Mercurial > hg
comparison tests/test-subrepo-git.t @ 28658:34d43cb85de8 stable
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
CVE-2016-3068 (1/1)
Git's git-remote-ext remote helper provides an ext:: URL scheme that
allows running arbitrary shell commands. This feature allows
implementing simple git smart transports with a single shell shell
command. However, git submodules could clone arbitrary URLs specified
in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
in git v2.6.1.
However, if a user directly clones a malicious ext URL, the git client
will still run arbitrary shell commands.
Mercurial is similarly effected. Mercurial allows specifying git
repositories as subrepositories. Git ext:: URLs can be specified as
Mercurial subrepositories allowing arbitrary shell commands to be run
on `hg clone ...`.
The Mercurial community would like to thank Blake Burkhart for
reporting this issue. The description of the issue is copied from
Blake's report.
This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
variable to git commands with the same list of allowed protocols that
git submodule is using.
When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
to git without modifications.
| author | Mateusz Kwapich <mitrandir@fb.com> |
|---|---|
| date | Sun, 20 Mar 2016 21:52:21 -0700 |
| parents | b54b520a24c2 |
| children | ff0d3b6b287f |
comparison
equal
deleted
inserted
replaced
| 28657:b9714d958e89 | 28658:34d43cb85de8 |
|---|---|
| 1130 ? s/c.c | 1130 ? s/c.c |
| 1131 ? s/cpp.cpp | 1131 ? s/cpp.cpp |
| 1132 ? s/foobar.orig | 1132 ? s/foobar.orig |
| 1133 ? s/snake.python.orig | 1133 ? s/snake.python.orig |
| 1134 | 1134 |
| 1135 $ cd .. | 1135 test for Git CVE-2016-3068 |
| 1136 $ hg init malicious-subrepository | |
| 1137 $ cd malicious-subrepository | |
| 1138 $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub | |
| 1139 $ git init s | |
| 1140 Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/ | |
| 1141 $ cd s | |
| 1142 $ git commit --allow-empty -m 'empty' | |
| 1143 [master (root-commit) 153f934] empty | |
| 1144 $ cd .. | |
| 1145 $ hg add .hgsub | |
| 1146 $ hg commit -m "add subrepo" | |
| 1147 $ cd .. | |
| 1148 $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected | |
| 1149 Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'... | |
| 1150 fatal: transport 'ext' not allowed | |
| 1151 updating to branch default | |
| 1152 cloning subrepo s from ext::sh -c echo% pwned% >&2 | |
| 1153 abort: git clone error 128 in s (in subrepo s) | |
| 1154 [255] | |
| 1155 | |
| 1156 whitelisting of ext should be respected (that's the git submodule behaviour) | |
| 1157 $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed | |
| 1158 Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'... | |
| 1159 pwned | |
| 1160 fatal: Could not read from remote repository. | |
| 1161 | |
| 1162 Please make sure you have the correct access rights | |
| 1163 and the repository exists. | |
| 1164 updating to branch default | |
| 1165 cloning subrepo s from ext::sh -c echo% pwned% >&2 | |
| 1166 abort: git clone error 128 in s (in subrepo s) | |
| 1167 [255] |