diff options
Diffstat (limited to 'submodule-config.c')
| -rw-r--r-- | submodule-config.c | 195 |
1 files changed, 176 insertions, 19 deletions
diff --git a/submodule-config.c b/submodule-config.c index 4dc61b3a78..11428b4ada 100644 --- a/submodule-config.c +++ b/submodule-config.c @@ -1,13 +1,21 @@ -#include "cache.h" +#include "git-compat-util.h" #include "dir.h" +#include "environment.h" +#include "gettext.h" +#include "hex.h" +#include "path.h" #include "repository.h" #include "config.h" #include "submodule-config.h" #include "submodule.h" #include "strbuf.h" -#include "object-store.h" +#include "object-name.h" +#include "object-store-ll.h" #include "parse-options.h" +#include "thread-utils.h" #include "tree-walk.h" +#include "url.h" +#include "urlmatch.h" /* * submodule cache lookup structure @@ -222,6 +230,144 @@ in_component: return 0; } +static int starts_with_dot_slash(const char *const path) +{ + return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_SLASH | + PATH_MATCH_XPLATFORM); +} + +static int starts_with_dot_dot_slash(const char *const path) +{ + return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_DOT_SLASH | + PATH_MATCH_XPLATFORM); +} + +static int submodule_url_is_relative(const char *url) +{ + return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url); +} + +/* + * Count directory components that a relative submodule URL should chop + * from the remote_url it is to be resolved against. + * + * In other words, this counts "../" components at the start of a + * submodule URL. + * + * Returns the number of directory components to chop and writes a + * pointer to the next character of url after all leading "./" and + * "../" components to out. + */ +static int count_leading_dotdots(const char *url, const char **out) +{ + int result = 0; + while (1) { + if (starts_with_dot_dot_slash(url)) { + result++; + url += strlen("../"); + continue; + } + if (starts_with_dot_slash(url)) { + url += strlen("./"); + continue; + } + *out = url; + return result; + } +} +/* + * Check whether a transport is implemented by git-remote-curl. + * + * If it is, returns 1 and writes the URL that would be passed to + * git-remote-curl to the "out" parameter. + * + * Otherwise, returns 0 and leaves "out" untouched. + * + * Examples: + * http::https://example.com/repo.git -> 1, https://example.com/repo.git + * https://example.com/repo.git -> 1, https://example.com/repo.git + * git://example.com/repo.git -> 0 + * + * This is for use in checking for previously exploitable bugs that + * required a submodule URL to be passed to git-remote-curl. + */ +static int url_to_curl_url(const char *url, const char **out) +{ + /* + * We don't need to check for case-aliases, "http.exe", and so + * on because in the default configuration, is_transport_allowed + * prevents URLs with those schemes from being cloned + * automatically. + */ + if (skip_prefix(url, "http::", out) || + skip_prefix(url, "https::", out) || + skip_prefix(url, "ftp::", out) || + skip_prefix(url, "ftps::", out)) + return 1; + if (starts_with(url, "http://") || + starts_with(url, "https://") || + starts_with(url, "ftp://") || + starts_with(url, "ftps://")) { + *out = url; + return 1; + } + return 0; +} + +int check_submodule_url(const char *url) +{ + const char *curl_url; + + if (looks_like_command_line_option(url)) + return -1; + + if (submodule_url_is_relative(url) || starts_with(url, "git://")) { + char *decoded; + const char *next; + int has_nl; + + /* + * This could be appended to an http URL and url-decoded; + * check for malicious characters. + */ + decoded = url_decode(url); + has_nl = !!strchr(decoded, '\n'); + + free(decoded); + if (has_nl) + return -1; + + /* + * URLs which escape their root via "../" can overwrite + * the host field and previous components, resolving to + * URLs like https::example.com/submodule.git and + * https:///example.com/submodule.git that were + * susceptible to CVE-2020-11008. + */ + if (count_leading_dotdots(url, &next) > 0 && + (*next == ':' || *next == '/')) + return -1; + } + + else if (url_to_curl_url(url, &curl_url)) { + int ret = 0; + char *normalized = url_normalize(curl_url, NULL); + if (normalized) { + char *decoded = url_decode(normalized); + if (strchr(decoded, '\n')) + ret = -1; + free(normalized); + free(decoded); + } else { + ret = -1; + } + + return ret; + } + + return 0; +} + static int name_and_item_from_var(const char *var, struct strbuf *name, struct strbuf *item) { @@ -298,9 +444,10 @@ static int parse_fetch_recurse(const char *opt, const char *arg, } } -int parse_submodule_fetchjobs(const char *var, const char *value) +int parse_submodule_fetchjobs(const char *var, const char *value, + const struct key_value_info *kvi) { - int fetchjobs = git_config_int(var, value); + int fetchjobs = git_config_int(var, value, kvi); if (fetchjobs < 0) die(_("negative values not allowed for submodule.fetchJobs")); if (!fetchjobs) @@ -420,7 +567,8 @@ struct parse_config_parameter { * config store (.git/config, etc). Callers are responsible for * checking for overrides in the main config store when appropriate. */ -static int parse_config(const char *var, const char *value, void *data) +static int parse_config(const char *var, const char *value, + const struct config_context *ctx UNUSED, void *data) { struct parse_config_parameter *me = data; struct submodule *submodule; @@ -508,7 +656,9 @@ static int parse_config(const char *var, const char *value, void *data) submodule->recommend_shallow = git_config_bool(var, value); } else if (!strcmp(item.buf, "branch")) { - if (!me->overwrite && submodule->branch) + if (!value) + ret = config_error_nonbool(var); + else if (!me->overwrite && submodule->branch) warn_multiple_config(me->treeish_name, submodule->name, "branch"); else { @@ -535,7 +685,7 @@ static int gitmodule_oid_from_commit(const struct object_id *treeish_name, } strbuf_addf(rev, "%s:.gitmodules", oid_to_hex(treeish_name)); - if (get_oid(rev->buf, gitmodules_oid) >= 0) + if (repo_get_oid(the_repository, rev->buf, gitmodules_oid) >= 0) ret = 1; return ret; @@ -588,7 +738,8 @@ static const struct submodule *config_from(struct submodule_cache *cache, if (submodule) goto out; - config = read_object_file(&oid, &type, &config_size); + config = repo_read_object_file(the_repository, &oid, &type, + &config_size); if (!config || type != OBJ_BLOB) goto out; @@ -598,7 +749,7 @@ static const struct submodule *config_from(struct submodule_cache *cache, parameter.gitmodules_oid = &oid; parameter.overwrite = 0; git_config_from_mem(parse_config, CONFIG_ORIGIN_SUBMODULE_BLOB, rev.buf, - config, config_size, ¶meter, NULL); + config, config_size, ¶meter, CONFIG_SCOPE_UNKNOWN, NULL); strbuf_release(&rev); free(config); @@ -652,7 +803,6 @@ static void config_from_gitmodules(config_fn_t fn, struct repository *repo, void config_source.file = file; } else if (repo_get_oid(repo, GITMODULES_INDEX, &oid) >= 0 || repo_get_oid(repo, GITMODULES_HEAD, &oid) >= 0) { - config_source.repo = repo; config_source.blob = oidstr = xstrdup(oid_to_hex(&oid)); if (repo != the_repository) add_submodule_odb_by_path(repo->objects->odb->path); @@ -660,7 +810,7 @@ static void config_from_gitmodules(config_fn_t fn, struct repository *repo, void goto out; } - config_with_options(fn, data, &config_source, &opts); + config_with_options(fn, data, &config_source, repo, &opts); out: free(oidstr); @@ -668,7 +818,8 @@ out: } } -static int gitmodules_cb(const char *var, const char *value, void *data) +static int gitmodules_cb(const char *var, const char *value, + const struct config_context *ctx, void *data) { struct repository *repo = data; struct parse_config_parameter parameter; @@ -678,7 +829,7 @@ static int gitmodules_cb(const char *var, const char *value, void *data) parameter.gitmodules_oid = null_oid(); parameter.overwrite = 1; - return parse_config(var, value, ¶meter); + return parse_config(var, value, ctx, ¶meter); } void repo_read_gitmodules(struct repository *repo, int skip_if_read) @@ -706,7 +857,8 @@ void gitmodules_config_oid(const struct object_id *commit_oid) if (gitmodule_oid_from_commit(commit_oid, &oid, &rev)) { git_config_from_blob_oid(gitmodules_cb, rev.buf, - the_repository, &oid, the_repository); + the_repository, &oid, the_repository, + CONFIG_SCOPE_UNKNOWN); } strbuf_release(&rev); @@ -795,7 +947,9 @@ void submodule_free(struct repository *r) submodule_cache_clear(r->submodule_cache); } -static int config_print_callback(const char *var, const char *value, void *cb_data) +static int config_print_callback(const char *var, const char *value, + const struct config_context *ctx UNUSED, + void *cb_data) { char *wanted_key = cb_data; @@ -824,7 +978,7 @@ int config_set_in_gitmodules_file_gently(const char *key, const char *value) { int ret; - ret = git_config_set_in_file_gently(GITMODULES_FILE, key, value); + ret = git_config_set_in_file_gently(GITMODULES_FILE, key, NULL, value); if (ret < 0) /* Maybe the user already did that, don't error out here */ warning(_("Could not update .gitmodules entry %s"), key); @@ -837,13 +991,15 @@ struct fetch_config { int *recurse_submodules; }; -static int gitmodules_fetch_config(const char *var, const char *value, void *cb) +static int gitmodules_fetch_config(const char *var, const char *value, + const struct config_context *ctx, + void *cb) { struct fetch_config *config = cb; if (!strcmp(var, "submodule.fetchjobs")) { if (config->max_children) *(config->max_children) = - parse_submodule_fetchjobs(var, value); + parse_submodule_fetchjobs(var, value, ctx->kvi); return 0; } else if (!strcmp(var, "fetch.recursesubmodules")) { if (config->recurse_submodules) @@ -865,11 +1021,12 @@ void fetch_config_from_gitmodules(int *max_children, int *recurse_submodules) } static int gitmodules_update_clone_config(const char *var, const char *value, + const struct config_context *ctx, void *cb) { int *max_jobs = cb; if (!strcmp(var, "submodule.fetchjobs")) - *max_jobs = parse_submodule_fetchjobs(var, value); + *max_jobs = parse_submodule_fetchjobs(var, value, ctx->kvi); return 0; } |