development/git
development/git
1
0
Fork 0
mirror of https://github.com/git/git synced 2024-10-02 14:45:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
git/builtin
History
Patrick Steinhardt 150e6b0aed builtin/clone: stop resolving symlinks when copying files 
When a user performs a local clone without `--no-local`, then we end up
copying the source repository into the target repository directly. To
optimize this even further, we try to hardlink files into place instead
of copying data over, which helps both disk usage and speed.

There is an important edge case in this context though, namely when we
try to hardlink symlinks from the source repository into the target
repository. Depending on both platform and filesystem the resulting
behaviour here can be different:

  - On macOS and NetBSD, calling link(3P) with a symlink target creates
    a hardlink to the file pointed to by the symlink.

  - On Linux, calling link(3P) instead creates a hardlink to the symlink
    itself.

To unify this behaviour, 36596fd2df (clone: better handle symlinked
files at .git/objects/, 2019-07-10) introduced logic to resolve symlinks
before we try to link(3P) files. Consequently, the new behaviour was to
always create a hard link to the target of the symlink on all platforms.

Eventually though, we figured out that following symlinks like this can
cause havoc when performing a local clone of a malicious repository,
which resulted in CVE-2022-39253. This issue was fixed via 6f054f9fb3
(builtin/clone.c: disallow `--local` clones with symlinks, 2022-07-28),
by refusing symlinks in the source repository.

But even though we now shouldn't ever link symlinks anymore, the code
that resolves symlinks still exists. In the best case the code does not
end up doing anything because there are no symlinks anymore. In the
worst case though this can be abused by an adversary that rewrites the
source file after it has been checked not to be a symlink such that it
actually is a symlink when we call link(3P). Thus, it is still possible
to recreate CVE-2022-39253 due to this time-of-check-time-of-use bug.

Remove the call to `realpath()`. This doesn't yet address the actual
vulnerability, which will be handled in a subsequent commit.

Reported-by: Apple Product Security <product-security@apple.com>
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2024-04-17 00:01:25 +02:00
..
add.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
am.c Merge branch 'rs/am-parse-options-cleanup' into maint-2.39 2023-02-14 14:15:56 -08:00
annotate.c
apply.c
archive.c parse-options: PARSE_OPT_KEEP_UNKNOWN only applies to --options 2022-08-19 11:13:14 -07:00
bisect--helper.c Merge branch 'dd/bisect-helper-subcommand' 2022-11-23 11:22:22 +09:00
blame.c doc txt & -h consistency: make "annotate" consistent 2022-10-13 09:32:57 -07:00
branch.c Merge branch 'rj/branch-copy-and-rename' into maint-2.39 2023-02-14 14:15:55 -08:00
bugreport.c doc txt & -h consistency: fix mismatching labels 2022-10-13 09:32:56 -07:00
bundle.c Merge branch 'ab/bundle-wo-args' into maint-2.39 2023-02-14 14:15:50 -08:00
cat-file.c {builtin/*,repository}.c: add & use "USE_THE_INDEX_VARIABLE" 2022-11-21 12:06:15 +09:00
check-attr.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
check-ignore.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
check-mailmap.c
check-ref-format.c
checkout--worker.c
checkout-index.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
checkout.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
clean.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
clone.c builtin/clone: stop resolving symlinks when copying files 2024-04-17 00:01:25 +02:00
column.c
commit-graph.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
commit-tree.c doc txt & -h consistency: add missing options 2022-10-13 09:32:57 -07:00
commit.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
config.c git-compat-util.h: use "UNUSED", not "UNUSED(var)" 2022-09-01 10:49:48 -07:00
count-objects.c
credential-cache--daemon.c doc txt & -h consistency: use "git foo" form, not "git-foo" 2022-10-13 09:32:57 -07:00
credential-cache.c
credential-store.c
credential.c
describe.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
diagnose.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
diff-files.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
diff-index.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
diff-tree.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
diff.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
difftool.c {builtin/*,repository}.c: add & use "USE_THE_INDEX_VARIABLE" 2022-11-21 12:06:15 +09:00
env--helper.c parse-options: PARSE_OPT_KEEP_UNKNOWN only applies to --options 2022-08-19 11:13:14 -07:00
fast-export.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
fast-import.c git-compat-util.h: use "UNUSED", not "UNUSED(var)" 2022-09-01 10:49:48 -07:00
fetch-pack.c list-objects-filter: add and use initializers 2022-09-12 08:38:59 -07:00
fetch.c Merge branch 'rs/no-more-run-command-v' 2022-11-08 17:15:12 -05:00
fmt-merge-msg.c
for-each-ref.c
for-each-repo.c for-each-repo: interpolate repo path arguments 2022-11-14 22:39:25 -05:00
fsck.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
fsmonitor--daemon.c Merge branch 'ah/fsmonitor-daemon-usage-non-l10n' into maint-2.38 2022-10-25 17:11:33 -07:00
gc.c Merge branch 'rp/maintenance-qol' 2022-11-23 11:22:24 +09:00
get-tar-commit-id.c
grep.c builtin/{grep,log}.: don't define "USE_THE_INDEX_COMPATIBILITY_MACROS" 2022-11-21 12:06:14 +09:00
hash-object.c doc txt & -h consistency: add missing options 2022-10-13 09:32:57 -07:00
help.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
hook.c builtin/hook.c: let parse-options parse subcommands 2022-08-19 11:13:15 -07:00
index-pack.c
init-db.c doc txt & -h consistency: add missing options 2022-10-13 09:32:57 -07:00
interpret-trailers.c doc txt & -h consistency: add missing options 2022-10-13 09:32:57 -07:00
log.c builtin/{grep,log}.: don't define "USE_THE_INDEX_COMPATIBILITY_MACROS" 2022-11-21 12:06:14 +09:00
ls-files.c ls-files: fix black space in error message 2022-09-12 09:25:40 -07:00
ls-remote.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
ls-tree.c Merge branch 'rs/ls-tree-path-expansion-fix' into maint-2.39 2023-02-14 14:15:52 -08:00
mailinfo.c
mailsplit.c
merge-base.c doc txt & -h consistency: make output order consistent 2022-10-13 09:32:56 -07:00
merge-file.c
merge-index.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
merge-ours.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
merge-recursive.c
merge-tree.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
merge.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
mktag.c
mktree.c
multi-pack-index.c multi-pack-index: avoid writing to global in option callback 2022-10-06 09:56:51 -07:00
mv.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
name-rev.c git-compat-util.h: use "UNUSED", not "UNUSED(var)" 2022-09-01 10:49:48 -07:00
notes.c notes: avoid empty line in template 2022-11-16 14:57:32 -05:00
pack-objects.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
pack-redundant.c doc txt & -h consistency: fix mismatching labels 2022-10-13 09:32:56 -07:00
pack-refs.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
patch-id.c builtin: patch-id: remove unused diff-tree prefix 2022-10-24 15:44:20 -07:00
prune-packed.c
prune.c prune: quiet ENOENT on missing directories 2022-11-21 15:58:54 +09:00
pull.c {builtin/*,repository}.c: add & use "USE_THE_INDEX_VARIABLE" 2022-11-21 12:06:15 +09:00
push.c Doc: document push.recurseSubmodules=only 2022-11-14 16:55:50 -05:00
range-diff.c range-diff: optionally accept pathspecs 2022-08-26 09:49:26 -07:00
read-tree.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
rebase.c Merge branch 'ab/fewer-the-index-macros' 2022-11-28 12:13:46 +09:00
receive-pack.c receive-pack: only use visible refs for connectivity check 2022-11-17 16:22:52 -05:00
reflog.c refs: unify parse_worktree_ref() and ref_type() 2022-09-19 11:11:11 -07:00
remote-ext.c
remote-fd.c
remote.c Merge branch 'rs/no-more-run-command-v' 2022-11-08 17:15:12 -05:00
repack.c Merge branch 'tb/repack-expire-to' 2022-11-18 18:43:09 -05:00
replace.c
rerere.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
reset.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
rev-list.c Merge branch 'ps/receive-use-only-advertised' 2022-11-23 11:22:25 +09:00
rev-parse.c Merge branch 'ab/fewer-the-index-macros' 2022-11-28 12:13:46 +09:00
revert.c i18n: fix command template placeholder format 2022-11-27 10:29:44 +09:00
rm.c Merge branch 'ab/fewer-the-index-macros' 2022-11-28 12:13:46 +09:00
send-pack.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
shortlog.c shortlog: implement --group=committer in terms of --group=<format> 2022-10-24 14:48:05 -07:00
show-branch.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
show-index.c
show-ref.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
sparse-checkout.c doc txt & -h consistency: use "<options>", not "<options>..." 2022-10-13 09:32:55 -07:00
stash.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
stripspace.c
submodule--helper.c diff: mark unused parameters in callbacks 2022-12-13 22:16:23 +09:00
symbolic-ref.c Merge branch 'ab/doc-synopsis-and-cmd-usage' 2022-10-28 11:26:54 -07:00
tag.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
unpack-file.c doc txt & -h consistency: fix mismatching labels 2022-10-13 09:32:56 -07:00
unpack-objects.c
update-index.c cocci: apply "pending" index-compatibility to some "builtin/*.c" 2022-11-21 12:06:15 +09:00
update-ref.c
update-server-info.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
upload-archive.c doc txt & -h consistency: fix mismatching labels 2022-10-13 09:32:56 -07:00
upload-pack.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
var.c
verify-commit.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
verify-pack.c doc txt & -h consistency: add or fix optional "--" syntax 2022-10-13 09:32:56 -07:00
verify-tag.c doc txt & -h consistency: add missing options and labels 2022-10-13 09:32:56 -07:00
worktree.c doc txt & -h consistency: make "worktree" consistent 2022-10-13 09:32:58 -07:00
write-tree.c