facebook/sapling
1
1
Fork 0
mirror of https://github.com/facebook/sapling.git synced 2024-10-07 15:27:13 +03:00
Code Issues Projects Releases Wiki Activity

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)

Browse Source 
CVE-2016-3068 (1/1)

Git's git-remote-ext remote helper provides an ext:: URL scheme that
allows running arbitrary shell commands. This feature allows
implementing simple git smart transports with a single shell shell
command. However, git submodules could clone arbitrary URLs specified
in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
in git v2.6.1.

However, if a user directly clones a malicious ext URL, the git client
will still run arbitrary shell commands.

Mercurial is similarly effected. Mercurial allows specifying git
repositories as subrepositories. Git ext:: URLs can be specified as
Mercurial subrepositories allowing arbitrary shell commands to be run
on `hg clone ...`.


The Mercurial community would like to thank Blake Burkhart for
reporting this issue. The description of the issue is copied from
Blake's report.

This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
variable to git commands  with the same list of allowed protocols that
git submodule is using.

When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
to git without modifications.
This commit is contained in:
Mateusz Kwapich 2016-03-20 21:52:21 -07:00
parent b81aafc379
commit e1c4c54543
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
mercurial/subrepo.py
View File

@ -1383,6 +1383,11 @@ class gitsubrepo(abstractsubrepo):
are not supported and very probably fail. are not supported and very probably fail.
""" """
self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands))) self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
if env is None:
env = os.environ.copy()
# fix for Git CVE-2015-7545
if 'GIT_ALLOW_PROTOCOL' not in env:
env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
# unless ui.quiet is set, print git's stderr, # unless ui.quiet is set, print git's stderr,
# which is mostly progress and useful info # which is mostly progress and useful info
errpipe = None errpipe = None

32
tests/test-subrepo-git.t
View File

@ -1132,4 +1132,36 @@ make sure we show changed files, rather than changed subtrees
? s/foobar.orig ? s/foobar.orig
? s/snake.python.orig ? s/snake.python.orig
test for Git CVE-2016-3068
$ hg init malicious-subrepository
$ cd malicious-subrepository
$ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub
$ git init s
Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/
$ cd s
$ git commit --allow-empty -m 'empty'
[master (root-commit) 153f934] empty
$ cd .. $ cd ..
$ hg add .hgsub
$ hg commit -m "add subrepo"
$ cd ..
$ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...
fatal: transport 'ext' not allowed
updating to branch default
cloning subrepo s from ext::sh -c echo% pwned% >&2
abort: git clone error 128 in s (in subrepo s)
[255]
whitelisting of ext should be respected (that's the git submodule behaviour)
$ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed
Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...
pwned
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
updating to branch default
cloning subrepo s from ext::sh -c echo% pwned% >&2
abort: git clone error 128 in s (in subrepo s)
[255]