author:    Jonathan Nieder <jrnieder@gmail.com>  2019-12-05 01:30:43 -0800
committer: Johannes Schindelin <johannes.schindelin@gmx.de>  2019-12-06 16:27:38 +0100
commit:    bb92255ebe6bccd76227e023d6d0bc997e318ad0
tree:      d506e15c7903457a57677942a619c07e36e0509e /t
parent:    Sync with 2.16.6
fsck: reject submodule.update = !command in .gitmodules
This allows hosting providers to detect whether they are being used to attack users using malicious 'update = !command' settings in .gitmodules.

Since ac1fbbda2013 (submodule: do not copy unknown update mode from .gitmodules, 2013-12-02), in normal cases such settings have been treated as 'update = none', so forbidding them should not produce any collateral damage to legitimate uses. A quick search does not reveal any repositories making use of this construct, either.

Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 't')
-rwxr-xr-x  t/t7406-submodule-update.sh | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
index 779932457a..ceb5eed6e1 100755
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@ -414,6 +414,20 @@ test_expect_success 'submodule update - command in .gitmodules is rejected' '
test_must_fail git -C super submodule update submodule
'
+test_expect_success 'fsck detects command in .gitmodules' '
+ git init command-in-gitmodules &&
+ (
+ cd command-in-gitmodules &&
+ git submodule add ../submodule submodule &&
+ test_commit adding-submodule &&
+
+ git config -f .gitmodules submodule.submodule.update "!false" &&
+ git add .gitmodules &&
+ test_commit configuring-update &&
+ test_must_fail git fsck
+ )
+'
+
cat << EOF >expect
Execution of 'false $submodulesha1' failed in submodule path 'submodule'
EOF
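Review bot: the new 'fsck detects command in .gitmodules' test at @@ -414 only asserts that `git fsck` exits non-zero; it does not confirm that the failure is caused by the new `update = !command` check rather than by some unrelated problem in the freshly created repository, so a regression elsewhere in fsck would still let this test pass. Consider redirecting the output (`test_must_fail git fsck 2>err`) and checking `err` for the message the new check emits, and adding a companion positive case in the same repository where `submodule.submodule.update` is set to an ordinary mode such as `checkout` and `git fsck` is expected to succeed; that second case protects the "no collateral damage to legitimate uses" claim in the commit message against the check later becoming over-broad. Note also that the test relies on `../submodule` having been created by earlier tests in this file, which matches the surrounding tests but means it cannot be run in isolation.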