From 6f054f9fb3a501c35b55c65e547a244f14c38d56 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Thu, 28 Jul 2022 17:35:17 -0400 Subject: [PATCH 01/33] builtin/clone.c: disallow `--local` clones with symlinks When cloning a repository with `--local`, Git relies on either making a hardlink or copy to every file in the "objects" directory of the source repository. This is done through the callpath `cmd_clone()` -> `clone_local()` -> `copy_or_link_directory()`. The way this optimization works is by enumerating every file and directory recursively in the source repository's `$GIT_DIR/objects` directory, and then either making a copy or hardlink of each file. The only exception to this rule is when copying the "alternates" file, in which case paths are rewritten to be absolute before writing a new "alternates" file in the destination repo. One quirk of this implementation is that it dereferences symlinks when cloning. This behavior was most recently modified in 36596fd2df (clone: better handle symlinked files at .git/objects/, 2019-07-10), which attempted to support `--local` clones of repositories with symlinks in their objects directory in a platform-independent way. Unfortunately, this behavior of dereferencing symlinks (that is, creating a hardlink or copy of the source's link target in the destination repository) can be used as a component in attacking a victim by inadvertently exposing the contents of file stored outside of the repository. Take, for example, a repository that stores a Dockerfile and is used to build Docker images. When building an image, Docker copies the directory contents into the VM, and then instructs the VM to execute the Dockerfile at the root of the copied directory. This protects against directory traversal attacks by copying symbolic links as-is without dereferencing them. That is, if a user has a symlink pointing at their private key material (where the symlink is present in the same directory as the Dockerfile, but the key itself is present outside of that directory), the key is unreadable to a Docker image, since the link will appear broken from the container's point of view. This behavior enables an attack whereby a victim is convinced to clone a repository containing an embedded submodule (with a URL like "file:///proc/self/cwd/path/to/submodule") which has a symlink pointing at a path containing sensitive information on the victim's machine. If a user is tricked into doing this, the contents at the destination of those symbolic links are exposed to the Docker image at runtime. One approach to preventing this behavior is to recreate symlinks in the destination repository. But this is problematic, since symlinking the objects directory are not well-supported. (One potential problem is that when sharing, e.g. a "pack" directory via symlinks, different writers performing garbage collection may consider different sets of objects to be reachable, enabling a situation whereby garbage collecting one repository may remove reachable objects in another repository). Instead, prohibit the local clone optimization when any symlinks are present in the `$GIT_DIR/objects` directory of the source repository. Users may clone the repository again by prepending the "file://" scheme to their clone URL, or by adding the `--no-local` option to their `git clone` invocation. The directory iterator used by `copy_or_link_directory()` must no longer dereference symlinks (i.e., it *must* call `lstat()` instead of `stat()` in order to discover whether or not there are symlinks present). This has no bearing on the overall behavior, since we will immediately `die()` on encounter a symlink. Note that t5604.33 suggests that we do support local clones with symbolic links in the source repository's objects directory, but this was likely unintentional, or at least did not take into consideration the problem with sharing parts of the objects directory with symbolic links at the time. Update this test to reflect which options are and aren't supported. Helped-by: Johannes Schindelin Signed-off-by: Taylor Blau --- builtin/clone.c | 8 +++--- t/t5604-clone-reference.sh | 50 ++++++++++++++------------------------ 2 files changed, 23 insertions(+), 35 deletions(-) diff --git a/builtin/clone.c b/builtin/clone.c index e335734b4cfd32..e626073b1f198c 100644 --- a/builtin/clone.c +++ b/builtin/clone.c @@ -420,13 +420,11 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest, int src_len, dest_len; struct dir_iterator *iter; int iter_status; - unsigned int flags; struct strbuf realpath = STRBUF_INIT; mkdir_if_missing(dest->buf, 0777); - flags = DIR_ITERATOR_PEDANTIC | DIR_ITERATOR_FOLLOW_SYMLINKS; - iter = dir_iterator_begin(src->buf, flags); + iter = dir_iterator_begin(src->buf, DIR_ITERATOR_PEDANTIC); if (!iter) die_errno(_("failed to start iterator over '%s'"), src->buf); @@ -442,6 +440,10 @@ static void copy_or_link_directory(struct strbuf *src, struct strbuf *dest, strbuf_setlen(dest, dest_len); strbuf_addstr(dest, iter->relative_path); + if (S_ISLNK(iter->st.st_mode)) + die(_("symlink '%s' exists, refusing to clone with --local"), + iter->relative_path); + if (S_ISDIR(iter->st.st_mode)) { mkdir_if_missing(dest->buf, 0777); continue; diff --git a/t/t5604-clone-reference.sh b/t/t5604-clone-reference.sh index 2f7be23044712a..9d32f1c4a4962c 100755 --- a/t/t5604-clone-reference.sh +++ b/t/t5604-clone-reference.sh @@ -300,8 +300,6 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file ln -s ../an-object $obj && cd ../ && - find . -type f | sort >../../../T.objects-files.raw && - find . -type l | sort >../../../T.objects-symlinks.raw && echo unknown_content >unknown_file ) && git -C T fsck && @@ -310,19 +308,27 @@ test_expect_success SYMLINKS 'setup repo with manually symlinked or unknown file test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at objects/' ' - for option in --local --no-hardlinks --shared --dissociate + # None of these options work when cloning locally, since T has + # symlinks in its `$GIT_DIR/objects` directory + for option in --local --no-hardlinks --dissociate do - git clone $option T T$option || return 1 && - git -C T$option fsck || return 1 && - git -C T$option rev-list --all --objects >T$option.objects && - test_cmp T.objects T$option.objects && - ( - cd T$option/.git/objects && - find . -type f | sort >../../../T$option.objects-files.raw && - find . -type l | sort >../../../T$option.objects-symlinks.raw - ) + test_must_fail git clone $option T T$option 2>err || return 1 && + test_i18ngrep "symlink.*exists" err || return 1 done && + # But `--shared` clones should still work, even when specifying + # a local path *and* that repository has symlinks present in its + # `$GIT_DIR/objects` directory. + git clone --shared T T--shared && + git -C T--shared fsck && + git -C T--shared rev-list --all --objects >T--shared.objects && + test_cmp T.objects T--shared.objects && + ( + cd T--shared/.git/objects && + find . -type f | sort >../../../T--shared.objects-files.raw && + find . -type l | sort >../../../T--shared.objects-symlinks.raw + ) && + for raw in $(ls T*.raw) do sed -e "s!/../!/Y/!; s![0-9a-f]\{38,\}!Z!" -e "/commit-graph/d" \ @@ -330,26 +336,6 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje sort $raw.de-sha-1 >$raw.de-sha || return 1 done && - cat >expected-files <<-EOF && - ./Y/Z - ./Y/Z - ./Y/Z - ./a-loose-dir/Z - ./an-object - ./info/packs - ./pack/pack-Z.idx - ./pack/pack-Z.pack - ./packs/pack-Z.idx - ./packs/pack-Z.pack - ./unknown_file - EOF - - for option in --local --no-hardlinks --dissociate - do - test_cmp expected-files T$option.objects-files.raw.de-sha || return 1 && - test_must_be_empty T$option.objects-symlinks.raw.de-sha || return 1 - done && - echo ./info/alternates >expected-files && test_cmp expected-files T--shared.objects-files.raw && test_must_be_empty T--shared.objects-symlinks.raw From 7de0c306f7b758d3fb537c18c2751f6250cea7a0 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:13:58 -0400 Subject: [PATCH 02/33] t/lib-submodule-update.sh: allow local submodules To prepare for changing the default value of `protocol.file.allow` to "user", update the `prolog()` function in lib-submodule-update to allow submodules to be cloned over the file protocol. This is used by a handful of submodule-related test scripts, which themselves will have to tweak the value of `protocol.file.allow` in certain locations. Those will be done in subsequent commits. Signed-off-by: Taylor Blau --- t/lib-submodule-update.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/lib-submodule-update.sh b/t/lib-submodule-update.sh index 4b714e93083f12..cc5b58bdde0067 100644 --- a/t/lib-submodule-update.sh +++ b/t/lib-submodule-update.sh @@ -196,6 +196,7 @@ test_git_directory_exists () { # the submodule repo if it doesn't exist and configures the most problematic # settings for diff.ignoreSubmodules. prolog () { + test_config_global protocol.file.allow always && (test -d submodule_update_repo || create_lib_submodule_repo) && test_config_global diff.ignoreSubmodules all && test_config diff.ignoreSubmodules all From 8a96dbcb339d25ba1813632319ea4052bc586ddf Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:16:10 -0400 Subject: [PATCH 03/33] t/t1NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Signed-off-by: Taylor Blau --- t/t1091-sparse-checkout-builtin.sh | 3 ++- t/t1500-rev-parse.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh index 84acfc48b6786a..749c8f1c0ab82a 100755 --- a/t/t1091-sparse-checkout-builtin.sh +++ b/t/t1091-sparse-checkout-builtin.sh @@ -449,7 +449,8 @@ test_expect_success 'interaction with submodules' ' ( cd super && mkdir modules && - git submodule add ../repo modules/child && + git -c protocol.file.allow=always \ + submodule add ../repo modules/child && git add . && git commit -m "add submodule" && git sparse-checkout init --cone && diff --git a/t/t1500-rev-parse.sh b/t/t1500-rev-parse.sh index 408b97d5af9551..acef9fda0c62d1 100755 --- a/t/t1500-rev-parse.sh +++ b/t/t1500-rev-parse.sh @@ -163,7 +163,8 @@ test_expect_success 'showing the superproject correctly' ' test_commit -C super test_commit && test_create_repo sub && test_commit -C sub test_commit && - git -C super submodule add ../sub dir/sub && + git -c protocol.file.allow=always \ + -C super submodule add ../sub dir/sub && echo $(pwd)/super >expect && git -C super/dir/sub rev-parse --show-superproject-working-tree >out && test_cmp expect out && From 99f4abb8dae4c9c604e5d5cf255958bbe537b928 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:20:03 -0400 Subject: [PATCH 04/33] t/2NNNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau --- t/t2400-worktree-add.sh | 2 ++ t/t2403-worktree-move.sh | 7 +++++-- t/t2405-worktree-submodule.sh | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/t/t2400-worktree-add.sh b/t/t2400-worktree-add.sh index 5a7495474aa872..cd02f7854d4084 100755 --- a/t/t2400-worktree-add.sh +++ b/t/t2400-worktree-add.sh @@ -597,6 +597,7 @@ test_expect_success '"add" should not fail because of another bad worktree' ' ' test_expect_success '"add" with uninitialized submodule, with submodule.recurse unset' ' + test_config_global protocol.file.allow always && test_create_repo submodule && test_commit -C submodule first && test_create_repo project && @@ -612,6 +613,7 @@ test_expect_success '"add" with uninitialized submodule, with submodule.recurse ' test_expect_success '"add" with initialized submodule, with submodule.recurse unset' ' + test_config_global protocol.file.allow always && git -C project-clone submodule update --init && git -C project-clone worktree add ../project-4 ' diff --git a/t/t2403-worktree-move.sh b/t/t2403-worktree-move.sh index a4e1a178e0a003..e8246eed9c6047 100755 --- a/t/t2403-worktree-move.sh +++ b/t/t2403-worktree-move.sh @@ -138,7 +138,8 @@ test_expect_success 'move a repo with uninitialized submodule' ' ( cd withsub && test_commit initial && - git submodule add "$PWD"/.git sub && + git -c protocol.file.allow=always \ + submodule add "$PWD"/.git sub && git commit -m withsub && git worktree add second HEAD && git worktree move second third @@ -148,7 +149,7 @@ test_expect_success 'move a repo with uninitialized submodule' ' test_expect_success 'not move a repo with initialized submodule' ' ( cd withsub && - git -C third submodule update && + git -c protocol.file.allow=always -C third submodule update && test_must_fail git worktree move third forth ) ' @@ -227,6 +228,7 @@ test_expect_success 'remove cleans up .git/worktrees when empty' ' ' test_expect_success 'remove a repo with uninitialized submodule' ' + test_config_global protocol.file.allow always && ( cd withsub && git worktree add to-remove HEAD && @@ -235,6 +237,7 @@ test_expect_success 'remove a repo with uninitialized submodule' ' ' test_expect_success 'not remove a repo with initialized submodule' ' + test_config_global protocol.file.allow always && ( cd withsub && git worktree add to-remove HEAD && diff --git a/t/t2405-worktree-submodule.sh b/t/t2405-worktree-submodule.sh index e1b2bfd87e0d59..51120d5debe9ec 100755 --- a/t/t2405-worktree-submodule.sh +++ b/t/t2405-worktree-submodule.sh @@ -7,6 +7,7 @@ test_description='Combination of submodules and multiple worktrees' base_path=$(pwd -P) test_expect_success 'setup: create origin repos' ' + git config --global protocol.file.allow always && git init origin/sub && test_commit -C origin/sub file1 && git init origin/main && From f8d510ed0b357787c8d035d64f240bd82b424dc4 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:20:28 -0400 Subject: [PATCH 05/33] t/t3NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau --- t/t3200-branch.sh | 1 + t/t3420-rebase-autostash.sh | 2 +- t/t3426-rebase-submodule.sh | 3 ++- t/t3512-cherry-pick-submodule.sh | 2 ++ t/t3600-rm.sh | 3 ++- t/t3906-stash-submodule.sh | 2 +- 6 files changed, 9 insertions(+), 4 deletions(-) diff --git a/t/t3200-branch.sh b/t/t3200-branch.sh index 3ec3e1d7303399..631a0b506af5c3 100755 --- a/t/t3200-branch.sh +++ b/t/t3200-branch.sh @@ -279,6 +279,7 @@ test_expect_success 'deleting checked-out branch from repo that is a submodule' git init repo1 && git init repo1/sub && test_commit -C repo1/sub x && + test_config_global protocol.file.allow always && git -C repo1 submodule add ./sub && git -C repo1 commit -m "adding sub" && diff --git a/t/t3420-rebase-autostash.sh b/t/t3420-rebase-autostash.sh index ca331733fbb58e..80df13a9a90d46 100755 --- a/t/t3420-rebase-autostash.sh +++ b/t/t3420-rebase-autostash.sh @@ -307,7 +307,7 @@ test_expect_success 'autostash is saved on editor failure with conflict' ' test_expect_success 'autostash with dirty submodules' ' test_when_finished "git reset --hard && git checkout master" && git checkout -b with-submodule && - git submodule add ./ sub && + git -c protocol.file.allow=always submodule add ./ sub && test_tick && git commit -m add-submodule && echo changed >sub/file0 && diff --git a/t/t3426-rebase-submodule.sh b/t/t3426-rebase-submodule.sh index 0ad3a07bf47093..fb21f675bb94c1 100755 --- a/t/t3426-rebase-submodule.sh +++ b/t/t3426-rebase-submodule.sh @@ -47,7 +47,8 @@ test_expect_success 'rebase interactive ignores modified submodules' ' git init sub && git -C sub commit --allow-empty -m "Initial commit" && git init super && - git -C super submodule add ../sub && + git -c protocol.file.allow=always \ + -C super submodule add ../sub && git -C super config submodule.sub.ignore dirty && >super/foo && git -C super add foo && diff --git a/t/t3512-cherry-pick-submodule.sh b/t/t3512-cherry-pick-submodule.sh index 6ece1d85736ade..697bc689587f7c 100755 --- a/t/t3512-cherry-pick-submodule.sh +++ b/t/t3512-cherry-pick-submodule.sh @@ -10,6 +10,8 @@ KNOWN_FAILURE_NOFF_MERGE_ATTEMPTS_TO_MERGE_REMOVED_SUBMODULE_FILES=1 test_submodule_switch "cherry-pick" test_expect_success 'unrelated submodule/file conflict is ignored' ' + test_config_global protocol.file.allow always && + test_create_repo sub && touch sub/file && diff --git a/t/t3600-rm.sh b/t/t3600-rm.sh index efec8d13b66182..99dab763325d9c 100755 --- a/t/t3600-rm.sh +++ b/t/t3600-rm.sh @@ -321,7 +321,7 @@ test_expect_success 'rm removes empty submodules from work tree' ' test_expect_success 'rm removes removed submodule from index and .gitmodules' ' git reset --hard && - git submodule update && + git -c protocol.file.allow=always submodule update && rm -rf submod && git rm submod && git status -s -uno --ignore-submodules=none >actual && @@ -627,6 +627,7 @@ cat >expect.deepmodified < Date: Fri, 29 Jul 2022 15:20:43 -0400 Subject: [PATCH 06/33] t/t4NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau --- t/t4059-diff-submodule-not-initialized.sh | 2 +- t/t4060-diff-submodule-option-diff-format.sh | 4 ++-- t/t4067-diff-partial-clone.sh | 1 + t/t4208-log-magic-pathspec.sh | 1 + 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/t/t4059-diff-submodule-not-initialized.sh b/t/t4059-diff-submodule-not-initialized.sh index 49bca7b48d910f..d489230df89663 100755 --- a/t/t4059-diff-submodule-not-initialized.sh +++ b/t/t4059-diff-submodule-not-initialized.sh @@ -49,7 +49,7 @@ test_expect_success 'setup - submodules' ' ' test_expect_success 'setup - git submodule add' ' - git submodule add ./sm2 sm1 && + git -c protocol.file.allow=always submodule add ./sm2 sm1 && commit_file sm1 .gitmodules && git diff-tree -p --no-commit-id --submodule=log HEAD -- sm1 >actual && cat >expected <<-EOF && diff --git a/t/t4060-diff-submodule-option-diff-format.sh b/t/t4060-diff-submodule-option-diff-format.sh index fc8229c7260b5c..57b19125c0da28 100755 --- a/t/t4060-diff-submodule-option-diff-format.sh +++ b/t/t4060-diff-submodule-option-diff-format.sh @@ -759,9 +759,9 @@ test_expect_success 'diff --submodule=diff with .git file' ' ' test_expect_success 'setup nested submodule' ' - git submodule add -f ./sm2 && + git -c protocol.file.allow=always submodule add -f ./sm2 && git commit -a -m "add sm2" && - git -C sm2 submodule add ../sm2 nested && + git -c protocol.file.allow=always -C sm2 submodule add ../sm2 nested && git -C sm2 commit -a -m "nested sub" && head10=$(git -C sm2 rev-parse --short --verify HEAD) ' diff --git a/t/t4067-diff-partial-clone.sh b/t/t4067-diff-partial-clone.sh index 804f2a82e8315d..28f42a4046e08e 100755 --- a/t/t4067-diff-partial-clone.sh +++ b/t/t4067-diff-partial-clone.sh @@ -77,6 +77,7 @@ test_expect_success 'diff skips same-OID blobs' ' test_expect_success 'when fetching missing objects, diff skips GITLINKs' ' test_when_finished "rm -rf sub server client trace" && + test_config_global protocol.file.allow always && test_create_repo sub && test_commit -C sub first && diff --git a/t/t4208-log-magic-pathspec.sh b/t/t4208-log-magic-pathspec.sh index 6cdbe4747aa837..aeaf0d5ba35312 100755 --- a/t/t4208-log-magic-pathspec.sh +++ b/t/t4208-log-magic-pathspec.sh @@ -126,6 +126,7 @@ test_expect_success 'command line pathspec parsing for "git log"' ' test_expect_success 'tree_entry_interesting does not match past submodule boundaries' ' test_when_finished "rm -rf repo submodule" && + test_config_global protocol.file.allow always && git init submodule && test_commit -C submodule initial && git init repo && From 225d2d50ccef4baae410a96b9dc9e3978d164826 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:21:06 -0400 Subject: [PATCH 07/33] t/t5NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau --- t/t5510-fetch.sh | 1 + t/t5526-fetch-submodules.sh | 1 + t/t5545-push-options.sh | 1 + t/t5572-pull-submodule.sh | 4 ++++ t/t5601-clone.sh | 1 + t/t5614-clone-submodules-shallow.sh | 8 ++++++++ t/t5616-partial-clone.sh | 2 ++ t/t5617-clone-submodules-remote.sh | 1 + 8 files changed, 19 insertions(+) diff --git a/t/t5510-fetch.sh b/t/t5510-fetch.sh index 2013051a64eae5..b60ba0f7882223 100755 --- a/t/t5510-fetch.sh +++ b/t/t5510-fetch.sh @@ -627,6 +627,7 @@ test_expect_success 'fetch.writeCommitGraph' ' ' test_expect_success 'fetch.writeCommitGraph with submodules' ' + test_config_global protocol.file.allow always && git clone dups super && ( cd super && diff --git a/t/t5526-fetch-submodules.sh b/t/t5526-fetch-submodules.sh index 53d7b8ed7571f5..aa04eacb652d90 100755 --- a/t/t5526-fetch-submodules.sh +++ b/t/t5526-fetch-submodules.sh @@ -35,6 +35,7 @@ add_upstream_commit() { } test_expect_success setup ' + git config --global protocol.file.allow always && mkdir deepsubmodule && ( cd deepsubmodule && diff --git a/t/t5545-push-options.sh b/t/t5545-push-options.sh index 38e6f7340e7447..77ce917cdd8be5 100755 --- a/t/t5545-push-options.sh +++ b/t/t5545-push-options.sh @@ -113,6 +113,7 @@ test_expect_success 'push options and submodules' ' test_commit -C parent one && git -C parent push --mirror up && + test_config_global protocol.file.allow always && git -C parent submodule add ../upstream workbench && git -C parent/workbench remote add up ../../upstream && git -C parent commit -m "add submodule" && diff --git a/t/t5572-pull-submodule.sh b/t/t5572-pull-submodule.sh index 37fd06b0be8f48..9b3b4af6107899 100755 --- a/t/t5572-pull-submodule.sh +++ b/t/t5572-pull-submodule.sh @@ -46,6 +46,10 @@ KNOWN_FAILURE_NOFF_MERGE_DOESNT_CREATE_EMPTY_SUBMODULE_DIR=1 KNOWN_FAILURE_NOFF_MERGE_ATTEMPTS_TO_MERGE_REMOVED_SUBMODULE_FILES=1 test_submodule_switch_func "git_pull_noff" +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'pull --recurse-submodule setup' ' test_create_repo child && test_commit -C child bar && diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 7df3c5373ae605..50d482114d8ac3 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -738,6 +738,7 @@ test_expect_success 'batch missing blob request does not inadvertently try to fe echo aa >server/a && echo bb >server/b && # Also add a gitlink pointing to an arbitrary repository + test_config_global protocol.file.allow always && git -C server submodule add "$(pwd)/repo_for_submodule" c && git -C server add a b c && git -C server commit -m x && diff --git a/t/t5614-clone-submodules-shallow.sh b/t/t5614-clone-submodules-shallow.sh index e4e6ea4d527faa..d361738b515146 100755 --- a/t/t5614-clone-submodules-shallow.sh +++ b/t/t5614-clone-submodules-shallow.sh @@ -24,6 +24,7 @@ test_expect_success 'setup' ' test_expect_success 'nonshallow clone implies nonshallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 3 lines && @@ -33,6 +34,7 @@ test_expect_success 'nonshallow clone implies nonshallow submodule' ' test_expect_success 'shallow clone with shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 --shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -42,6 +44,7 @@ test_expect_success 'shallow clone with shallow submodule' ' test_expect_success 'shallow clone does not imply shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -51,6 +54,7 @@ test_expect_success 'shallow clone does not imply shallow submodule' ' test_expect_success 'shallow clone with non shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --depth 2 --no-shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 2 lines && @@ -60,6 +64,7 @@ test_expect_success 'shallow clone with non shallow submodule' ' test_expect_success 'non shallow clone with shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --recurse-submodules --no-local --shallow-submodules "file://$pwd/." super_clone && git -C super_clone log --oneline >lines && test_line_count = 3 lines && @@ -69,6 +74,7 @@ test_expect_success 'non shallow clone with shallow submodule' ' test_expect_success 'clone follows shallow recommendation' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git config -f .gitmodules submodule.sub.shallow true && git add .gitmodules && git commit -m "recommend shallow for sub" && @@ -87,6 +93,7 @@ test_expect_success 'clone follows shallow recommendation' ' test_expect_success 'get unshallow recommended shallow submodule' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git clone --no-local "file://$pwd/." super_clone && ( cd super_clone && @@ -103,6 +110,7 @@ test_expect_success 'get unshallow recommended shallow submodule' ' test_expect_success 'clone follows non shallow recommendation' ' test_when_finished "rm -rf super_clone" && + test_config_global protocol.file.allow always && git config -f .gitmodules submodule.sub.shallow false && git add .gitmodules && git commit -m "recommend non shallow for sub" && diff --git a/t/t5616-partial-clone.sh b/t/t5616-partial-clone.sh index d98c5502671591..a6138e8cfc334d 100755 --- a/t/t5616-partial-clone.sh +++ b/t/t5616-partial-clone.sh @@ -171,6 +171,8 @@ test_expect_success 'partial clone with transfer.fsckobjects=1 works with submod test_config -C src_with_sub uploadpack.allowfilter 1 && test_config -C src_with_sub uploadpack.allowanysha1inwant 1 && + test_config_global protocol.file.allow always && + git -C src_with_sub submodule add "file://$(pwd)/submodule" mysub && git -C src_with_sub commit -m "commit with submodule" && diff --git a/t/t5617-clone-submodules-remote.sh b/t/t5617-clone-submodules-remote.sh index 1a041df10bee55..0152dc04400fff 100755 --- a/t/t5617-clone-submodules-remote.sh +++ b/t/t5617-clone-submodules-remote.sh @@ -7,6 +7,7 @@ test_description='Test cloning repos with submodules using remote-tracking branc pwd=$(pwd) test_expect_success 'setup' ' + git config --global protocol.file.allow always && git checkout -b master && test_commit commit1 && mkdir sub && From 0f21b8f468566b991eea60bb7bdf2fce9265e367 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:21:18 -0400 Subject: [PATCH 08/33] t/t6NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Signed-off-by: Taylor Blau --- t/t6008-rev-list-submodule.sh | 2 +- t/t6134-pathspec-in-submodule.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t6008-rev-list-submodule.sh b/t/t6008-rev-list-submodule.sh index c4af9ca0a7edf6..a65e5f283ccad1 100755 --- a/t/t6008-rev-list-submodule.sh +++ b/t/t6008-rev-list-submodule.sh @@ -23,7 +23,7 @@ test_expect_success 'setup' ' : > super-file && git add super-file && - git submodule add "$(pwd)" sub && + git -c protocol.file.allow=always submodule add "$(pwd)" sub && git symbolic-ref HEAD refs/heads/super && test_tick && git commit -m super-initial && diff --git a/t/t6134-pathspec-in-submodule.sh b/t/t6134-pathspec-in-submodule.sh index c670668409817c..2fde65b4311337 100755 --- a/t/t6134-pathspec-in-submodule.sh +++ b/t/t6134-pathspec-in-submodule.sh @@ -9,7 +9,7 @@ test_expect_success 'setup a submodule' ' : >pretzel/a && git -C pretzel add a && git -C pretzel commit -m "add a file" -- a && - git submodule add ./pretzel sub && + git -c protocol.file.allow=always submodule add ./pretzel sub && git commit -a -m "add submodule" && git submodule deinit --all ' From 0d3beb71dad7906f576b0de9cea32164549163fe Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:21:40 -0400 Subject: [PATCH 09/33] t/t7NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau --- t/t7001-mv.sh | 2 ++ t/t7064-wtstatus-pv2.sh | 1 + t/t7300-clean.sh | 1 + t/t7400-submodule-basic.sh | 4 ++++ t/t7403-submodule-sync.sh | 2 ++ t/t7406-submodule-update.sh | 1 + t/t7407-submodule-foreach.sh | 1 + t/t7408-submodule-reference.sh | 4 ++++ t/t7409-submodule-detached-work-tree.sh | 4 ++++ t/t7411-submodule-config.sh | 3 +++ t/t7413-submodule-is-active.sh | 1 + t/t7414-submodule-mistakes.sh | 3 ++- t/t7415-submodule-names.sh | 4 ++++ t/t7416-submodule-dash-url.sh | 4 ++++ t/t7417-submodule-path-url.sh | 4 ++++ t/t7418-submodule-sparse-gitmodules.sh | 4 ++++ t/t7419-submodule-set-branch.sh | 4 ++++ t/t7420-submodule-set-url.sh | 4 ++++ t/t7421-submodule-summary-add.sh | 4 ++++ t/t7506-status-submodule.sh | 2 ++ t/t7507-commit-verbose.sh | 1 + t/t7800-difftool.sh | 1 + t/t7814-grep-recurse-submodules.sh | 4 ++++ 23 files changed, 62 insertions(+), 1 deletion(-) diff --git a/t/t7001-mv.sh b/t/t7001-mv.sh index 63d5f41a124783..6156eeb9ade72c 100755 --- a/t/t7001-mv.sh +++ b/t/t7001-mv.sh @@ -307,6 +307,7 @@ test_expect_success SYMLINKS 'check moved symlink' ' rm -f moved symlink test_expect_success 'setup submodule' ' + test_config_global protocol.file.allow always && git commit -m initial && git reset --hard && git submodule add ./. sub && @@ -513,6 +514,7 @@ test_expect_success 'moving a submodule in nested directories' ' ' test_expect_success 'moving nested submodules' ' + test_config_global protocol.file.allow always && git commit -am "cleanup commit" && mkdir sub_nested_nested && (cd sub_nested_nested && diff --git a/t/t7064-wtstatus-pv2.sh b/t/t7064-wtstatus-pv2.sh index 601b47830bf520..2fdb6ecc172cf3 100755 --- a/t/t7064-wtstatus-pv2.sh +++ b/t/t7064-wtstatus-pv2.sh @@ -462,6 +462,7 @@ test_expect_success 'create and add submodule, submodule appears clean (A. S...) git checkout initial-branch && git clone . sub_repo && git clone . super_repo && + test_config_global protocol.file.allow always && ( cd super_repo && git submodule add ../sub_repo sub1 && diff --git a/t/t7300-clean.sh b/t/t7300-clean.sh index cb5e34d94c3a16..713f113a4a748f 100755 --- a/t/t7300-clean.sh +++ b/t/t7300-clean.sh @@ -480,6 +480,7 @@ test_expect_success 'should not clean submodules' ' git init && test_commit msg hello.world ) && + test_config_global protocol.file.allow always && git submodule add ./repo/.git sub1 && git commit -m "sub1" && git branch before_sub2 && diff --git a/t/t7400-submodule-basic.sh b/t/t7400-submodule-basic.sh index fec7e0299dec26..bf1a4dfadb1682 100755 --- a/t/t7400-submodule-basic.sh +++ b/t/t7400-submodule-basic.sh @@ -11,6 +11,10 @@ subcommands of git submodule. . ./test-lib.sh +test_expect_success 'setup - enable local submodules' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule deinit works on empty repository' ' git submodule deinit --all ' diff --git a/t/t7403-submodule-sync.sh b/t/t7403-submodule-sync.sh index 0726799e74e7a5..3bc904bacbc716 100755 --- a/t/t7403-submodule-sync.sh +++ b/t/t7403-submodule-sync.sh @@ -11,6 +11,8 @@ These tests exercise the "git submodule sync" subcommand. . ./test-lib.sh test_expect_success setup ' + git config --global protocol.file.allow always && + echo file >file && git add file && test_tick && diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh index acb8766ac260a6..328b9b70129591 100755 --- a/t/t7406-submodule-update.sh +++ b/t/t7406-submodule-update.sh @@ -22,6 +22,7 @@ compare_head() test_expect_success 'setup a submodule tree' ' + git config --global protocol.file.allow always && echo file > file && git add file && test_tick && diff --git a/t/t7407-submodule-foreach.sh b/t/t7407-submodule-foreach.sh index 6b2aa917e11871..a3404ac3306e25 100755 --- a/t/t7407-submodule-foreach.sh +++ b/t/t7407-submodule-foreach.sh @@ -13,6 +13,7 @@ that are currently checked out. test_expect_success 'setup a submodule tree' ' + git config --global protocol.file.allow always && echo file > file && git add file && test_tick && diff --git a/t/t7408-submodule-reference.sh b/t/t7408-submodule-reference.sh index a3892f494b68c8..02feb857796268 100755 --- a/t/t7408-submodule-reference.sh +++ b/t/t7408-submodule-reference.sh @@ -17,6 +17,10 @@ test_alternate_is_used () { test_cmp expect actual } +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'preparing first repository' ' test_create_repo A && ( diff --git a/t/t7409-submodule-detached-work-tree.sh b/t/t7409-submodule-detached-work-tree.sh index fc018e3638a8be..e12eed5a30135c 100755 --- a/t/t7409-submodule-detached-work-tree.sh +++ b/t/t7409-submodule-detached-work-tree.sh @@ -12,6 +12,10 @@ on detached working trees TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule on detached working tree' ' git init --bare remote && test_create_repo bundle1 && diff --git a/t/t7411-submodule-config.sh b/t/t7411-submodule-config.sh index ad28e9388053c4..c583c4e373ad0d 100755 --- a/t/t7411-submodule-config.sh +++ b/t/t7411-submodule-config.sh @@ -12,6 +12,9 @@ from the database and from the worktree works. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' test_expect_success 'submodule config cache setup' ' mkdir submodule && (cd submodule && diff --git a/t/t7413-submodule-is-active.sh b/t/t7413-submodule-is-active.sh index c8e7e983317610..c8b5ac2928f5a9 100755 --- a/t/t7413-submodule-is-active.sh +++ b/t/t7413-submodule-is-active.sh @@ -9,6 +9,7 @@ submodules which are "active" and interesting to the user. . ./test-lib.sh test_expect_success 'setup' ' + git config --global protocol.file.allow always && git init sub && test_commit -C sub initial && git init super && diff --git a/t/t7414-submodule-mistakes.sh b/t/t7414-submodule-mistakes.sh index f2e7df59cf24c2..cf95603d7d7204 100755 --- a/t/t7414-submodule-mistakes.sh +++ b/t/t7414-submodule-mistakes.sh @@ -30,7 +30,8 @@ test_expect_success 'no warning when updating entry' ' test_expect_success 'submodule add does not warn' ' test_when_finished "git rm -rf submodule .gitmodules" && - git submodule add ./embed submodule 2>stderr && + git -c protocol.file.allow=always \ + submodule add ./embed submodule 2>stderr && test_i18ngrep ! warning stderr ' diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh index f70368bc2e9d42..f37456f15b260f 100755 --- a/t/t7415-submodule-names.sh +++ b/t/t7415-submodule-names.sh @@ -8,6 +8,10 @@ real-world setup that confirms we catch this in practice. . ./test-lib.sh . "$TEST_DIRECTORY"/lib-pack.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'check names' ' cat >expect <<-\EOF && valid diff --git a/t/t7416-submodule-dash-url.sh b/t/t7416-submodule-dash-url.sh index d21dc8b009f6d0..3ebd98598144c9 100755 --- a/t/t7416-submodule-dash-url.sh +++ b/t/t7416-submodule-dash-url.sh @@ -3,6 +3,10 @@ test_description='check handling of disallowed .gitmodule urls' . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'create submodule with protected dash in url' ' git init upstream && git -C upstream commit --allow-empty -m base && diff --git a/t/t7417-submodule-path-url.sh b/t/t7417-submodule-path-url.sh index f7e7e94d7b6cfe..b17d18034a3b12 100755 --- a/t/t7417-submodule-path-url.sh +++ b/t/t7417-submodule-path-url.sh @@ -3,6 +3,10 @@ test_description='check handling of .gitmodule path with dash' . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'create submodule with dash in path' ' git init upstream && git -C upstream commit --allow-empty -m base && diff --git a/t/t7418-submodule-sparse-gitmodules.sh b/t/t7418-submodule-sparse-gitmodules.sh index 3f7f27188313fb..16331c34c44641 100755 --- a/t/t7418-submodule-sparse-gitmodules.sh +++ b/t/t7418-submodule-sparse-gitmodules.sh @@ -14,6 +14,10 @@ also by committing .gitmodules and then just removing it from the filesystem. . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'sparse checkout setup which hides .gitmodules' ' git init upstream && git init submodule && diff --git a/t/t7419-submodule-set-branch.sh b/t/t7419-submodule-set-branch.sh index 3b925c302fc4e2..5357093e98ffbd 100755 --- a/t/t7419-submodule-set-branch.sh +++ b/t/t7419-submodule-set-branch.sh @@ -12,6 +12,10 @@ as expected. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule config cache setup' ' mkdir submodule && (cd submodule && diff --git a/t/t7420-submodule-set-url.sh b/t/t7420-submodule-set-url.sh index ef0cb6e8e18537..d6bf62b3ac670f 100755 --- a/t/t7420-submodule-set-url.sh +++ b/t/t7420-submodule-set-url.sh @@ -12,6 +12,10 @@ as expected. TEST_NO_CREATE_REPO=1 . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule config cache setup' ' mkdir submodule && ( diff --git a/t/t7421-submodule-summary-add.sh b/t/t7421-submodule-summary-add.sh index b070f13714a7ee..ce64d8b1372173 100755 --- a/t/t7421-submodule-summary-add.sh +++ b/t/t7421-submodule-summary-add.sh @@ -12,6 +12,10 @@ while making sure to add submodules using `git submodule add` instead of . ./test-lib.sh +test_expect_success 'setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'summary test environment setup' ' git init sm && test_commit -C sm "add file" file file-content file-tag && diff --git a/t/t7506-status-submodule.sh b/t/t7506-status-submodule.sh index 3fcb44767f5105..459300c40bb211 100755 --- a/t/t7506-status-submodule.sh +++ b/t/t7506-status-submodule.sh @@ -251,6 +251,7 @@ test_expect_success 'status with merge conflict in .gitmodules' ' test_create_repo_with_commit sub1 && test_tick && test_create_repo_with_commit sub2 && + test_config_global protocol.file.allow always && ( cd super && prev=$(git rev-parse HEAD) && @@ -326,6 +327,7 @@ test_expect_success 'diff --submodule with merge conflict in .gitmodules' ' # sub2 will have an untracked file # sub3 will have an untracked repository test_expect_success 'setup superproject with untracked file in nested submodule' ' + test_config_global protocol.file.allow always && ( cd super && git clean -dfx && diff --git a/t/t7507-commit-verbose.sh b/t/t7507-commit-verbose.sh index ed2653d46fe6cd..bd0ae4b1eabab4 100755 --- a/t/t7507-commit-verbose.sh +++ b/t/t7507-commit-verbose.sh @@ -74,6 +74,7 @@ test_expect_success 'diff in message is retained with -v' ' test_expect_success 'submodule log is stripped out too with -v' ' git config diff.submodule log && + test_config_global protocol.file.allow always && git submodule add ./. sub && git commit -m "sub added" && ( diff --git a/t/t7800-difftool.sh b/t/t7800-difftool.sh index a578b35761f2e9..cca50697b5166e 100755 --- a/t/t7800-difftool.sh +++ b/t/t7800-difftool.sh @@ -626,6 +626,7 @@ test_expect_success 'difftool --no-symlinks detects conflict ' ' test_expect_success 'difftool properly honors gitlink and core.worktree' ' test_when_finished rm -rf submod/ule && + test_config_global protocol.file.allow always && git submodule add ./. submod/ule && test_config -C submod/ule diff.tool checktrees && test_config -C submod/ule difftool.checktrees.cmd '\'' diff --git a/t/t7814-grep-recurse-submodules.sh b/t/t7814-grep-recurse-submodules.sh index 828cb3ba5818fd..f465c0d1403c97 100755 --- a/t/t7814-grep-recurse-submodules.sh +++ b/t/t7814-grep-recurse-submodules.sh @@ -193,6 +193,7 @@ test_expect_success !MINGW 'grep recurse submodule colon in name' ' git -C "su:b" commit -m "add fi:le" && test_tick && + test_config_global protocol.file.allow always && git -C parent submodule add "../su:b" "su:b" && git -C parent commit -m "add submodule" && test_tick && @@ -227,6 +228,7 @@ test_expect_success 'grep history with moved submoules' ' git -C sub commit -m "add file" && test_tick && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub dir/sub && git -C parent commit -m "add submodule" && test_tick && @@ -271,6 +273,7 @@ test_expect_success 'grep using relative path' ' mkdir parent/src && echo "(1|2)d(3|4)" >parent/src/file2 && git -C parent add src/file2 && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub && git -C parent commit -m "add files and submodule" && test_tick && @@ -313,6 +316,7 @@ test_expect_success 'grep from a subdir' ' mkdir parent/src && echo "(1|2)d(3|4)" >parent/src/file && git -C parent add src/file && + test_config_global protocol.file.allow always && git -C parent submodule add ../sub src/sub && git -C parent submodule add ../sub sub && git -C parent commit -m "add files and submodules" && From f4a32a550f9d40471fb42ed1e5c8612dfe4a83b1 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:21:53 -0400 Subject: [PATCH 10/33] t/t9NNN: allow local submodules To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that interact with submodules a handful of times use `test_config_global`. Signed-off-by: Taylor Blau --- t/t9304-fast-import-marks.sh | 1 + t/t9350-fast-export.sh | 2 ++ 2 files changed, 3 insertions(+) diff --git a/t/t9304-fast-import-marks.sh b/t/t9304-fast-import-marks.sh index d4359dba21c9cf..73f3ca2b115015 100755 --- a/t/t9304-fast-import-marks.sh +++ b/t/t9304-fast-import-marks.sh @@ -25,6 +25,7 @@ test_expect_success 'import with large marks file' ' ' test_expect_success 'setup dump with submodule' ' + test_config_global protocol.file.allow always && git submodule add "$PWD" sub && git commit -m "add submodule" && git fast-export HEAD >dump diff --git a/t/t9350-fast-export.sh b/t/t9350-fast-export.sh index 137284255998dd..703428fd0a3f39 100755 --- a/t/t9350-fast-export.sh +++ b/t/t9350-fast-export.sh @@ -265,6 +265,7 @@ test_expect_success 'signed-tags=warn-strip' ' test_expect_success 'setup submodule' ' + test_config_global protocol.file.allow always && git checkout -f master && mkdir sub && ( @@ -290,6 +291,7 @@ test_expect_success 'setup submodule' ' test_expect_success 'submodule fast-export | fast-import' ' + test_config_global protocol.file.allow always && SUBENT1=$(git ls-tree master^ sub) && SUBENT2=$(git ls-tree master sub) && rm -rf new && From a1d4f67c12ac172f835e6d5e4e0a197075e2146b Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 29 Jul 2022 15:22:13 -0400 Subject: [PATCH 11/33] transport: make `protocol.file.allow` be "user" by default An earlier patch discussed and fixed a scenario where Git could be used as a vector to exfiltrate sensitive data through a Docker container when a potential victim clones a suspicious repository with local submodules that contain symlinks. That security hole has since been plugged, but a similar one still exists. Instead of convincing a would-be victim to clone an embedded submodule via the "file" protocol, an attacker could convince an individual to clone a repository that has a submodule pointing to a valid path on the victim's filesystem. For example, if an individual (with username "foo") has their home directory ("/home/foo") stored as a Git repository, then an attacker could exfiltrate data by convincing a victim to clone a malicious repository containing a submodule pointing at "/home/foo/.git" with `--recurse-submodules`. Doing so would expose any sensitive contents in stored in "/home/foo" tracked in Git. For systems (such as Docker) that consider everything outside of the immediate top-level working directory containing a Dockerfile as inaccessible to the container (with the exception of volume mounts, and so on), this is a violation of trust by exposing unexpected contents in the working copy. To mitigate the likelihood of this kind of attack, adjust the "file://" protocol's default policy to be "user" to prevent commands that execute without user input (including recursive submodule initialization) from taking place by default. Suggested-by: Jeff King Signed-off-by: Taylor Blau --- Documentation/config/protocol.txt | 6 +++--- transport.c | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt index 756591d77b080c..799389132f07b5 100644 --- a/Documentation/config/protocol.txt +++ b/Documentation/config/protocol.txt @@ -1,10 +1,10 @@ protocol.allow:: If set, provide a user defined default policy for all protocols which don't explicitly have a policy (`protocol..allow`). By default, - if unset, known-safe protocols (http, https, git, ssh, file) have a + if unset, known-safe protocols (http, https, git, ssh) have a default policy of `always`, known-dangerous protocols (ext) have a - default policy of `never`, and all other protocols have a default - policy of `user`. Supported policies: + default policy of `never`, and all other protocols (including file) + have a default policy of `user`. Supported policies: + -- diff --git a/transport.c b/transport.c index 679a35e7c1b616..d2e3a90de16651 100644 --- a/transport.c +++ b/transport.c @@ -964,8 +964,7 @@ static enum protocol_allow_config get_protocol_config(const char *type) if (!strcmp(type, "http") || !strcmp(type, "https") || !strcmp(type, "git") || - !strcmp(type, "ssh") || - !strcmp(type, "file")) + !strcmp(type, "ssh")) return PROTOCOL_ALLOW_ALWAYS; /* known scary; err on the side of caution */ From 32696a4cbe90929ae79ea442f5102c513ce3dfaa Mon Sep 17 00:00:00 2001 From: Jeff King Date: Wed, 28 Sep 2022 18:50:36 -0400 Subject: [PATCH 12/33] shell: add basic tests We have no tests of even basic functionality of git-shell. Let's add a couple of obvious ones. This will serve as a framework for adding tests for new things we fix, as well as making sure we don't screw anything up too badly while doing so. Signed-off-by: Jeff King Signed-off-by: Taylor Blau --- t/t9850-shell.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100755 t/t9850-shell.sh diff --git a/t/t9850-shell.sh b/t/t9850-shell.sh new file mode 100755 index 00000000000000..2af476c3afcf0a --- /dev/null +++ b/t/t9850-shell.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +test_description='git shell tests' +. ./test-lib.sh + +test_expect_success 'shell allows upload-pack' ' + printf 0000 >input && + git upload-pack . expect && + git shell -c "git-upload-pack $SQ.$SQ" actual && + test_cmp expect actual +' + +test_expect_success 'shell forbids other commands' ' + test_must_fail git shell -c "git config foo.bar baz" +' + +test_expect_success 'shell forbids interactive use by default' ' + test_must_fail git shell +' + +test_expect_success 'shell allows interactive command' ' + mkdir git-shell-commands && + write_script git-shell-commands/ping <<-\EOF && + echo pong + EOF + echo pong >expect && + echo ping | git shell >actual && + test_cmp expect actual +' + +test_done From 71ad7fe1bcec2a115bd0ab187240348358aa7f21 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Wed, 28 Sep 2022 18:52:48 -0400 Subject: [PATCH 13/33] shell: limit size of interactive commands When git-shell is run in interactive mode (which must be enabled by creating $HOME/git-shell-commands), it reads commands from stdin, one per line, and executes them. We read the commands with git_read_line_interactively(), which uses a strbuf under the hood. That means we'll accept an input of arbitrary size (limited only by how much heap we can allocate). That creates two problems: - the rest of the code is not prepared to handle large inputs. The most serious issue here is that split_cmdline() uses "int" for most of its types, which can lead to integer overflow and out-of-bounds array reads and writes. But even with that fixed, we assume that we can feed the command name to snprintf() (via xstrfmt()), which is stuck for historical reasons using "int", and causes it to fail (and even trigger a BUG() call). - since the point of git-shell is to take input from untrusted or semi-trusted clients, it's a mild denial-of-service. We'll allocate as many bytes as the client sends us (actually twice as many, since we immediately duplicate the buffer). We can fix both by just limiting the amount of per-command input we're willing to receive. We should also fix split_cmdline(), of course, which is an accident waiting to happen, but that can come on top. Most calls to split_cmdline(), including the other one in git-shell, are OK because they are reading from an OS-provided argv, which is limited in practice. This patch should eliminate the immediate vulnerabilities. I picked 4MB as an arbitrary limit. It's big enough that nobody should ever run into it in practice (since the point is to run the commands via exec, we're subject to OS limits which are typically much lower). But it's small enough that allocating it isn't that big a deal. The code is mostly just swapping out fgets() for the strbuf call, but we have to add a few niceties like flushing and trimming line endings. We could simplify things further by putting the buffer on the stack, but 4MB is probably a bit much there. Note that we'll _always_ allocate 4MB, which for normal, non-malicious requests is more than we would before this patch. But on the other hand, other git programs are happy to use 96MB for a delta cache. And since we'd never touch most of those pages, on a lazy-allocating OS like Linux they won't even get allocated to actual RAM. The ideal would be a version of strbuf_getline() that accepted a maximum value. But for a minimal vulnerability fix, let's keep things localized and simple. We can always refactor further on top. The included test fails in an obvious way with ASan or UBSan (which notice the integer overflow and out-of-bounds reads). Without them, it fails in a less obvious way: we may segfault, or we may try to xstrfmt() a long string, leading to a BUG(). Either way, it fails reliably before this patch, and passes with it. Note that we don't need an EXPENSIVE prereq on it. It does take 10-15s to fail before this patch, but with the new limit, we fail almost immediately (and the perl process generating 2GB of data exits via SIGPIPE). Signed-off-by: Jeff King Signed-off-by: Taylor Blau --- shell.c | 34 ++++++++++++++++++++++++++++++---- t/t9850-shell.sh | 6 ++++++ 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/shell.c b/shell.c index cef7ffdc9e1d30..02cfd9627fa218 100644 --- a/shell.c +++ b/shell.c @@ -47,6 +47,8 @@ static void cd_to_homedir(void) die("could not chdir to user's home directory"); } +#define MAX_INTERACTIVE_COMMAND (4*1024*1024) + static void run_shell(void) { int done = 0; @@ -67,22 +69,46 @@ static void run_shell(void) run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE); do { - struct strbuf line = STRBUF_INIT; const char *prog; char *full_cmd; char *rawargs; + size_t len; char *split_args; const char **argv; int code; int count; fprintf(stderr, "git> "); - if (git_read_line_interactively(&line) == EOF) { + + /* + * Avoid using a strbuf or git_read_line_interactively() here. + * We don't want to allocate arbitrary amounts of memory on + * behalf of a possibly untrusted client, and we're subject to + * OS limits on command length anyway. + */ + fflush(stdout); + rawargs = xmalloc(MAX_INTERACTIVE_COMMAND); + if (!fgets(rawargs, MAX_INTERACTIVE_COMMAND, stdin)) { fprintf(stderr, "\n"); - strbuf_release(&line); + free(rawargs); break; } - rawargs = strbuf_detach(&line, NULL); + len = strlen(rawargs); + + /* + * If we truncated due to our input buffer size, reject the + * command. That's better than running bogus input, and + * there's a good chance it's just malicious garbage anyway. + */ + if (len >= MAX_INTERACTIVE_COMMAND - 1) + die("invalid command format: input too long"); + + if (len > 0 && rawargs[len - 1] == '\n') { + if (--len > 0 && rawargs[len - 1] == '\r') + --len; + rawargs[len] = '\0'; + } + split_args = xstrdup(rawargs); count = split_cmdline(split_args, &argv); if (count < 0) { diff --git a/t/t9850-shell.sh b/t/t9850-shell.sh index 2af476c3afcf0a..cfc71c3bd43187 100755 --- a/t/t9850-shell.sh +++ b/t/t9850-shell.sh @@ -28,4 +28,10 @@ test_expect_success 'shell allows interactive command' ' test_cmp expect actual ' +test_expect_success 'shell complains of overlong commands' ' + perl -e "print \"a\" x 2**12 for (0..2**19)" | + test_must_fail git shell 2>err && + grep "too long" err +' + test_done From 0ca6ead81edd4fb1984b69aae87c1189e3025530 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Wed, 28 Sep 2022 18:53:32 -0400 Subject: [PATCH 14/33] alias.c: reject too-long cmdline strings in split_cmdline() This function improperly uses an int to represent the number of entries in the resulting argument array. This allows a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting argv array is typically passed to execv(), it may be possible to leverage this attack to gain remote code execution on a victim machine. This was almost certainly the case for certain configurations of git-shell until the previous commit limited the size of input it would accept. Other calls to split_cmdline() are typically limited by the size of argv the OS is willing to hand us, so are similarly protected. So this is not strictly fixing a known vulnerability, but is a hardening of the function that is worth doing to protect against possible unknown vulnerabilities. One approach to fixing this would be modifying the signature of `split_cmdline()` to look something like: int split_cmdline(char *cmdline, const char ***argv, size_t *argc); Where the return value of `split_cmdline()` is negative for errors, and zero otherwise. If non-NULL, the `*argc` pointer is modified to contain the size of the `**argv` array. But this implies an absurdly large `argv` array, which more than likely larger than the system's argument limit. So even if split_cmdline() allowed this, it would fail immediately afterwards when we called execv(). So instead of converting all of `split_cmdline()`'s callers to work with `size_t` types in this patch, instead pursue the minimal fix here to prevent ever returning an array with more than INT_MAX entries in it. Signed-off-by: Kevin Backhouse Signed-off-by: Taylor Blau Signed-off-by: Jeff King Signed-off-by: Taylor Blau --- alias.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/alias.c b/alias.c index c4715380205b5f..00abde08173943 100644 --- a/alias.c +++ b/alias.c @@ -46,14 +46,16 @@ void list_aliases(struct string_list *list) #define SPLIT_CMDLINE_BAD_ENDING 1 #define SPLIT_CMDLINE_UNCLOSED_QUOTE 2 +#define SPLIT_CMDLINE_ARGC_OVERFLOW 3 static const char *split_cmdline_errors[] = { N_("cmdline ends with \\"), - N_("unclosed quote") + N_("unclosed quote"), + N_("too many arguments"), }; int split_cmdline(char *cmdline, const char ***argv) { - int src, dst, count = 0, size = 16; + size_t src, dst, count = 0, size = 16; char quoted = 0; ALLOC_ARRAY(*argv, size); @@ -96,6 +98,11 @@ int split_cmdline(char *cmdline, const char ***argv) return -SPLIT_CMDLINE_UNCLOSED_QUOTE; } + if (count >= INT_MAX) { + FREE_AND_NULL(*argv); + return -SPLIT_CMDLINE_ARGC_OVERFLOW; + } + ALLOC_GROW(*argv, count + 1, size); (*argv)[count] = NULL; From 4a7dab5ce429c4a2badbfd49e1f794c1229b20e4 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 15/33] t1092: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t1092 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t1092-sparse-checkout-compatibility.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/t/t1092-sparse-checkout-compatibility.sh b/t/t1092-sparse-checkout-compatibility.sh index e9a815ca7aaaa8..141a7bc65b8361 100755 --- a/t/t1092-sparse-checkout-compatibility.sh +++ b/t/t1092-sparse-checkout-compatibility.sh @@ -390,6 +390,8 @@ test_expect_success 'submodule handling' ' test_all_match git add modules && test_all_match git commit -m "add modules directory" && + test_config_global protocol.file.allow always && + run_on_all git submodule add "$(pwd)/initial-repo" modules/sub && test_all_match git commit -m "add submodule" && From 067aa8fb41d09814d26f82515573b067feba87ba Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:48:56 -0400 Subject: [PATCH 16/33] t2080: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t1092 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t2080-parallel-checkout-basics.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/t/t2080-parallel-checkout-basics.sh b/t/t2080-parallel-checkout-basics.sh index 3e0f8c675f7bf8..393ba3545e71c4 100755 --- a/t/t2080-parallel-checkout-basics.sh +++ b/t/t2080-parallel-checkout-basics.sh @@ -41,6 +41,8 @@ TEST_NO_CREATE_REPO=1 # - m/m (file) # test_expect_success 'setup repo for checkout with various types of changes' ' + test_config_global protocol.file.allow always && + git init sub && ( cd sub && @@ -140,6 +142,7 @@ do esac test_expect_success "$mode checkout on clone" ' + test_config_global protocol.file.allow always && repo=various_${mode}_clone && set_checkout_config $workers $threshold && test_checkout_workers $expected_workers \ From 092d3a2bf97abd6153313686bb2580e6421a1d34 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 17/33] t1092: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t1092 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t1092-sparse-checkout-compatibility.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/t/t1092-sparse-checkout-compatibility.sh b/t/t1092-sparse-checkout-compatibility.sh index 4ba16177528c92..522c760ca89518 100755 --- a/t/t1092-sparse-checkout-compatibility.sh +++ b/t/t1092-sparse-checkout-compatibility.sh @@ -793,6 +793,8 @@ test_expect_success 'submodule handling' ' test_all_match git add modules && test_all_match git commit -m "add modules directory" && + test_config_global protocol.file.allow always && + run_on_all git submodule add "$(pwd)/initial-repo" modules/sub && test_all_match git commit -m "add submodule" && From ef374dd9b8eecaf84458677865732b89948c19be Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:48:56 -0400 Subject: [PATCH 18/33] t2080: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t1092 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t2080-parallel-checkout-basics.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/t/t2080-parallel-checkout-basics.sh b/t/t2080-parallel-checkout-basics.sh index 3e0f8c675f7bf8..393ba3545e71c4 100755 --- a/t/t2080-parallel-checkout-basics.sh +++ b/t/t2080-parallel-checkout-basics.sh @@ -41,6 +41,8 @@ TEST_NO_CREATE_REPO=1 # - m/m (file) # test_expect_success 'setup repo for checkout with various types of changes' ' + test_config_global protocol.file.allow always && + git init sub && ( cd sub && @@ -140,6 +142,7 @@ do esac test_expect_success "$mode checkout on clone" ' + test_config_global protocol.file.allow always && repo=various_${mode}_clone && set_checkout_config $workers $threshold && test_checkout_workers $expected_workers \ From e175fb5767f90291d7156960f4a33d726175fff2 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 19/33] t3207: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t3207 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t3207-branch-submodule.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/t3207-branch-submodule.sh b/t/t3207-branch-submodule.sh index cfde6b237f5dc4..fe72b247164e56 100755 --- a/t/t3207-branch-submodule.sh +++ b/t/t3207-branch-submodule.sh @@ -28,6 +28,7 @@ test_no_branch () { } test_expect_success 'setup superproject and submodule' ' + git config --global protocol.file.allow always && mkdir test_dirs && ( cd test_dirs && From c193e6bbee370a2fc4caae81bf4a2c7be122bc3f Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 20/33] t5516: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t5516 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t5516-fetch-push.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh index 4dfb080433e0a0..6d5702fd0e5573 100755 --- a/t/t5516-fetch-push.sh +++ b/t/t5516-fetch-push.sh @@ -216,6 +216,7 @@ test_expect_success 'push with negotiation proceeds anyway even if negotiation f test_expect_success 'push with negotiation does not attempt to fetch submodules' ' mk_empty submodule_upstream && test_commit -C submodule_upstream submodule_commit && + test_config_global protocol.file.allow always && git submodule add ./submodule_upstream submodule && mk_empty testrepo && git push testrepo $the_first_commit:refs/remotes/origin/first_commit && From 59f2f80280860e9796661876b4a2cd673448898d Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 21/33] t5537: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t5537 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t5537-fetch-shallow.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/t/t5537-fetch-shallow.sh b/t/t5537-fetch-shallow.sh index 92948de7a0083b..9573a2655efb9d 100755 --- a/t/t5537-fetch-shallow.sh +++ b/t/t5537-fetch-shallow.sh @@ -162,6 +162,8 @@ test_expect_success 'fetch --update-shallow' ' ' test_expect_success 'fetch --update-shallow into a repo with submodules' ' + test_config_global protocol.file.allow always && + git init a-submodule && test_commit -C a-submodule foo && git init repo-with-sub && From 8a7bfa0fd3af2d39be1a808774005c78575908d1 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 22/33] t7814: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t7814 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t7814-grep-recurse-submodules.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/t7814-grep-recurse-submodules.sh b/t/t7814-grep-recurse-submodules.sh index a4476dc4922042..9a23a52ac149de 100755 --- a/t/t7814-grep-recurse-submodules.sh +++ b/t/t7814-grep-recurse-submodules.sh @@ -546,6 +546,7 @@ test_expect_failure 'grep saves textconv cache in the appropriate repository' ' test_expect_success 'grep partially-cloned submodule' ' # Set up clean superproject and submodule for partial cloning. + test_config_global protocol.file.allow always && git init super && git init super/sub && ( From 541607d9348307ac4bc4245a913672eacc4f6e61 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 23/33] t3206: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t3206 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t3206-range-diff.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/t3206-range-diff.sh b/t/t3206-range-diff.sh index d12e4e4cc6c640..03d4df2359e013 100755 --- a/t/t3206-range-diff.sh +++ b/t/t3206-range-diff.sh @@ -782,7 +782,7 @@ test_expect_success 'submodule changes are shown irrespective of diff.submodule' sub_oid3=$(git -C sub-repo rev-parse HEAD) && git checkout -b main-sub topic && - git submodule add ./sub-repo sub && + git -c protocol.file.allow=always submodule add ./sub-repo sub && git -C sub checkout --detach sub-first && git commit -m "add sub" sub && sup_oid1=$(git rev-parse --short HEAD) && From d9fcaeece2ff946dc3648a22252a92c5400fabe0 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 24/33] t5537: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t5537 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t5537-fetch-shallow.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/t/t5537-fetch-shallow.sh b/t/t5537-fetch-shallow.sh index 10e9a7ff264189..dc7a8242547ffb 100755 --- a/t/t5537-fetch-shallow.sh +++ b/t/t5537-fetch-shallow.sh @@ -175,7 +175,8 @@ test_expect_success 'fetch --update-shallow into a repo with submodules' ' test_expect_success 'fetch --update-shallow a commit that is also a shallow point into a repo with submodules' ' test_when_finished "rm -rf repo-with-sub" && git init repo-with-sub && - git -C repo-with-sub submodule add ../a-submodule a-submodule && + git -c protocol.file.allow=always -C repo-with-sub \ + submodule add ../a-submodule a-submodule && git -C repo-with-sub commit -m "added submodule" && SHALLOW=$(cat shallow/.git/shallow) && From abd4d67ab0f84fff703fa14d9eebfd287b42daeb Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:32:10 -0400 Subject: [PATCH 25/33] Git 2.30.6 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.30.6.txt | 60 +++++++++++++++++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.30.6.txt diff --git a/Documentation/RelNotes/2.30.6.txt b/Documentation/RelNotes/2.30.6.txt new file mode 100644 index 00000000000000..d649071b79462b --- /dev/null +++ b/Documentation/RelNotes/2.30.6.txt @@ -0,0 +1,60 @@ +Git v2.30.6 Release Notes +========================= + +This release addresses the security issues CVE-2022-39253 and +CVE-2022-39260. + +Fixes since v2.30.5 +------------------- + + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + +Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The +fix was authored by Taylor Blau, with help from Johannes Schindelin. + +Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub. +The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau. + + +Jeff King (2): + shell: add basic tests + shell: limit size of interactive commands + +Kevin Backhouse (1): + alias.c: reject too-long cmdline strings in split_cmdline() + +Taylor Blau (11): + builtin/clone.c: disallow `--local` clones with symlinks + t/lib-submodule-update.sh: allow local submodules + t/t1NNN: allow local submodules + t/2NNNN: allow local submodules + t/t3NNN: allow local submodules + t/t4NNN: allow local submodules + t/t5NNN: allow local submodules + t/t6NNN: allow local submodules + t/t7NNN: allow local submodules + t/t9NNN: allow local submodules + transport: make `protocol.file.allow` be "user" by default diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 39d0c99da6c5c2..40fa0b5255b585 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.30.5 +DEF_VER=v2.30.6 LF=' ' diff --git a/RelNotes b/RelNotes index 406d23844b3572..018a28eb07c759 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.30.5.txt \ No newline at end of file +Documentation/RelNotes/2.30.6.txt \ No newline at end of file From ecf9b4a443ecd2c7dc759e5d18f226694bc3eced Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:56:02 -0400 Subject: [PATCH 26/33] Git 2.31.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.31.5.txt | 5 +++++ RelNotes | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 Documentation/RelNotes/2.31.5.txt diff --git a/Documentation/RelNotes/2.31.5.txt b/Documentation/RelNotes/2.31.5.txt new file mode 100644 index 00000000000000..0d87e6e03fc78b --- /dev/null +++ b/Documentation/RelNotes/2.31.5.txt @@ -0,0 +1,5 @@ +Git v2.31.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/RelNotes b/RelNotes index 7ef30395e17a66..6ed6c0c01448ff 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.31.4.txt \ No newline at end of file +Documentation/RelNotes/2.31.5.txt \ No newline at end of file From af778cd9be6307e34f9f900fd42eb826c65b32da Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:00:58 -0400 Subject: [PATCH 27/33] Git 2.32.4 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.32.4.txt | 5 +++++ RelNotes | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 Documentation/RelNotes/2.32.4.txt diff --git a/Documentation/RelNotes/2.32.4.txt b/Documentation/RelNotes/2.32.4.txt new file mode 100644 index 00000000000000..76c67b209ef115 --- /dev/null +++ b/Documentation/RelNotes/2.32.4.txt @@ -0,0 +1,5 @@ +Git v2.32.4 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/RelNotes b/RelNotes index 3bfb2b6297f44a..2626c7807b4af1 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.32.3.txt \ No newline at end of file +Documentation/RelNotes/2.32.4.txt \ No newline at end of file From 7800e1dccf622ba8d490b4c1c92af734be6242ff Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:04:26 -0400 Subject: [PATCH 28/33] Git 2.33.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.33.5.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.33.5.txt diff --git a/Documentation/RelNotes/2.33.5.txt b/Documentation/RelNotes/2.33.5.txt new file mode 100644 index 00000000000000..a63652602b2cff --- /dev/null +++ b/Documentation/RelNotes/2.33.5.txt @@ -0,0 +1,5 @@ +Git v2.33.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 473746835bf194..d7948f16534a0e 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.33.4 +DEF_VER=v2.33.5 LF=' ' diff --git a/RelNotes b/RelNotes index 6cb6ec27dc967d..9589e5e0e91832 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.33.4.txt \ No newline at end of file +Documentation/RelNotes/2.33.5.txt \ No newline at end of file From be85cfc4dbef9ffa177770f8607fd4a85445565e Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:22:02 -0400 Subject: [PATCH 29/33] Git 2.34.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.34.5.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.34.5.txt diff --git a/Documentation/RelNotes/2.34.5.txt b/Documentation/RelNotes/2.34.5.txt new file mode 100644 index 00000000000000..0e8999204d457c --- /dev/null +++ b/Documentation/RelNotes/2.34.5.txt @@ -0,0 +1,5 @@ +Git v2.34.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 9e2cf5d43d5f25..87ff922834a11d 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.34.4 +DEF_VER=v2.34.5 LF=' ' diff --git a/RelNotes b/RelNotes index 9041e1b0fefc07..e3bb08499b7a23 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.34.4.txt \ No newline at end of file +Documentation/RelNotes/2.34.5.txt \ No newline at end of file From 868154bb1c08a547afaf74ed8bafdf9bf55d1fd5 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:25:26 -0400 Subject: [PATCH 30/33] Git 2.35.5 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.35.5.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.35.5.txt diff --git a/Documentation/RelNotes/2.35.5.txt b/Documentation/RelNotes/2.35.5.txt new file mode 100644 index 00000000000000..e19cc48b334e36 --- /dev/null +++ b/Documentation/RelNotes/2.35.5.txt @@ -0,0 +1,5 @@ +Git v2.35.5 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 676238effd3dbe..97ea90dca54bb7 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.35.4 +DEF_VER=v2.35.5 LF=' ' diff --git a/RelNotes b/RelNotes index b1d7b2b7a879fd..9d822d1b095d88 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.35.4.txt \ No newline at end of file +Documentation/RelNotes/2.35.5.txt \ No newline at end of file From fcdaa211e6127eeba69a121844e08aec67da2131 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 17:37:57 -0400 Subject: [PATCH 31/33] Git 2.36.3 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.36.3.txt | 5 +++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.36.3.txt diff --git a/Documentation/RelNotes/2.36.3.txt b/Documentation/RelNotes/2.36.3.txt new file mode 100644 index 00000000000000..56db77b5bdbd20 --- /dev/null +++ b/Documentation/RelNotes/2.36.3.txt @@ -0,0 +1,5 @@ +Git v2.36.3 Release Notes +========================= + +This release merges the security fix that appears in v2.30.6; see +the release notes for that version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 12f26c83d68016..bb8cba6f163bae 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.36.2 +DEF_VER=v2.36.3 LF=' ' diff --git a/RelNotes b/RelNotes index f4c4f698c1f7c2..1c3d9f780f124f 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.36.2.txt \ No newline at end of file +Documentation/RelNotes/2.36.3.txt \ No newline at end of file From 9a167cb7860d7ae7cd5685434d0194c934800128 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Fri, 30 Sep 2022 16:47:00 -0400 Subject: [PATCH 32/33] t7527: prepare for changing protocol.file.allow Explicitly cloning over the "file://" protocol in t7527 in preparation for merging a security release which will change the default value of this configuration to be "user". Signed-off-by: Taylor Blau --- t/t7527-builtin-fsmonitor.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/t/t7527-builtin-fsmonitor.sh b/t/t7527-builtin-fsmonitor.sh index 56c0dfffea6e73..d419085379ce6c 100755 --- a/t/t7527-builtin-fsmonitor.sh +++ b/t/t7527-builtin-fsmonitor.sh @@ -813,6 +813,10 @@ my_match_and_clean () { git -C super/dir_1/dir_2/sub clean -d -f } +test_expect_success 'submodule setup' ' + git config --global protocol.file.allow always +' + test_expect_success 'submodule always visited' ' test_when_finished "git -C super fsmonitor--daemon stop; \ rm -rf super; \ From 83d5e3341b69b3116675f13d2fab208a12c79e27 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 5 Oct 2022 20:12:39 -0400 Subject: [PATCH 33/33] Git 2.37.4 Signed-off-by: Taylor Blau --- GIT-VERSION-GEN | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index fb16249620d01d..2b855b6cb7f8b4 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.37.3 +DEF_VER=v2.37.4 LF=' '