[PATCH v2 0/4] Sanitize sideband channel messages

["Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>]

Git's sideband channel passes server output directly to the client terminal
without sanitization. This includes progress messages, error output, and
diagnostics from remote hooks during clone, fetch, and push operations.

This creates an ANSI escape sequence injection vulnerability (CWE-150
[https://cwe.mitre.org/data/definitions/150.html]). A malicious or
compromised server can corrupt terminal state, obscure information, or
inject characters into the terminal's input buffer. The client has no
mechanism to distinguish between legitimate output and attack sequences.

This series fixes the vulnerability by sanitizing control characters in the
sideband output. ANSI color sequences (SGR codes) pass through by default,
since server-side hooks exist that use these for visibility (e.g.
https://github.com/kikeonline/githook-explode). By default, all other
control characters are rendered in caret notation (e.g., ESC becomes ^[).

Users who need different behavior get configuration options:
sideband.allowControlCharacters provides an escape hatch for environments
that require raw passthrough. The defaults are secure.

Note: This series applies cleanly on v2.47.3.

Changes since v1:

 * Applied the suggestions by Phillip and brian.
 * Rebased onto v2.47.3.
 * Added more categories of ANSI Escape sequences that can be enabled (but
   that are off by default because they could be used to hide information).

Johannes Schindelin (4):
  sideband: mask control characters
  sideband: introduce an "escape hatch" to allow control characters
  sideband: do allow ANSI color sequences by default
  sideband: add options to allow more control sequences to be passed
    through

 Documentation/config.txt            |   2 +
 Documentation/config/sideband.txt   |  24 +++++
 sideband.c                          | 148 +++++++++++++++++++++++++++-
 t/t5409-colorize-remote-messages.sh |  68 +++++++++++++
 4 files changed, 240 insertions(+), 2 deletions(-)
 create mode 100644 Documentation/config/sideband.txt


base-commit: a52a24e03c8c711f1d5e252fba78f9276908129b
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1853%2Fdscho%2Fsanitize-sideband-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1853/dscho/sanitize-sideband-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/1853

Range-diff vs v1:

 1:  f7fb7a3833 ! 1:  8d70476559 sideband: mask control characters
     @@ Commit message
          There is likely a need for more fine-grained controls instead of using a
          "heavy hammer" like this, which will be introduced subsequently.
      
     +    Helped-by: Phillip Wood <phillip.wood@dunelm.org.uk>
          Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      
       ## sideband.c ##
     @@ sideband.c: void list_config_color_sideband_slots(struct string_list *list, cons
      +			strbuf_addch(dest, *src);
      +		else {
      +			strbuf_addch(dest, '^');
     -+			strbuf_addch(dest, 0x40 + *src);
     ++			strbuf_addch(dest, *src == 0x7f ? '?' : 0x40 + *src);
      +		}
      +	}
      +}
     @@ t/t5409-colorize-remote-messages.sh: test_expect_success 'fallback to color.ui'
      +	printf "error: Have you \\033[31mread\\033[m this?\\n" >&2
      +	exec "$@"
      +	EOF
     -+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
     ++	test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
      +	test_commit need-at-least-one-commit &&
      +	git clone --no-local . throw-away 2>stderr &&
      +	test_decode_color <stderr >decoded &&
 2:  14c612c69a ! 2:  2615abd8c5 sideband: introduce an "escape hatch" to allow control characters
     @@ Commit message
          To help with those use cases, give users a way to opt-out of the
          protections: `sideband.allowControlCharacters`.
      
     +    Suggested-by: brian m. carlson <sandals@crustytoothpaste.net>
          Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      
       ## Documentation/config.txt ##
     @@ sideband.c: void list_config_color_sideband_slots(struct string_list *list, cons
       ## t/t5409-colorize-remote-messages.sh ##
      @@ t/t5409-colorize-remote-messages.sh: test_expect_success 'disallow (color) control sequences in sideband' '
       	EOF
     - 	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
     + 	test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
       	test_commit need-at-least-one-commit &&
      +
       	git clone --no-local . throw-away 2>stderr &&
 3:  a26c4ed6ce ! 3:  44585ba1f4 sideband: do allow ANSI color sequences by default
     @@ Commit message
          to the terminal, and `sideband.allowControlCharacters` to override that
          behavior.
      
     -    However, some `pre-receive` hooks that are actively used in practice
     -    want to color their messages and therefore rely on the fact that Git
     -    passes them through to the terminal.
     +    However, as reported by brian m. carlson, some `pre-receive` hooks that
     +    are actively used in practice want to color their messages and therefore
     +    rely on the fact that Git passes them through to the terminal, even
     +    though they have no way to determine whether the receiving side can
     +    actually handle Escape sequences (think e.g. about the practice
     +    recommended by Git that third-party applications wishing to use Git
     +    functionality parse the output of Git commands).
      
          In contrast to other ANSI escape sequences, it is highly unlikely that
          coloring sequences can be essential tools in attack vectors that mislead
          Git users e.g. by hiding crucial information.
      
          Therefore we can have both: Continue to allow ANSI coloring sequences to
     -    be passed to the terminal, and neutralize all other ANSI escape
     -    sequences.
     +    be passed to the terminal by default, and neutralize all other ANSI
     +    Escape sequences.
      
          Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      
     @@ Documentation/config/sideband.txt
      +	this config setting to override this behavior:
      ++
      +--
     ++	default::
      +	color::
      +		Allow ANSI color sequences, line feeds and horizontal tabs,
      +		but mask all other control characters. This is the default.
     @@ sideband.c: static struct keyword_entry keywords[] = {
      -static int allow_control_characters;
      +static enum {
      +	ALLOW_NO_CONTROL_CHARACTERS = 0,
     -+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
     -+	ALLOW_ANSI_COLOR_SEQUENCES = 2
     ++	ALLOW_ANSI_COLOR_SEQUENCES = 1<<0,
     ++	ALLOW_DEFAULT_ANSI_SEQUENCES = ALLOW_ANSI_COLOR_SEQUENCES,
     ++	ALLOW_ALL_CONTROL_CHARACTERS = 1<<1,
      +} allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
       
       /* Returns a color setting (GIT_COLOR_NEVER, etc). */
     @@ sideband.c: static int use_sideband_colors(void)
      +		if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
      +					      &value))
      +			; /* huh? `get_maybe_bool()` returned -1 */
     ++		else if (!strcmp(value, "default"))
     ++			allow_control_characters = ALLOW_DEFAULT_ANSI_SEQUENCES;
      +		else if (!strcmp(value, "color"))
      +			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
      +		else
     @@ sideband.c: void list_config_color_sideband_slots(struct string_list *list, cons
      +	 * Valid ANSI color sequences are of the form
      +	 *
      +	 * ESC [ [<n> [; <n>]*] m
     ++	 *
     ++	 * These are part of the Select Graphic Rendition sequences which
     ++	 * contain more than just color sequences, for more details see
     ++	 * https://en.wikipedia.org/wiki/ANSI_escape_code#SGR.
      +	 */
      +
      +	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
     @@ sideband.c: static void strbuf_add_sanitized(struct strbuf *dest, const char *sr
      +			n -= i;
      +		} else {
       			strbuf_addch(dest, '^');
     - 			strbuf_addch(dest, 0x40 + *src);
     + 			strbuf_addch(dest, *src == 0x7f ? '?' : 0x40 + *src);
       		}
      
       ## t/t5409-colorize-remote-messages.sh ##
     @@ t/t5409-colorize-remote-messages.sh: test_expect_success 'fallback to color.ui'
      +	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
       	exec "$@"
       	EOF
     - 	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
     + 	test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
      @@ t/t5409-colorize-remote-messages.sh: test_expect_success 'disallow (color) control sequences in sideband' '
       
       	git clone --no-local . throw-away 2>stderr &&
 -:  ---------- > 4:  fe109cd331 sideband: add options to allow more control sequences to be passed through

-- 
gitgitgadget