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

test_expect_success 'fetch from file://... must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git fetch \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		"file://$(pwd)/evil" 2>err &&
	! grep "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

test_expect_success 'pack-objects should fetch from promisor remote and execute script' '
	rm -f script-executed &&
	echo "HEAD" | test_must_fail git -C evil pack-objects --revs --stdout >/dev/null 2>err &&
	grep "fake-upload-pack running" err &&
	test_path_is_file script-executed
'

test_done
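The commit message above extends git's ownership check to local repositories that are about to be cloned, and names the `remote.<name>.uploadpack` override as the reason: the tests above set exactly that key so that a clone would run a script from inside the repository. As an added example that is not part of git or its test suite, the POSIX shell audit below asks the same two questions of a local path before a clone: is the gitdir owned by the invoking user, and does its config redirect the transport to another program. The function names, exit codes, the awk-based config parser and the GNU/BSD `stat` fallback are this example's own assumptions, not git's implementation.

```shell
#!/bin/sh
# Added example (not git's code): pre-clone audit of a local repository.
# Assumes a POSIX shell, `id -u`, and GNU (`stat -c`) or BSD (`stat -f`) stat.

# Numeric uid of the owner of a path (GNU stat first, then BSD stat).
owner_uid() {
	stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Resolve the gitdir of $1: a non-bare checkout keeps it in .git, a bare
# repository is the gitdir itself. Prints nothing for anything else
# (a .git *file*, as used by worktrees and submodules, is not handled here).
gitdir_of() {
	if [ -d "$1/.git" ]; then
		printf '%s\n' "$1/.git"
	elif [ -f "$1/HEAD" ] && [ -d "$1/objects" ]; then
		printf '%s\n' "$1"
	fi
}

# Exit status: 0 = owned by the current user, 1 = dubious ownership
# (owner uid differs from the caller's), 2 = not a repository.
repo_ownership_ok() {
	gitdir=$(gitdir_of "$1")
	[ -n "$gitdir" ] || return 2
	[ "$(owner_uid "$gitdir")" = "$(id -u)" ] || return 1
	return 0
}

# Print every remote.<name>.uploadpack / receivepack setting found in the
# repository's config file, one "key value" pair per line. These keys replace
# the program git runs on the far side of the transport, which is what the
# fake-upload-pack test above relies on. The config file is parsed directly
# so nothing from the untrusted repository is executed or consulted by git.
transport_overrides() {
	gitdir=$(gitdir_of "$1")
	[ -n "$gitdir" ] && [ -f "$gitdir/config" ] || return 0
	awk '
		{ low = tolower($0) }
		low ~ /^[ \t]*\[remote "/ {              # [remote "name"] header
			sect = $0
			sub(/^[ \t]*\[remote "/, "", sect)
			sub(/"\].*$/, "", sect)
			next
		}
		low ~ /^[ \t]*\[/ { sect = ""; next }     # any other section header
		sect != "" && low ~ /^[ \t]*(uploadpack|receivepack)[ \t]*=/ {
			key = low; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
			val = $0; sub(/^[^=]*=[ \t]*/, "", val)
			printf "remote.%s.%s %s\n", sect, key, val
		}
	' "$gitdir/config"
}

# Combined verdict: 0 = safe to clone, 1 = dubious ownership,
# 2 = not a repository, 3 = transport override present.
audit_local_repo() {
	repo_ownership_ok "$1"
	status=$?
	[ "$status" -eq 0 ] || return "$status"
	overrides=$(transport_overrides "$1")
	if [ -n "$overrides" ]; then
		echo "refusing: transport override(s) in $1:" >&2
		printf '%s\n' "$overrides" >&2
		return 3
	fi
	return 0
}

# Usage: audit_local_repo /path/to/repo && git clone /path/to/repo dest
```

For a service account that legitimately serves repositories owned by other users, the commit points at the `safe.*` settings; `git config --global --add safe.directory <path>` is the knob that allowlists one specific path rather than turning the ownership check off.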