[PATCH 0/2] disallow newlines in git:// URLs

[PATCH 0/2] disallow newlines in git:// URLs

[Jeff King]

This addresses an issue brought up by Harold Kim on the security list.
In general, Git handles repo paths with newlines just fine, and this
even works over the git:// protocol. However, because of the sparseness
of that protocol, it's easy to craft a malicious URL that makes a valid
request for other protocols, like http (and submodules make it easy-ish
to convince somebody to clone your crafted URL).

Since it's unlikely that anybody is relying on having a newline in their
git:// repo in the first place, it's worth outlawing them to make it
less likely for a Git client to be used as a protocol redirect.

  [1/2]: git_connect_git(): forbid newlines in host and path
  [2/2]: fsck: reject .gitmodules git:// urls with newlines

 connect.c                     |  2 ++
 fsck.c                        |  2 +-
 t/t5570-git-daemon.sh         |  5 +++++
 t/t7416-submodule-dash-url.sh | 15 +++++++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)

-Peff

[PATCH 1/2] git_connect_git(): forbid newlines in host and path

[Jeff King]

When we connect to a git:// server, we send an initial request that
looks something like:

  002dgit-upload-pack repo.git\0host=example.com

If the repo path contains a newline, then it's included literally, and
we get:

  002egit-upload-pack repo
  .git\0host=example.com

This works fine if you really do have a newline in your repository name;
the server side uses the pktline framing to parse the string, not
newlines. However, there are many _other_ protocols in the wild that do
parse on newlines, such as HTTP. So a carefully constructed git:// URL
can actually turn into a valid HTTP request. For example:

  git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a

becomes:

  0050git-upload-pack /
  GET / HTTP/1.1
  Host:localhost

  host=localhost:1234

on the wire. Again, this isn't a problem for a real Git server, but it
does mean that feeding a malicious URL to Git (e.g., through a
submodule) can cause it to make unexpected cross-protocol requests.
Since repository names with newlines are presumably quite rare (and
indeed, we already disallow them in git-over-http), let's just disallow
them over this protocol.

Hostnames could likewise inject a newline, but this is unlikely a
problem in practice; we'd try resolving the hostname with a newline in
it, which wouldn't work. Still, it doesn't hurt to err on the side of
caution there, since we would not expect them to work in the first
place.

The ssh and local code paths are unaffected by this patch. In both cases
we're trying to run upload-pack via a shell, and will quote the newline
so that it makes it intact. An attacker can point an ssh url at an
arbitrary port, of course, but unless there's an actual ssh server
there, we'd never get as far as sending our shell command anyway.  We
_could_ similarly restrict newlines in those protocols out of caution,
but there seems little benefit to doing so.

The new test here is run alongside the git-daemon tests, which cover the
same protocol, but it shouldn't actually contact the daemon at all.  In
theory we could make the test more robust by setting up an actual
repository with a newline in it (so that our clone would succeed if our
new check didn't kick in). But a repo directory with newline in it is
likely not portable across all filesystems. Likewise, we could check
git-daemon's log that it was not contacted at all, but we do not
currently record the log (and anyway, it would make the test racy with
the daemon's log write). We'll just check the client-side stderr to make
sure we hit the expected code path.

Reported-by: Harold Kim <h.kim@flatt.tech>
Signed-off-by: Jeff King <peff@peff.net>
---
 connect.c             | 2 ++
 t/t5570-git-daemon.sh | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/connect.c b/connect.c
index 8b8f56cf6d..9c97fee430 100644
--- a/connect.c
+++ b/connect.c
@@ -1160,6 +1160,8 @@ static struct child_process *git_connect_git(int fd[2], char *hostandport,
 		target_host = xstrdup(hostandport);
 
 	transport_check_allowed("git");
+	if (strchr(target_host, '\n') || strchr(path, '\n'))
+		die(_("newline is forbidden in git:// hosts and repo paths"));
 
 	/*
 	 * These underlying connection commands die() if they
diff --git a/t/t5570-git-daemon.sh b/t/t5570-git-daemon.sh
index 8f69a7854f..0fbb194810 100755
--- a/t/t5570-git-daemon.sh
+++ b/t/t5570-git-daemon.sh
@@ -103,6 +103,11 @@ test_expect_success 'fetch notices corrupt idx' '
 	)
 '
 
+test_expect_success 'client refuses to ask for repo with newline' '
+	test_must_fail git clone "$GIT_DAEMON_URL/repo$LF.git" dst 2>stderr &&
+	test_i18ngrep newline.is.forbidden stderr
+'
+
 test_remote_error()
 {
 	do_export=YesPlease
-- 
2.30.0.572.g094076f6a2

[PATCH 2/2] fsck: reject .gitmodules git:// urls with newlines

[Jeff King]

The previous commit taught the clone/fetch client side to reject a
git:// URL with a newline in it. Let's also catch these when fscking a
.gitmodules file, which will give an earlier warning.

Note that it would be simpler to just complain about newline in _any_
URL, but an earlier tightening for http/ftp made sure we kept allowing
newlines for unknown protocols (and this is covered in the tests). So
we'll stick to that precedent.

Signed-off-by: Jeff King <peff@peff.net>
---
 fsck.c                        |  2 +-
 t/t7416-submodule-dash-url.sh | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/fsck.c b/fsck.c
index f82e2fe9e3..5e282b3b6b 100644
--- a/fsck.c
+++ b/fsck.c
@@ -1082,7 +1082,7 @@ static int check_submodule_url(const char *url)
 	if (looks_like_command_line_option(url))
 		return -1;
 
-	if (submodule_url_is_relative(url)) {
+	if (submodule_url_is_relative(url) || starts_with(url, "git://")) {
 		char *decoded;
 		const char *next;
 		int has_nl;
diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh
index eec96e0ba9..d21dc8b009 100755
--- a/t/t7416-submodule-dash-url.sh
+++ b/t/t7416-submodule-dash-url.sh
@@ -201,4 +201,19 @@ test_expect_success 'fsck rejects embedded newline in relative url' '
 	grep gitmodulesUrl err
 '
 
+test_expect_success 'fsck rejects embedded newline in git url' '
+	git checkout --orphan git-newline &&
+	cat >.gitmodules <<-\EOF &&
+	[submodule "foo"]
+	url = "git://example.com:1234/repo%0a.git"
+	EOF
+	git add .gitmodules &&
+	git commit -m "git url with newline" &&
+	test_when_finished "rm -rf dst" &&
+	git init --bare dst &&
+	git -C dst config transfer.fsckObjects true &&
+	test_must_fail git push dst HEAD 2>err &&
+	grep gitmodulesUrl err
+'
+
 test_done
-- 
2.30.0.572.g094076f6a2