list mirror (unofficial, one of many)
 help / color / Atom feed
From: Ævar Arnfjörð Bjarmason  <>
Cc: Junio C Hamano <>, Jeff King <>,
	Ævar Arnfjörð Bjarmason  <>
Subject: [PATCH] fsckObjects tests: show how v2.17.1 can exploit downstream
Date: Tue, 29 May 2018 21:19:50 +0000
Message-ID: <> (raw)

Something that's known but not explicitly discussed in the v2.17.1
release notes, or tested for, is that v2.17.1 will still happily pass
on evil .gitmodules objects by default to vulnerable downstream

This could happen e.g. if an in-house git hosting site is mirroring a
remote repository that doesn't have transfer.fsckObjects turned on.
Someone can remotely push evil data to that remote hosting site
knowing that it's mirrored downstream, and the in-house mirror without
transfer.fsckObjects will happily pass those evil objects along, even
though it's been updated to v2.17.1.

It's worth testing for this explicitly. So let's amend the tests added
in 73c3f0f704 ("index-pack: check .gitmodules files with --strict",
2018-05-04) to show how this can result in a v2.17.1 client passing
along the evil objects.

Signed-off-by: Ævar Arnfjörð Bjarmason <>

I guess this test is technically a bit redundant, but I think it's
worth adding anyway since we're short in general on the subtle
semantics of how *.fsckObjects acts in various situations, and so
anyone reading the tests realizes that even a patched v2.17.1 can
still be fooled to collude with evil in its default configuration.

 t/ | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/t/ b/t/
index a770d92a55..f35f98e956 100755
--- a/t/
+++ b/t/
@@ -93,6 +93,15 @@ test_expect_success 'transfer.fsckObjects detects evil superproject (index)' '
 	test_must_fail git push dst.git HEAD
+test_expect_success 'transfer.fsckObjects needs to be on to protect downstream' '
+	git init --bare intermediary.git &&
+	git -C intermediary.git config transfer.fsckObjects false &&
+	git -C intermediary.git fetch ../ master:master &&
+	git init --bare downstream.git &&
+	git -C downstream.git fetch ../intermediary.git &&
+	test_must_fail git -C downstream.git fsck
 # Normally our packs contain commits followed by trees followed by blobs. This
 # reverses the order, which requires backtracking to find the context of a
 # blob. We'll start with a fresh gitmodules-only tree to make it simpler.

             reply index

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-29 21:19 Ævar Arnfjörð Bjarmason [this message]
2018-05-29 21:24 ` Jeff King
2018-05-29 21:59   ` Ævar Arnfjörð Bjarmason
2018-05-30  2:57     ` Junio C Hamano
2018-05-31  5:54     ` Jeff King
2018-05-31  6:52       ` Ævar Arnfjörð Bjarmason
2018-05-30  1:32   ` Junio C Hamano
2018-05-31  6:02     ` Jeff King
2018-06-01  1:42       ` Junio C Hamano
2018-06-01  5:57         ` Jeff King

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link list mirror (unofficial, one of many)

Archives are clonable:
	git clone --mirror
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

Newsgroups are available over NNTP:

 note: .onion URLs require Tor:
       or Tor2web:

AGPL code for this site: git clone public-inbox