From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Jonathan Nieder <jrnieder@gmail.com>, git@vger.kernel.org
Subject: Re: [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore
Date: Tue, 27 Oct 2020 15:00:36 -0700
Message-ID: <xmqqv9ev9vnf.fsf@gitster.c.googlers.com>
In-Reply-To: <20201027075853.GH3005508@coredump.intra.peff.net> (Jeff King's message of "Tue, 27 Oct 2020 03:58:53 -0400")
Jeff King <peff@peff.net> writes:
> diff --git a/environment.c b/environment.c
> index bb518c61cd..7c233e0e0e 100644
> --- a/environment.c
> +++ b/environment.c
> @@ -73,6 +73,7 @@ int merge_log_config = -1;
> int precomposed_unicode = -1; /* see probe_utf8_pathname_composition() */
> unsigned long pack_size_limit_cfg;
> enum log_refs_config log_all_ref_updates = LOG_REFS_UNSET;
> +int allow_external_symlinks = 1;
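Review bot: the policy is opt-in: `allow_external_symlinks` is initialised to 1, so safe_symlink() refuses nothing until something clears the flag, and this hunk shows neither the configuration or command-line knob that does so nor the extern declaration other compilation units would need. A short comment next to the definition naming the default and the setting that changes it (as the neighbouring `precomposed_unicode` line does) would make the intended behaviour visible to a reader of environment.c.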
OK, so by default it is not blocked...
> +static int symlink_leaves_repo(const char *target, const char *linkpath)
> +{
> + /*
> + * Absolute paths are always considered to leave the repository (even
> + * if they happen to point to the working tree path).
> + */
> + if (is_absolute_path(target))
> + return 1;
Very sensible.
> + /*
> + * Allow relative paths that start with a sequence of "../",
> + * as long as they do not break out of the symlink's root.
> + * This loop will detect break-out cases and return; otherwise, at the
> + * end of the loop "target" will point to the first non-".." component.
> + *
> + * We count the depth of linkpath by eating up directory components left
> + * to right. Technically the symlink would resolve right-to-left, but
> + * we don't care about the actual values, only the number.
> + */
> + while (target[0] == '.') {
> + if (!target[1]) {
> + /* trailing "." -- ignore */
> + target++;
> + } else if (is_dir_sep(target[1])) {
> + /* "./" -- ignore */
> + target += 2;
> + } else if (target[1] == '.' &&
> + (!target[2] || is_dir_sep(target[2]))) {
> + /* ".." or "../" -- drop one from linkpath depth */
> + while (!is_dir_sep(*linkpath)) {
> + /* end-of-string; target exceeded our depth */
> + if (!*linkpath)
> + return 1;
> + linkpath++;
> + }
> + /* skip final "/" */
> + linkpath++;
> +
> + /* skip past ".." */
> + target += 2;
> + /* and "/" if present */
> + if (is_dir_sep(*target))
> + target++;
> + }
> + }
> +
> + /*
> + * Now we have a path in "target" that only go down into the tree.
> + * Disallow any interior "../", like "foo/../bar". These might be
> + * OK, but we cannot know unless we know whether "foo" is itself a
> + * symlink. So err on the side of caution.
> + */
> + while (*target) {
> + const char *v;
> + if (skip_prefix(target, "..", &v) && (!*v || is_dir_sep(*v)))
> + return 1;
> + target++;
> + }
> +
> + return 0;
> +}
> +
> +int safe_symlink(const char *target, const char *linkpath)
> +{
> + if (!allow_external_symlinks &&
> + symlink_leaves_repo(target, linkpath)) {
> + errno = EPERM;
> + return -1;
> + }
> +
> + return symlink(target, linkpath);
> +}
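Review bot: the first `while (target[0] == '.')` loop in symlink_leaves_repo() never terminates for a target whose first component starts with a dot but matches none of the three branches, for example ".hidden", "..foo" or "...": target[1] is neither NUL, a separator, nor a '.' followed by NUL or a separator, so no branch advances `target` and the condition stays true. An `else break;` as the final branch lets such a component fall through to the interior check below. Separately, the second loop applies `skip_prefix(target, "..", &v)` at every byte rather than at component boundaries, so an entry legitimately named "b.." (NUL after the two dots) or a "..." component (separator or NUL after its last two dots) is reported as leaving the repository; advancing `target` to the next separator after each check, or only testing at a component start, would avoid those false positives while keeping the cautious "foo/../bar" rejection the comment describes. Minor: "only go down into the tree" in that comment should read "only goes down".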
OK. This is only about blocking creation of new symbolic links that
go outside the working tree. It obviously is a good thing to do.
We have some "symlink safety" in various parts of the system [*1*],
and I wonder if we can somehow consolidate the support to a more
central place.
Thanks.
[Footnote]
*1* For example, apply tries to be careful not to take the "path"
recorded in the incoming patch blindly, and instead checks if
any path component in it is a symbolic link before touching.
Similarly, callers of has_symlink_leading_path() all try to be
careful when the "path" they want to use to access a filesystem
entity has a symbolic link in the middle on the filesystem.
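The footnote describes the check that apply and the callers of has_symlink_leading_path() make before touching a path: refuse to proceed when any directory on the way to the target is itself a symbolic link. The following is an added, stand-alone C version of that idea, not git's own code; the function names, the base-plus-relative-path signature and the temporary fixture are my own.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if any leading directory component of relpath (everything before
 * its final entry), looked up under base, is itself a symlink; 0 if none is;
 * -1 if the joined path does not fit. A component that does not exist cannot
 * be a link, so an lstat() failure counts as "not a symlink". */
int has_symlink_leading_path(const char *base, const char *relpath)
{
	char buf[PATH_MAX];
	size_t len = strlen(base);
	const char *p = relpath, *slash;
	if (len + strlen(relpath) + 2 > sizeof(buf))
		return -1;
	memcpy(buf, base, len);
	while ((slash = strchr(p, '/')) != NULL) {
		struct stat st;
		buf[len++] = '/';		/* extend buf by "/<component>" */
		memcpy(buf + len, p, slash - p);
		len += slash - p;
		buf[len] = '\0';
		/* lstat() reports on the entry itself, not on what it points to */
		if (!lstat(buf, &st) && S_ISLNK(st.st_mode))
			return 1;
		p = slash + 1;
	}
	return 0;	/* only the final entry is left; it is not a leading component */
}

static char fixture_dir[PATH_MAX];

/* Constructed fixture (not from the page): creates <tmp>/real/ and a symlink
 * <tmp>/link -> real under a fresh mkdtemp() directory; returns it or NULL. */
const char *setup_fixture(void)
{
	char path[PATH_MAX + 16];
	const char *tmp = getenv("TMPDIR");
	snprintf(fixture_dir, sizeof(fixture_dir), "%s/leading-XXXXXX", tmp ? tmp : "/tmp");
	if (!mkdtemp(fixture_dir)) return NULL;
	snprintf(path, sizeof(path), "%s/real", fixture_dir);
	if (mkdir(path, 0700)) return NULL;
	snprintf(path, sizeof(path), "%s/link", fixture_dir);
	return symlink("real", path) ? NULL : fixture_dir;
}
```

With the fixture in place, "real/file" passes while "link/file" is flagged; a bare "link" is not flagged because the final entry is the caller's responsibility, just as in the git check the footnote refers to.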