authorLibravatar Johannes Schindelin <johannes.schindelin@gmx.de>2019-10-03 20:44:34 +0200
committerLibravatar Johannes Schindelin <johannes.schindelin@gmx.de>2019-12-04 13:23:22 +0100
commita7b1ad3b05fd1dc03c3de12ea4f2d8118ad24e2c (patch)
tree9603df337bf43eec5d4998d44f5c3293661950d2 /t
parentGit 2.14.5 (diff)
parentfast-import: disallow "feature import-marks" by default (diff)
Merge branch 'jk/fast-import-unsafe'
The `--export-marks` option of `git fast-import` is also exposed via the in-stream command `feature export-marks=...`, and it allows overwriting arbitrary paths. This topic branch disallows the in-stream version, to prevent arbitrary file accesses by `git fast-import` streams coming from untrusted sources (e.g. in remote helpers that are based on `git fast-import`). This fixes CVE-2019-1348. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 't')
-rwxr-xr-xt/t9300-fast-import.sh58
1 files changed, 44 insertions, 14 deletions
diff --git a/t/t9300-fast-import.sh b/t/t9300-fast-import.sh
index d47560b634..77104f9daa 100755
--- a/t/t9300-fast-import.sh
+++ b/t/t9300-fast-import.sh
@@ -2106,12 +2106,27 @@ test_expect_success 'R: abort on receiving feature after data command' '
test_must_fail git fast-import <input
'
+test_expect_success 'R: import-marks features forbidden by default' '
+ >git.marks &&
+ echo "feature import-marks=git.marks" >input &&
+ test_must_fail git fast-import <input &&
+ echo "feature import-marks-if-exists=git.marks" >input &&
+ test_must_fail git fast-import <input
+'
+
test_expect_success 'R: only one import-marks feature allowed per stream' '
+ >git.marks &&
+ >git2.marks &&
cat >input <<-EOF &&
feature import-marks=git.marks
feature import-marks=git2.marks
EOF
+ test_must_fail git fast-import --allow-unsafe-features <input
+'
+
+test_expect_success 'R: export-marks feature forbidden by default' '
+ echo "feature export-marks=git.marks" >input &&
test_must_fail git fast-import <input
'
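Review bot: The new 'R: export-marks feature forbidden by default' test at the end of the hunk only asserts that fast-import exits non-zero; it does not confirm that the rejected stream left no marks file behind, which is the property this fix exists to guarantee. Since git.marks already exists in the test directory from the `>git.marks` in the earlier test of this hunk, the check needs a fresh name, e.g. `echo "feature export-marks=forbidden.marks" >input &&`, `test_must_fail git fast-import <input &&`, `test_path_is_missing forbidden.marks`. That turns a "command failed for some reason" check into a check that the unsafe write was actually prevented. The 'R: abort on receiving feature after data command' test whose closing lines open the hunk starts outside it.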
@@ -2125,19 +2140,29 @@ test_expect_success 'R: export-marks feature results in a marks file being creat
EOF
- cat input | git fast-import &&
+ git fast-import --allow-unsafe-features <input &&
grep :1 git.marks
'
test_expect_success 'R: export-marks options can be overridden by commandline options' '
- cat input | git fast-import --export-marks=other.marks &&
- grep :1 other.marks
+ cat >input <<-\EOF &&
+ feature export-marks=feature-sub/git.marks
+ blob
+ mark :1
+ data 3
+ hi
+
+ EOF
+ git fast-import --allow-unsafe-features \
+ --export-marks=cmdline-sub/other.marks <input &&
+ grep :1 cmdline-sub/other.marks &&
+ test_path_is_missing feature-sub
'
test_expect_success 'R: catch typo in marks file name' '
test_must_fail git fast-import --import-marks=nonexistent.marks </dev/null &&
echo "feature import-marks=nonexistent.marks" |
- test_must_fail git fast-import
+ test_must_fail git fast-import --allow-unsafe-features
'
test_expect_success 'R: import and output marks can be the same file' '
@@ -2193,7 +2218,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
rm -f io.marks &&
>expect &&
- git fast-import --export-marks=io.marks <<-\EOF &&
+ git fast-import --export-marks=io.marks \
+ --allow-unsafe-features <<-\EOF &&
feature import-marks-if-exists=not_io.marks
EOF
test_cmp expect io.marks &&
@@ -2204,7 +2230,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
echo ":1 $blob" >expect &&
echo ":2 $blob" >>expect &&
- git fast-import --export-marks=io.marks <<-\EOF &&
+ git fast-import --export-marks=io.marks \
+ --allow-unsafe-features <<-\EOF &&
feature import-marks-if-exists=io.marks
blob
mark :2
@@ -2217,7 +2244,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
echo ":3 $blob" >>expect &&
git fast-import --import-marks=io.marks \
- --export-marks=io.marks <<-\EOF &&
+ --export-marks=io.marks \
+ --allow-unsafe-features <<-\EOF &&
feature import-marks-if-exists=not_io.marks
blob
mark :3
@@ -2230,7 +2258,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
>expect &&
git fast-import --import-marks-if-exists=not_io.marks \
- --export-marks=io.marks <<-\EOF &&
+ --export-marks=io.marks \
+ --allow-unsafe-features <<-\EOF &&
feature import-marks-if-exists=io.marks
EOF
test_cmp expect io.marks
@@ -2242,7 +2271,7 @@ test_expect_success 'R: import to output marks works without any content' '
feature export-marks=marks.new
EOF
- cat input | git fast-import &&
+ git fast-import --allow-unsafe-features <input &&
test_cmp marks.out marks.new
'
@@ -2252,7 +2281,7 @@ test_expect_success 'R: import marks prefers commandline marks file over the str
feature export-marks=marks.new
EOF
- cat input | git fast-import --import-marks=marks.out &&
+ git fast-import --import-marks=marks.out --allow-unsafe-features <input &&
test_cmp marks.out marks.new
'
@@ -2265,7 +2294,8 @@ test_expect_success 'R: multiple --import-marks= should be honoured' '
head -n2 marks.out > one.marks &&
tail -n +3 marks.out > two.marks &&
- git fast-import --import-marks=one.marks --import-marks=two.marks <input &&
+ git fast-import --import-marks=one.marks --import-marks=two.marks \
+ --allow-unsafe-features <input &&
test_cmp marks.out combined.marks
'
@@ -2278,7 +2308,7 @@ test_expect_success 'R: feature relative-marks should be honoured' '
mkdir -p .git/info/fast-import/ &&
cp marks.new .git/info/fast-import/relative.in &&
- git fast-import <input &&
+ git fast-import --allow-unsafe-features <input &&
test_cmp marks.new .git/info/fast-import/relative.out
'
@@ -2290,7 +2320,7 @@ test_expect_success 'R: feature no-relative-marks should be honoured' '
feature export-marks=non-relative.out
EOF
- git fast-import <input &&
+ git fast-import --allow-unsafe-features <input &&
test_cmp marks.new non-relative.out
'
@@ -2560,7 +2590,7 @@ test_expect_success 'R: quiet option results in no stats being output' '
EOF
- cat input | git fast-import 2> output &&
+ git fast-import 2>output <input &&
test_must_be_empty output
'