[PATCH] osxkeychain: restrict queries to requests with a valid host

[PATCH] osxkeychain: restrict queries to requests with a valid host

[Carlo Marcelo Arenas Belón]

make sure that requests to this helper to get credentials return early if
there is no host ord the host is empty.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
index bcd3f575a3..2264a88c41 100644
--- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
+++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
@@ -69,6 +69,12 @@ static void find_internet_password(void)
 	UInt32 len;
 	SecKeychainItemRef item;
 
+	/*
+	 * Require at valid host to fix CVE-2020-11008
+	 */
+	if (!host || !*host)
+		return;
+
 	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
 		return;
 
-- 
2.26.2.111.gbff22aa583

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Junio C Hamano]

Carlo Marcelo Arenas Belón  <carenas@gmail.com> writes:

> make sure that requests to this helper to get credentials return early if
> there is no host ord the host is empty.
>
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
>  contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> index bcd3f575a3..2264a88c41 100644
> --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> @@ -69,6 +69,12 @@ static void find_internet_password(void)
>  	UInt32 len;
>  	SecKeychainItemRef item;
>  
> +	/*
> +	 * Require at valid host to fix CVE-2020-11008
> +	 */

Just to clarify, you do not need this patch to "fix" it, as long as
you are running up-to-date Git, right?  In other words, this is more
like a belt-and-suspender protection, isn't it?

> +	if (!host || !*host)
> +		return;
> +
>  	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
>  		return;

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Carlo Arenas]

On Mon, Apr 20, 2020 at 4:09 PM Junio C Hamano <gitster@pobox.com> wrote:
>
> Just to clarify, you do not need this patch to "fix" it, as long as
> you are running up-to-date Git, right?  In other words, this is more
> like a belt-and-suspender protection, isn't it?

the fixes in master do most of the work, but the way the underlying
macOS function
used works, will still randomly select a credential for cases where host=""

Carlo

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Junio C Hamano]

Carlo Arenas <carenas@gmail.com> writes:

> On Mon, Apr 20, 2020 at 4:09 PM Junio C Hamano <gitster@pobox.com> wrote:
>>
>> Just to clarify, you do not need this patch to "fix" it, as long as
>> you are running up-to-date Git, right?  In other words, this is more
>> like a belt-and-suspender protection, isn't it?
>
> the fixes in master do most of the work, but the way the underlying
> macOS function
> used works, will still randomly select a credential for cases where host=""

That is like saying "most of the work but as a protection it does
not work at all and still allows a random stuff to be chosen", no?

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Jonathan Nieder]

Hi!

Carlo Marcelo Arenas Belón wrote:

> make sure that requests to this helper to get credentials return early if
> there is no host ord the host is empty.
>
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
>  contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
>  1 file changed, 6 insertions(+)

We had mentioned while preparing v2.26.2 that after that release
hardening the git side of the credential helper protocol, we should
harden the helper side.  Thanks for getting it started.

[...]
> diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> index bcd3f575a3..2264a88c41 100644
> --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> @@ -69,6 +69,12 @@ static void find_internet_password(void)
>  	UInt32 len;
>  	SecKeychainItemRef item;
>  
> +	/*
> +	 * Require at valid host to fix CVE-2020-11008
> +	 */
> +	if (!host || !*host)
> +		return;

While we're here, is there any validation we should do for any of the
other parameters to SecKeychainFindInternetPassword (username, path,
port, protocol)?

Also, should we check for duplicate fields as in CVE-2020-5260?

> +
>  	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
>  		return;

Thanks,
Jonathan

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Calvin Wan]

Carlo Marcelo Arenas Belón  <carenas@gmail.com> writes:
> make sure that requests to this helper to get credentials return early if
> there is no host ord the host is empty.
> 
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
>  contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> index bcd3f575a3..2264a88c41 100644
> --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> @@ -69,6 +69,12 @@ static void find_internet_password(void)
>  	UInt32 len;
>  	SecKeychainItemRef item;
>  
> +	/*
> +	 * Require at valid host to fix CVE-2020-11008
> +	 */
> +	if (!host || !*host)
> +		return;
> +
>  	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
>  		return;
>  
> -- 
> 2.26.2.111.gbff22aa583
> 

We're currently using this patch downstream (removed the check for
!*host after updates to this file), but I was wondering whether this
change should also be in main. It seems like the discussion around this
stalled and there was no definitive conclusion, but the change also at
worst does nothing and could possibly be useful -- I see other functions
where we're checking for the existence of "host". I wasn't around when
all the changes around this CVE were happening so I'm not exactly sure
how useful this patch this and whether we can get rid of it or not.

Re: [PATCH] osxkeychain: restrict queries to requests with a valid host

[Jeff King]

On Mon, Apr 22, 2024 at 07:48:12PM +0000, Calvin Wan wrote:

> > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> > index bcd3f575a3..2264a88c41 100644
> > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c
> > @@ -69,6 +69,12 @@ static void find_internet_password(void)
> >  	UInt32 len;
> >  	SecKeychainItemRef item;
> >  
> > +	/*
> > +	 * Require at valid host to fix CVE-2020-11008
> > +	 */
> > +	if (!host || !*host)
> > +		return;
> > +
> >  	if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
> >  		return;
> >  
> > -- 
> > 2.26.2.111.gbff22aa583
> > 
> 
> We're currently using this patch downstream (removed the check for
> !*host after updates to this file), but I was wondering whether this
> change should also be in main. It seems like the discussion around this
> stalled and there was no definitive conclusion, but the change also at
> worst does nothing and could possibly be useful -- I see other functions
> where we're checking for the existence of "host". I wasn't around when
> all the changes around this CVE were happening so I'm not exactly sure
> how useful this patch this and whether we can get rid of it or not.

I think this is mostly redundant with the protection on the sending side
from 8ba8ed568e (credential: refuse to operate when missing host or
protocol, 2020-04-18).

Locking down the individual helpers more might be useful if they are run
as independent programs (e.g., you could run "osxkeychain" manually and
feed it input with a host, which would make its matching quite liberal).
But since there isn't a way to trigger it in a normal workflow with
untrusted input, I don't think there's much of a security implication.

Looking at the patch above, I think it may cause issues with protocols
that do not have a host (like "cert" ones we use for storing client-side
certificate passphrases). But I'm not sure that osxkeychain can handle
those anyway. I'm also not sure we didn't break that in 8ba8ed568e. That
patch allows an empty string for the host, and the code in http.c to set
up the credential struct for the cert uses an empty string. But doing a
trivial test seems broken:

  $ touch foo.cert
  $ git -c http.sslcert=foo.cert ls-remote ...
  fatal: refusing to work with credential missing host field

Curiously if you feed it a real cert and matching key, then curl itself
prompts for the passphrase! And if you provide the correct one, then it
does not need to check credential config/helpers, and it works. If you
provide a bad one, we hit that same message trying to "reject" it (and I
think that is what happens with the fake cert; curl likewise complains
and we try to erase the passphrase before trying again).

But that also means we have no opportunity to prompt/store ourselves, if
curl is handling it. If you set GIT_SSL_CERT_PASSWORD_PROTECTED, then we
do our own prompt ahead of time (and this correctly sets the hostname to
the empty string).

So the whole cert auth handling is kind of wonky, and it's not clear to
me that anybody actually uses it, or what's supposed to work and what
isn't.

That's all sort of a tangent to your question, of course. ;)

It is interesting that the fix we did in 8ba8ed568e still allows empty
string hostnames, as I think such a hostname would cause osxkeychain to
still liberally match its contents. So in that case maybe the patch
above is doing something? I dunno. I think the real protection is
avoiding either a NULL or empty-string hostname based on untrusted input
in the first place.

-Peff