mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
7e2fc39d8c02048e9dddcba1b1b6786a8088a1a8
git/t/t7450-bad-git-dotfiles.sh
Victoria Dye 7e2fc39d8c t7450: test submodule urls 
Add tests to 't7450-bad-git-dotfiles.sh' to check the validity of different
submodule URLs. To verify this directly (without setting up test
repositories & submodules), add a 'check-url' subcommand to 'test-tool
submodule' that calls 'check_submodule_url' in the same way that
'check-name' calls 'check_submodule_name'.

Add two tests to separately address cases where the URL check correctly
filters out invalid URLs and cases where the check misses invalid URLs. Mark
the latter ("url check misses invalid cases") with 'test_expect_failure' to
indicate that this is currently broken, which will be fixed in the next step.

Signed-off-by: Victoria Dye <vdye@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-01-19 10:15:34 -08:00

356 lines
9.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
test_description='check broken or malicious patterns in .git* files
Such as:
- presence of .. in submodule names;
Exercise the name-checking function on a variety of names, and then give a
real-world setup that confirms we catch this in practice.
- nested submodule names
- symlinked .gitmodules, etc
'
TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh
. "$TEST_DIRECTORY"/lib-pack.sh
test_expect_success 'setup' '
git config --global protocol.file.allow always
'
test_expect_success 'check names' '
cat >expect <<-\EOF &&
valid
valid/with/paths
EOF
test-tool submodule check-name >actual <<-\EOF &&
valid
valid/with/paths
../foo
/../foo
..\foo
\..\foo
foo/..
foo/../
foo\..
foo\..\
foo/../bar
EOF
test_cmp expect actual
'
test_expect_success 'check urls' '
cat >expect <<-\EOF &&
./bar/baz/foo.git
https://example.com/foo.git
http://example.com:80/deeper/foo.git
EOF
test-tool submodule check-url >actual <<-\EOF &&
./bar/baz/foo.git
https://example.com/foo.git
http://example.com:80/deeper/foo.git
-a./foo
../../..//test/foo.git
../../../../../:localhost:8080/foo.git
..\../.\../:example.com/foo.git
./%0ahost=example.com/foo.git
https://one.example.com/evil?%0ahost=two.example.com
https:///example.com/foo.git
https::example.com/foo.git
http:::example.com/foo.git
EOF
test_cmp expect actual
'
# NEEDSWORK: the URL checked here is not valid (and will not work as a remote if
# a user attempts to clone it), but the fsck check passes.
test_expect_failure 'url check misses invalid cases' '
test-tool submodule check-url >actual <<-\EOF &&
http://example.com:test/foo.git
EOF
test_must_be_empty actual
'
test_expect_success 'create innocent subrepo' '
git init innocent &&
git -C innocent commit --allow-empty -m foo
'
test_expect_success 'submodule add refuses invalid names' '
test_must_fail \
git submodule add --name ../../modules/evil "$PWD/innocent" evil
'
test_expect_success 'add evil submodule' '
git submodule add "$PWD/innocent" evil &&
mkdir modules &&
cp -r .git/modules/evil modules &&
write_script modules/evil/hooks/post-checkout <<-\EOF &&
echo >&2 "RUNNING POST CHECKOUT"
EOF
git config -f .gitmodules submodule.evil.update checkout &&
git config -f .gitmodules --rename-section \
submodule.evil submodule.../../modules/evil &&
git add modules &&
git commit -am evil
'
# This step seems like it shouldn't be necessary, since the payload is
# contained entirely in the evil submodule. But due to the vagaries of the
# submodule code, checking out the evil module will fail unless ".git/modules"
# exists. Adding another submodule (with a name that sorts before "evil") is an
# easy way to make sure this is the case in the victim clone.
test_expect_success 'add other submodule' '
git submodule add "$PWD/innocent" another-module &&
git add another-module &&
git commit -am another
'
test_expect_success 'clone evil superproject' '
git clone --recurse-submodules . victim >output 2>&1 &&
! grep "RUNNING POST CHECKOUT" output
'
test_expect_success 'fsck detects evil superproject' '
test_must_fail git fsck
'
test_expect_success 'transfer.fsckObjects detects evil superproject (unpack)' '
rm -rf dst.git &&
git init --bare dst.git &&
git -C dst.git config transfer.fsckObjects true &&
test_must_fail git push dst.git HEAD
'
test_expect_success 'transfer.fsckObjects detects evil superproject (index)' '
rm -rf dst.git &&
git init --bare dst.git &&
git -C dst.git config transfer.fsckObjects true &&
git -C dst.git config transfer.unpackLimit 1 &&
test_must_fail git push dst.git HEAD
'
# Normally our packs contain commits followed by trees followed by blobs. This
# reverses the order, which requires backtracking to find the context of a
# blob. We'll start with a fresh gitmodules-only tree to make it simpler.
test_expect_success 'create oddly ordered pack' '
git checkout --orphan odd &&
git rm -rf --cached . &&
git add .gitmodules &&
git commit -m odd &&
{
pack_header 3 &&
pack_obj $(git rev-parse HEAD:.gitmodules) &&
pack_obj $(git rev-parse HEAD^{tree}) &&
pack_obj $(git rev-parse HEAD)
} >odd.pack &&
pack_trailer odd.pack
'
test_expect_success 'transfer.fsckObjects handles odd pack (unpack)' '
rm -rf dst.git &&
git init --bare dst.git &&
test_must_fail git -C dst.git unpack-objects --strict <odd.pack
'
test_expect_success 'transfer.fsckObjects handles odd pack (index)' '
rm -rf dst.git &&
git init --bare dst.git &&
test_must_fail git -C dst.git index-pack --strict --stdin <odd.pack
'
test_expect_success 'index-pack --strict works for non-repo pack' '
rm -rf dst.git &&
git init --bare dst.git &&
cp odd.pack dst.git &&
test_must_fail git -C dst.git index-pack --strict odd.pack 2>output &&
# Make sure we fail due to bad gitmodules content, not because we
# could not read the blob in the first place.
grep gitmodulesName output
'
check_dotx_symlink () {
fsck_must_fail=test_must_fail
fsck_prefix=error
refuse_index=t
case "$1" in
--warning)
fsck_must_fail=
fsck_prefix=warning
refuse_index=
shift
;;
esac
name=$1
type=$2
path=$3
dir=symlink-$name-$type
test_expect_success "set up repo with symlinked $name ($type)" '
git init $dir &&
(
cd $dir &&
# Make the tree directly to avoid index restrictions.
#
# Because symlinks store the target as a blob, choose
# a pathname that could be parsed as a .gitmodules file
# to trick naive non-symlink-aware checking.
tricky="[foo]bar=true" &&
content=$(git hash-object -w ../.gitmodules) &&
target=$(printf "$tricky" | git hash-object -w --stdin) &&
{
printf "100644 blob $content\t$tricky\n" &&
printf "120000 blob $target\t$path\n"
} >bad-tree
) &&
tree=$(git -C $dir mktree <$dir/bad-tree)
'
test_expect_success "fsck detects symlinked $name ($type)" '
(
cd $dir &&
# Check not only that we fail, but that it is due to the
# symlink detector
$fsck_must_fail git fsck 2>output &&
grep "$fsck_prefix.*tree $tree: ${name}Symlink" output
)
'
test -n "$refuse_index" &&
test_expect_success "refuse to load symlinked $name into index ($type)" '
test_must_fail \
git -C $dir \
-c core.protectntfs \
-c core.protecthfs \
read-tree $tree 2>err &&
grep "invalid path.*$name" err &&
git -C $dir ls-files -s >out &&
test_must_be_empty out
'
}
check_dotx_symlink gitmodules vanilla .gitmodules
check_dotx_symlink gitmodules ntfs ".gitmodules ."
check_dotx_symlink gitmodules hfs ".${u200c}gitmodules"
check_dotx_symlink --warning gitattributes vanilla .gitattributes
check_dotx_symlink --warning gitattributes ntfs ".gitattributes ."
check_dotx_symlink --warning gitattributes hfs ".${u200c}gitattributes"
check_dotx_symlink --warning gitignore vanilla .gitignore
check_dotx_symlink --warning gitignore ntfs ".gitignore ."
check_dotx_symlink --warning gitignore hfs ".${u200c}gitignore"
check_dotx_symlink --warning mailmap vanilla .mailmap
check_dotx_symlink --warning mailmap ntfs ".mailmap ."
check_dotx_symlink --warning mailmap hfs ".${u200c}mailmap"
test_expect_success 'fsck detects non-blob .gitmodules' '
git init non-blob &&
(
cd non-blob &&
# As above, make the funny tree directly to avoid index
# restrictions.
mkdir subdir &&
cp ../.gitmodules subdir/file &&
git add subdir/file &&
git commit -m ok &&
git ls-tree HEAD | sed s/subdir/.gitmodules/ | git mktree &&
test_must_fail git fsck 2>output &&
test_grep gitmodulesBlob output
)
'
test_expect_success 'fsck detects corrupt .gitmodules' '
git init corrupt &&
(
cd corrupt &&
echo "[broken" >.gitmodules &&
git add .gitmodules &&
git commit -m "broken gitmodules" &&
git fsck 2>output &&
test_grep gitmodulesParse output &&
test_grep ! "bad config" output
)
'
test_expect_success WINDOWS 'prevent git~1 squatting on Windows' '
git init squatting &&
(
cd squatting &&
mkdir a &&
touch a/..git &&
git add a/..git &&
test_tick &&
git commit -m initial &&
modules="$(test_write_lines \
"[submodule \"b.\"]" "url = ." "path = c" \
"[submodule \"b\"]" "url = ." "path = d\\\\a" |
git hash-object -w --stdin)" &&
rev="$(git rev-parse --verify HEAD)" &&
hash="$(echo x | git hash-object -w --stdin)" &&
test_must_fail git update-index --add \
--cacheinfo 160000,$rev,d\\a 2>err &&
test_grep "Invalid path" err &&
git -c core.protectNTFS=false update-index --add \
--cacheinfo 100644,$modules,.gitmodules \
--cacheinfo 160000,$rev,c \
--cacheinfo 160000,$rev,d\\a \
--cacheinfo 100644,$hash,d./a/x \
--cacheinfo 100644,$hash,d./a/..git &&
test_tick &&
git -c core.protectNTFS=false commit -m "module"
) &&
if test_have_prereq MINGW
then
test_must_fail git -c core.protectNTFS=false \
clone --recurse-submodules squatting squatting-clone 2>err &&
test_grep -e "directory not empty" -e "not an empty directory" err &&
! grep gitdir squatting-clone/d/a/git~2
fi
'
test_expect_success 'git dirs of sibling submodules must not be nested' '
git init nested &&
test_commit -C nested nested &&
(
cd nested &&
cat >.gitmodules <<-EOF &&
[submodule "hippo"]
url = .
path = thing1
[submodule "hippo/hooks"]
url = .
path = thing2
EOF
git clone . thing1 &&
git clone . thing2 &&
git add .gitmodules thing1 thing2 &&
test_tick &&
git commit -m nested
) &&
test_must_fail git clone --recurse-submodules nested clone 2>err &&
test_grep "is inside git dir" err
'
test_done
Reference in New Issue View Git Blame Copy Permalink