From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: git@vger.kernel.org
Cc: "Junio C Hamano" <gitster@pobox.com>, "Jeff King" <peff@peff.net>,
	"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: [PATCH] fsckObjects tests: show how v2.17.1 can exploit downstream
Date: Tue, 29 May 2018 21:19:50 +0000
Message-ID: <20180529211950.26896-1-avarab@gmail.com>

Something that's known but not explicitly discussed in the v2.17.1
release notes, or tested for, is that v2.17.1 will still happily pass
on evil .gitmodules objects by default to vulnerable downstream
clients.

This could happen e.g. if an in-house git hosting site is mirroring a
remote repository that doesn't have transfer.fsckObjects turned on.
Someone can remotely push evil data to that remote hosting site
knowing that it's mirrored downstream, and the in-house mirror without
transfer.fsckObjects will happily pass those evil objects along, even
though it's been updated to v2.17.1.

It's worth testing for this explicitly. So let's amend the tests added
in 73c3f0f704 ("index-pack: check .gitmodules files with --strict",
2018-05-04) to show how this can result in a v2.17.1 client passing
along the evil objects.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
---

I guess this test is technically a bit redundant, but I think it's
worth adding anyway since we're short in general on the subtle
semantics of how *.fsckObjects acts in various situations, and so
anyone reading the tests realizes that even a patched v2.17.1 can
still be fooled to collude with evil in its default configuration.

 t/t7415-submodule-names.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
index a770d92a55..f35f98e956 100755
--- a/t/t7415-submodule-names.sh
+++ b/t/t7415-submodule-names.sh
@@ -93,6 +93,15 @@ test_expect_success 'transfer.fsckObjects detects evil superproject (index)' '
 	test_must_fail git push dst.git HEAD
 '
 
+test_expect_success 'transfer.fsckObjects needs to be on to protect downstream' '
+	git init --bare intermediary.git &&
+	git -C intermediary.git config transfer.fsckObjects false &&
+	git -C intermediary.git fetch ../ master:master &&
+	git init --bare downstream.git &&
+	git -C downstream.git fetch ../intermediary.git &&
+	test_must_fail git -C downstream.git fsck
+'
+
 # Normally our packs contain commits followed by trees followed by blobs. This
 # reverses the order, which requires backtracking to find the context of a
 # blob. We'll start with a fresh gitmodules-only tree to make it simpler.
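Review bot: the test name claims transfer.fsckObjects "needs to be on to protect downstream", but the hunk only exercises the unprotected half: intermediary.git is configured with `transfer.fsckObjects false`, downstream.git fetches with the built-in default, and the single assertion is `test_must_fail git -C downstream.git fsck`. To make the name hold, add the positive counterpart in the same test, using a second bare repository so the fetch is not a no-op against objects already present: `git init --bare checked.git && git -C checked.git config transfer.fsckObjects true && test_must_fail git -C checked.git fetch ../ master:master`; otherwise rename the test to say it shows evil objects passing through an unchecked intermediary. A smaller point: downstream.git relies on the compiled-in default of transfer.fsckObjects, so setting it explicitly to false (or noting the default in a comment) makes the intent readable without knowing the default.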
-- 
2.17.0.290.gded63e768a
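The scenario in the commit message turns on which repositories in a mirroring chain actually have fsckObjects in effect. The following is an added example, not code from the patch or from the git project: a small Python audit that parses git config text and resolves the effective fetch/receive fsckObjects settings using the precedence documented in git-config(1) (fetch.fsckObjects and receive.fsckObjects each fall back to transfer.fsckObjects, and all three default to false). The config texts are constructed for the example; the intermediary one mirrors the `transfer.fsckObjects false` setting from the test above. Comment stripping is deliberately naive (a `#` or `;` inside a quoted value is not handled), which is an assumption of this example rather than a property of git's parser.

```python
"""Audit git config text for the fsckObjects keys that decide whether a
repository validates objects it fetches or accepts on push.

Precedence (git-config(1)): fetch.fsckObjects and receive.fsckObjects each
fall back to transfer.fsckObjects; if none is set, the default is false.
"""
import re
from typing import Dict, List, Optional

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}


def parse_git_config(text: str) -> Dict[str, str]:
    """Flatten git config text into {"section.subsection.key": value}.

    Section and key names are lowercased (git treats them case-insensitively);
    subsection names keep their case. A repeated key keeps its last value,
    which is what git returns when a key is read as a single value.
    Comment stripping is naive: '#' or ';' inside a quoted value is not handled.
    """
    values: Dict[str, str] = {}
    prefix: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            prefix = f"{section}.{subsection}" if subsection is not None else section
            continue
        m = KEY_RE.match(line)
        if m and prefix is not None:
            key, val = m.group(1).lower(), m.group(2)
            # A bare key with no "=" means boolean true in git config.
            values[f"{prefix}.{key}"] = "true" if val is None else val.strip().strip('"')
    return values


def as_bool(val: Optional[str]) -> Optional[bool]:
    """Interpret a git boolean value; None stays None (key unset)."""
    if val is None:
        return None
    v = val.lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a git boolean: {val!r}")


def effective_fsck(cfg: Dict[str, str]) -> Dict[str, bool]:
    """Resolve the effective fsckObjects setting for fetch and receive."""
    transfer = as_bool(cfg.get("transfer.fsckobjects"))
    result: Dict[str, bool] = {}
    for direction in ("fetch", "receive"):
        specific = as_bool(cfg.get(f"{direction}.fsckobjects"))
        if specific is not None:
            result[direction] = specific
        elif transfer is not None:
            result[direction] = transfer
        else:
            result[direction] = False  # git's built-in default
    return result


def unchecked_directions(cfg: Dict[str, str]) -> List[str]:
    """Directions in which this repository passes objects along unchecked."""
    return sorted(d for d, on in effective_fsck(cfg).items() if not on)


# Constructed sample configs (not from the page): the unchecked intermediary
# from the scenario, a hardened one, and one where a per-direction key
# silently overrides the transfer-wide setting.
SAMPLE_INTERMEDIARY = """\
[core]
\tbare = true
[transfer]
\tfsckObjects = false
[remote "upstream"]
\turl = https://example.invalid/some/repo.git  # placeholder URL
\tfetch = +refs/heads/*:refs/heads/*
"""

SAMPLE_HARDENED = """\
[transfer]
\tfsckObjects = true
"""

SAMPLE_OVERRIDE = """\
[transfer]
\tfsckObjects = true
[fetch]
\tfsckObjects = off
"""

if __name__ == "__main__":
    for name, text in (("intermediary", SAMPLE_INTERMEDIARY),
                       ("hardened", SAMPLE_HARDENED),
                       ("override", SAMPLE_OVERRIDE)):
        print(name, effective_fsck(parse_git_config(text)))
```

Run against the `config` file of each bare repository a mirror fleet hosts; any repository that reports `fetch` as unchecked is one that will relay bad objects to its own downstreams regardless of its git version, which is the point the commit message makes. The override sample shows why checking transfer.fsckObjects alone is not enough.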