From: "Elijah Newren via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Eric Sunshine <sunshine@sunshineco.com>,
Patrick Steinhardt <ps@pks.im>,
Kristoffer Haugsbakk <kristofferhaugsbakk@fastmail.com>,
Jeff King <peff@peff.net>, Elijah Newren <newren@gmail.com>,
Elijah Newren <newren@gmail.com>
Subject: [PATCH v2] fast-import: disallow more path components
Date: Sat, 30 Nov 2024 01:09:29 +0000 [thread overview]
Message-ID: <pull.1832.v2.git.1732928970059.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.1832.git.1732740464398.gitgitgadget@gmail.com>
From: Elijah Newren <newren@gmail.com>
Instead of just disallowing '.' and '..', make use of verify_path() to
ensure that fast-import will disallow anything we wouldn't allow into
the index, such as anything under .git/, .gitmodules as a symlink, or
a dos drive prefix on Windows.
Since a few fast-export and fast-import tests that tried to stress-test
the correct handling of quoting relied on filenames that fail
is_valid_win32_path(), such as spaces or periods at the end of filenames
or backslashes within the filename, turn off core.protectNTFS for those
tests to ensure they keep passing.
Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Elijah Newren <newren@gmail.com>
---
Disallow verify_path() failures from fast-import
Since en/fast-import-path-sanitize has already made it to next, this
commit is based on that. (See
https://lore.kernel.org/git/pull.1831.v2.git.1732561248717.gitgitgadget@gmail.com/
for discussion of that series.)
Changes relative to that commit: this fixes up the error message as
suggested by Kristoffer, and makes the checks more encompassing as
suggested by Patrick and Peff -- in particular, using verify_path() as
suggested by Peff.
Changes since v1:
* Moved the check to a higher level, as suggested by Peff.
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1832%2Fnewren%2Fdisallow-verify-path-fast-import-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1832/newren/disallow-verify-path-fast-import-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/1832
Range-diff vs v1:
1: 2c23d601112 ! 1: 787e9d71ae7 fast-import: disallow more path components
@@ Commit message
or backslashes within the filename, turn off core.protectNTFS for those
tests to ensure they keep passing.
+ Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Elijah Newren <newren@gmail.com>
## builtin/fast-import.c ##
@@ builtin/fast-import.c
#include "refs.h"
#include "csum-file.h"
#include "quote.h"
-@@ builtin/fast-import.c: static int tree_content_set(
- die("Empty path component found in input");
- if (!*slash1 && !S_ISDIR(mode) && subtree)
- die("Non-directories cannot have subtrees");
-+ if (!verify_path(p, mode))
-+ die("invalid path '%s'", p);
-
- if (!root->tree)
- load_tree(root);
@@ builtin/fast-import.c: static int tree_content_set(
root->tree = t = grow_tree_content(t, t->entry_count);
e = new_tree_entry();
@@ builtin/fast-import.c: static int tree_content_set(
e->versions[0].mode = 0;
oidclr(&e->versions[0].oid, the_repository->hash_algo);
t->entries[t->entry_count++] = e;
+@@ builtin/fast-import.c: static void file_change_m(const char *p, struct branch *b)
+ tree_content_replace(&b->branch_tree, &oid, mode, NULL);
+ return;
+ }
++
++ if (!verify_path(path.buf, mode))
++ die("invalid path '%s'", path.buf);
+ tree_content_set(&b->branch_tree, path.buf, &oid, mode, NULL);
+ }
+
+@@ builtin/fast-import.c: static void file_change_cr(const char *p, struct branch *b, int rename)
+ leaf.tree);
+ return;
+ }
++ if (!verify_path(dest.buf, leaf.versions[1].mode))
++ die("invalid path '%s'", dest.buf);
+ tree_content_set(&b->branch_tree, dest.buf,
+ &leaf.versions[1].oid,
+ leaf.versions[1].mode,
## t/t9300-fast-import.sh ##
@@ t/t9300-fast-import.sh: test_expect_success 'B: fail on invalid committer (5)' '
builtin/fast-import.c | 8 +++-
t/t9300-fast-import.sh | 88 ++++++++++++++++++++++++++++++++++++++++--
t/t9350-fast-export.sh | 2 +-
3 files changed, 91 insertions(+), 7 deletions(-)
diff --git a/builtin/fast-import.c b/builtin/fast-import.c
index 3e7ec1f1198..265d1b7d52b 100644
--- a/builtin/fast-import.c
+++ b/builtin/fast-import.c
@@ -13,6 +13,7 @@
#include "delta.h"
#include "pack.h"
#include "path.h"
+#include "read-cache-ll.h"
#include "refs.h"
#include "csum-file.h"
#include "quote.h"
@@ -1468,8 +1469,6 @@ static int tree_content_set(
root->tree = t = grow_tree_content(t, t->entry_count);
e = new_tree_entry();
e->name = to_atom(p, n);
- if (is_dot_or_dotdot(e->name->str_dat))
- die("path %s contains invalid component", p);
e->versions[0].mode = 0;
oidclr(&e->versions[0].oid, the_repository->hash_algo);
t->entries[t->entry_count++] = e;
@@ -2416,6 +2415,9 @@ static void file_change_m(const char *p, struct branch *b)
tree_content_replace(&b->branch_tree, &oid, mode, NULL);
return;
}
+
+ if (!verify_path(path.buf, mode))
+ die("invalid path '%s'", path.buf);
tree_content_set(&b->branch_tree, path.buf, &oid, mode, NULL);
}
@@ -2453,6 +2455,8 @@ static void file_change_cr(const char *p, struct branch *b, int rename)
leaf.tree);
return;
}
+ if (!verify_path(dest.buf, leaf.versions[1].mode))
+ die("invalid path '%s'", dest.buf);
tree_content_set(&b->branch_tree, dest.buf,
&leaf.versions[1].oid,
leaf.versions[1].mode,
diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
index 5a5127fffa7..e2b1db6bc2f 100755
--- a/t/t9300-fast-import.sh
+++ b/t/t9300-fast-import.sh
@@ -522,7 +522,7 @@ test_expect_success 'B: fail on invalid committer (5)' '
test_must_fail git fast-import <input
'
-test_expect_success 'B: fail on invalid file path' '
+test_expect_success 'B: fail on invalid file path of ..' '
cat >input <<-INPUT_END &&
blob
mark :1
@@ -542,6 +542,86 @@ test_expect_success 'B: fail on invalid file path' '
test_must_fail git fast-import <input
'
+test_expect_success 'B: fail on invalid file path of .' '
+ cat >input <<-INPUT_END &&
+ blob
+ mark :1
+ data <<EOF
+ File contents
+ EOF
+
+ commit refs/heads/badpath
+ committer Name <email> $GIT_COMMITTER_DATE
+ data <<COMMIT
+ Commit Message
+ COMMIT
+ M 100644 :1 ./invalid-path
+ INPUT_END
+
+ test_when_finished "git update-ref -d refs/heads/badpath" &&
+ test_must_fail git fast-import <input
+'
+
+test_expect_success WINDOWS 'B: fail on invalid file path of C:' '
+ cat >input <<-INPUT_END &&
+ blob
+ mark :1
+ data <<EOF
+ File contents
+ EOF
+
+ commit refs/heads/badpath
+ committer Name <email> $GIT_COMMITTER_DATE
+ data <<COMMIT
+ Commit Message
+ COMMIT
+ M 100644 :1 C:/invalid-path
+ INPUT_END
+
+ test_when_finished "git update-ref -d refs/heads/badpath" &&
+ test_must_fail git fast-import <input
+'
+
+test_expect_success 'B: fail on invalid file path of .git' '
+ cat >input <<-INPUT_END &&
+ blob
+ mark :1
+ data <<EOF
+ File contents
+ EOF
+
+ commit refs/heads/badpath
+ committer Name <email> $GIT_COMMITTER_DATE
+ data <<COMMIT
+ Commit Message
+ COMMIT
+ M 100644 :1 .git/invalid-path
+ INPUT_END
+
+ test_when_finished "git update-ref -d refs/heads/badpath" &&
+ test_must_fail git fast-import <input
+'
+
+test_expect_success 'B: fail on invalid file path of .gitmodules' '
+ cat >input <<-INPUT_END &&
+ blob
+ mark :1
+ data <<EOF
+ File contents
+ EOF
+
+ commit refs/heads/badpath
+ committer Name <email> $GIT_COMMITTER_DATE
+ data <<COMMIT
+ Commit Message
+ COMMIT
+ M 120000 :1 .gitmodules
+ INPUT_END
+
+ test_when_finished "git update-ref -d refs/heads/badpath" &&
+ test_must_fail git fast-import <input
+'
+
###
### series C
###
@@ -966,7 +1046,7 @@ test_expect_success 'L: verify internal tree sorting' '
:100644 100644 M ba
EXPECT_END
- git fast-import <input &&
+ git -c core.protectNTFS=false fast-import <input &&
GIT_PRINT_SHA1_ELLIPSIS="yes" git diff-tree --abbrev --raw L^ L >output &&
cut -d" " -f1,2,5 output >actual &&
test_cmp expect actual
@@ -3117,7 +3197,7 @@ test_path_eol_success () {
test_expect_success "S: paths at EOL with $test must work" '
test_when_finished "git branch -D S-path-eol" &&
- git fast-import --export-marks=marks.out <<-EOF >out 2>err &&
+ git -c core.protectNTFS=false fast-import --export-marks=marks.out <<-EOF >out 2>err &&
blob
mark :401
data <<BLOB
@@ -3226,7 +3306,7 @@ test_path_space_success () {
test_expect_success "S: paths before space with $test must work" '
test_when_finished "git branch -D S-path-space" &&
- git fast-import --export-marks=marks.out <<-EOF 2>err &&
+ git -c core.protectNTFS=false fast-import --export-marks=marks.out <<-EOF 2>err &&
blob
mark :401
data <<BLOB
diff --git a/t/t9350-fast-export.sh b/t/t9350-fast-export.sh
index 1eb035ee4ce..bb83e5accd9 100755
--- a/t/t9350-fast-export.sh
+++ b/t/t9350-fast-export.sh
@@ -631,7 +631,7 @@ test_expect_success 'fast-export quotes pathnames' '
git rev-list HEAD >expect &&
git init result &&
cd result &&
- git fast-import <../export.out &&
+ git -c core.protectNTFS=false fast-import <../export.out &&
git rev-list HEAD >actual &&
test_cmp ../expect actual
)
base-commit: 4a2790a257b314ab59f6f2e25f3d7ca120219922
--
gitgitgadget
next prev parent reply other threads:[~2024-11-30 1:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-27 20:47 [PATCH] fast-import: disallow more path components Elijah Newren via GitGitGadget
2024-11-28 0:22 ` Junio C Hamano
2024-11-28 16:12 ` Jeff King
2024-11-30 1:09 ` Elijah Newren via GitGitGadget [this message]
2024-12-01 21:40 ` [PATCH v2] " Jeff King
2024-12-03 8:01 ` Elijah Newren
2024-12-03 21:06 ` [PATCH 2/1] t9300: test verification of renamed paths Jeff King
2024-12-03 22:22 ` Elijah Newren
2024-12-04 0:15 ` Junio C Hamano
2024-12-03 22:17 ` [PATCH v2] fast-import: disallow more path components Junio C Hamano
2024-12-02 1:04 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=pull.1832.v2.git.1732928970059.gitgitgadget@gmail.com \
--to=gitgitgadget@gmail.com \
--cc=git@vger.kernel.org \
--cc=kristofferhaugsbakk@fastmail.com \
--cc=newren@gmail.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.