From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Jonathan Nieder <jrnieder@gmail.com>
Subject: [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore
Date: Mon, 5 Oct 2020 08:16:45 -0400 [thread overview]
Message-ID: <20201005121645.GG2907394@coredump.intra.peff.net> (raw)
In-Reply-To: <20201005121609.GA2907272@coredump.intra.peff.net>
In commit 10ecfa7649 (verify_path: disallow symlinks in .gitmodules,
2018-05-04) we made it impossible to load a .gitmodules file that's a
symlink into the index. The security reasons for doing so are described
there. We also discussed forbidding symlinks of other .git files as part
of that fix, but the tradeoff was less compelling:
1. Unlike .gitmodules, the other files don't have content-level fsck
checks. So an attacker using symlinks to evade those checks isn't a
problem.
2. Unlike .gitmodules, Git will never write .gitignore or
.gitattributes itself, making it much less likely to use them to
write outside the repo. They could be used for out-of-repo reads,
however.
3. The .gitmodules change was part of a critical bug-fix that was
not publicly disclosed until it was released. Changing the other
files was not needed for the minimal fix.
However, it's still a reasonable idea to forbid symlinks for these
files:
- As noted, they can still be used to read out-of-repo files (which is
fairly restricted, but in some circumstances you can probe file
content by speculatively creating files and seeing if they get
ignored)
- They don't currently behave well in all cases. We sometimes read
these files from the index, where we _don't_ follow symlinks (we'd
just treat the symlink target as the .gitignore or .gitattributes
content, which is actively wrong).
This patch forbids symlinked versions of these files from entering the
index. We already have helpers for obscured forms of the names from
e7cb0b4455 (is_ntfs_dotgit: match other .git files, 2018-05-11) and
0fc333ba20 (is_hfs_dotgit: match other .git files, 2018-05-02), which
were done as part of the series touching .gitmodules.
No tests yet, as we'll add them in a subsequent patch once we have fsck
support, too.
Signed-off-by: Jeff King <peff@peff.net>
---
read-cache.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/read-cache.c b/read-cache.c
index ecf6f68994..63aec6c35d 100644
--- a/read-cache.c
+++ b/read-cache.c
@@ -947,7 +947,9 @@ static int verify_dotfile(const char *rest, unsigned mode)
return 0;
if (S_ISLNK(mode)) {
rest += 3;
- if (skip_iprefix(rest, "modules", &rest) &&
+ if ((skip_iprefix(rest, "modules", &rest) ||
+ skip_iprefix(rest, "ignore", &rest) ||
+ skip_iprefix(rest, "attributes", &rest)) &&
(*rest == '\0' || is_dir_sep(*rest)))
return 0;
}
@@ -980,7 +982,9 @@ int verify_path(const char *path, unsigned mode)
if (is_hfs_dotgit(path))
return 0;
if (S_ISLNK(mode)) {
- if (is_hfs_dotgitmodules(path))
+ if (is_hfs_dotgitmodules(path) ||
+ is_hfs_dotgitignore(path) ||
+ is_hfs_dotgitattributes(path))
return 0;
}
}
@@ -992,7 +996,9 @@ int verify_path(const char *path, unsigned mode)
if (is_ntfs_dotgit(path))
return 0;
if (S_ISLNK(mode)) {
- if (is_ntfs_dotgitmodules(path))
+ if (is_ntfs_dotgitmodules(path) ||
+ is_ntfs_dotgitignore(path) ||
+ is_ntfs_dotgitattributes(path))
return 0;
}
}
--
2.28.0.1295.gf70bcb366f
next prev parent reply other threads:[~2020-10-05 12:16 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 7:17 [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jeff King
2020-10-05 7:19 ` [PATCH 1/7] fsck_tree(): fix shadowed variable Jeff King
2020-10-05 7:44 ` Jonathan Nieder
2020-10-05 8:20 ` Jeff King
2020-10-05 8:29 ` Jonathan Nieder
2020-10-05 7:19 ` [PATCH 2/7] fsck_tree(): wrap some long lines Jeff King
2020-10-05 7:46 ` Jonathan Nieder
2020-10-05 7:19 ` [PATCH 3/7] t7415: rename to expand scope Jeff King
2020-10-05 7:50 ` Jonathan Nieder
2020-10-05 8:24 ` Jeff King
2020-10-05 8:34 ` Jonathan Nieder
2020-10-05 8:49 ` Jeff King
2020-10-05 7:20 ` [PATCH 4/7] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05 7:53 ` Jonathan Nieder
2020-10-05 8:30 ` Jeff King
2020-10-05 8:38 ` Jonathan Nieder
2020-10-05 7:21 ` [PATCH 5/7] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05 8:03 ` Jonathan Nieder
2020-10-05 8:40 ` Jeff King
2020-10-05 21:20 ` Johannes Schindelin
2020-10-06 14:01 ` Jeff King
2020-10-05 7:24 ` [PATCH 6/7] verify_path(): disallow symlinks in .gitattributes and .gitignore Jeff King
2020-10-05 8:09 ` Jonathan Nieder
2020-10-05 12:07 ` Jeff King
2020-10-05 7:25 ` [PATCH 7/7] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-05 8:12 ` Jonathan Nieder
2020-10-05 8:53 ` Jeff King
2020-10-05 7:32 ` [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jonathan Nieder
2020-10-05 8:58 ` Jeff King
2020-10-05 12:16 ` [PATCH v2 0/8] " Jeff King
2020-10-05 12:16 ` [PATCH v2 1/8] fsck_tree(): fix shadowed variable Jeff King
2020-10-05 12:16 ` [PATCH v2 2/8] fsck_tree(): wrap some long lines Jeff King
2020-10-05 12:16 ` [PATCH v2 3/8] t7415: rename to expand scope Jeff King
2020-10-05 12:16 ` [PATCH v2 4/8] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05 12:16 ` [PATCH v2 5/8] t7450: test .gitmodules symlink matching against obscured names Jeff King
2020-10-05 12:16 ` [PATCH v2 6/8] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05 12:16 ` Jeff King [this message]
2020-10-27 3:35 ` [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore Jonathan Nieder
2020-10-27 7:58 ` Jeff King
2020-10-27 22:00 ` Junio C Hamano
2020-10-28 9:41 ` Jeff King
2020-10-27 23:43 ` Jonathan Nieder
2020-10-28 19:18 ` Junio C Hamano
2020-10-05 12:16 ` [PATCH v2 8/8] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-06 20:41 ` [PATCH v2 0/8] forbidding symlinked .gitattributes and .gitignore Junio C Hamano
2020-10-20 23:19 ` Philip Oakley
2020-10-23 8:17 ` [PATCH] documentation symlink restrictions for .git* files Jeff King
2020-10-23 8:27 ` Jeff King
2020-10-26 22:18 ` Philip Oakley
2020-10-26 22:53 ` Jeff King
2020-10-26 23:32 ` Junio C Hamano
2020-10-27 7:26 ` Jeff King
2020-10-27 18:45 ` Junio C Hamano
2020-10-27 21:00 ` Philip Oakley
2020-10-28 19:14 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201005121645.GG2907394@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).