Mercurial > hg
changeset 41457:6c10eba6b9cd stable
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds add a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Tue, 08 Jan 2019 22:07:45 +0900 |
parents | 31286c9282df |
children | 83377b4b4ae0 |
files | mercurial/subrepo.py tests/test-audit-subrepo.t |
diffstat | 2 files changed, 69 insertions(+), 36 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/subrepo.py Tue Jan 08 21:51:54 2019 +0900 +++ b/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900 @@ -403,7 +403,16 @@ r = ctx.repo() root = r.wjoin(path) create = allowcreate and not r.wvfs.exists('%s/.hg' % path) + # repository constructor does expand variables in path, which is + # unsafe since subrepo path might come from untrusted source. + if os.path.realpath(util.expandpath(root)) != root: + raise error.Abort(_('subrepo path contains illegal component: %s') + % path) self._repo = hg.repository(r.baseui, root, create=create) + if self._repo.root != root: + raise error.ProgrammingError('failed to reject unsafe subrepo ' + 'path: %s (expanded to %s)' + % (root, self._repo.root)) # Propagate the parent's --hidden option if r is r.unfiltered():
--- a/tests/test-audit-subrepo.t Tue Jan 08 21:51:54 2019 +0900 +++ b/tests/test-audit-subrepo.t Tue Jan 08 22:07:45 2019 +0900 @@ -151,20 +151,37 @@ ----------------- on commit: -BROKEN: should fail $ hg init currentpath $ cd currentpath $ hg init sub $ echo '. = sub' >> .hgsub $ hg ci -qAm 'add subrepo "."' + abort: subrepo path contains illegal component: . + [255] + +prepare tampered repo (including the commit above): + + $ hg import --bypass -qm 'add subrepo "."' - <<'EOF' + > diff --git a/.hgsub b/.hgsub + > new file mode 100644 + > --- /dev/null + > +++ b/.hgsub + > @@ -0,0 +1,1 @@ + > +.= sub + > diff --git a/.hgsubstate b/.hgsubstate + > new file mode 100644 + > --- /dev/null + > +++ b/.hgsubstate + > @@ -0,0 +1,1 @@ + > +0000000000000000000000000000000000000000 . + > EOF $ cd .. on clone (and update): - $ hg clone -q currentpath currentpath2 --config ui.timeout=1 - waiting for lock on working directory of $TESTTMP/currentpath2/. * (glob) - abort: working directory of $TESTTMP/currentpath2/.: timed out waiting for lock held by '*' (glob) + $ hg clone -q currentpath currentpath2 + abort: subrepo path contains illegal component: . [255] Test outer path @@ -214,7 +231,6 @@ properly. Any local repository paths are expanded. on commit: -BROKEN: wrong error message $ mkdir envvar $ cd envvar @@ -230,7 +246,7 @@ 39eb4b4d3e096527668784893a9280578a8f38b8 $ echo '$SUB = sub1' >> .hgsub $ SUB=sub1 hg ci -qAm 'add subrepo "$SUB"' - abort: repository $TESTTMP/envvar/main/$SUB already exists! + abort: subrepo path contains illegal component: $SUB [255] prepare tampered repo (including the changes above as two commits): @@ -267,20 +283,23 @@ $SUB $ SUB=sub1 hg clone -q main main3 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main3 - sub1 $ SUB=sub2 hg clone -q main main4 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main4 - sub2 on clone empty subrepo into .hg, then pull (and update), which at least fails: -BROKEN: the first clone should fail $ SUB=.hg hg clone -qr0 main main5 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main5 - $ ls -d main5/.hg/.hg - main5/.hg/.hg + $ test -d main5/.hg/.hg + [1] $ SUB=.hg hg -R main5 pull -u pulling from $TESTTMP/envvar/main searching for changes @@ -289,7 +308,8 @@ adding file changes added 1 changesets with 1 changes to 1 files new changesets 7a2f0e59146f - abort: repository $TESTTMP/envvar/main5/$SUB already exists! + .hgsubstate: untracked file differs + abort: untracked files in working directory differ from files in requested revision [255] $ cat main5/.hg/hgrc | grep pwned [1] @@ -297,32 +317,36 @@ on clone (and update) into .hg, which at least fails: $ SUB=.hg hg clone -q main main6 - abort: destination '$TESTTMP/envvar/main6/.hg' is not empty (in subrepository ".hg") + abort: subrepo path contains illegal component: $SUB [255] $ ls main6 $ cat main6/.hg/hgrc | grep pwned [1] on clone (and update) into .hg/* subdir: -BROKEN: should fail $ SUB=.hg/foo hg clone -q main main7 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main7 - $ ls main7/.hg/foo - hgrc + $ test -d main7/.hg/.hg + [1] on clone (and update) into outer tree: -BROKEN: should fail $ SUB=../out-of-tree-write hg clone -q main main8 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main8 on clone (and update) into e.g. $HOME, which doesn't work since subrepo paths are concatenated prior to variable expansion: $ SUB="$TESTTMP/envvar/fakehome" hg clone -q main main9 + abort: subrepo path contains illegal component: $SUB + [255] $ ls main9 | wc -l - \s*1 (re) + \s*0 (re) $ ls main @@ -334,7 +358,6 @@ main7 main8 main9 - out-of-tree-write $ cd .. Test tilde @@ -463,7 +486,6 @@ $ FAKEHOME="$TESTTMP/envvarsym/fakehome" on commit: -BROKEN: wrong error message $ mkdir envvarsym $ cd envvarsym @@ -479,7 +501,7 @@ f40c9134ba1b6961e12f250868823f0092fb68a8 $ echo '$SUB = sub1' >> .hgsub $ SUB="$FAKEHOME" hg ci -qAm 'add subrepo "$SUB"' - abort: repository $TESTTMP/envvarsym/main/$SUB already exists! + abort: subrepo path contains illegal component: $SUB [255] prepare tampered repo (including the changes above as two commits): @@ -510,46 +532,47 @@ $ cd .. on clone (and update) without fakehome directory: -BROKEN: should fail $ rm -fR "$FAKEHOME" $ SUB="$FAKEHOME" hg clone -q main main2 - $ ls "$FAKEHOME" - pwned + abort: subrepo path contains illegal component: $SUB + [255] + $ test -d "$FAKEHOME" + [1] on clone (and update) with empty fakehome directory: -BROKEN: should fail $ rm -fR "$FAKEHOME" $ mkdir "$FAKEHOME" $ SUB="$FAKEHOME" hg clone -q main main3 + abort: subrepo path contains illegal component: $SUB + [255] $ ls "$FAKEHOME" - pwned on clone (and update) with non-empty fakehome directory: -BROKEN: wrong error message $ rm -fR "$FAKEHOME" $ mkdir "$FAKEHOME" $ touch "$FAKEHOME/a" $ SUB="$FAKEHOME" hg clone -q main main4 - abort: destination '$TESTTMP/envvarsym/fakehome' is not empty (in subrepository "*") (glob) + abort: subrepo path contains illegal component: $SUB [255] $ ls "$FAKEHOME" a on clone empty subrepo with non-empty fakehome directory, then pull (and update): -BROKEN: the first clone should fail $ rm -fR "$FAKEHOME" $ mkdir "$FAKEHOME" $ touch "$FAKEHOME/a" $ SUB="$FAKEHOME" hg clone -qr1 main main5 + abort: subrepo path contains illegal component: $SUB + [255] $ ls "$FAKEHOME" a - $ ls -d "$FAKEHOME/.hg" - $TESTTMP/envvarsym/fakehome/.hg + $ test -d "$FAKEHOME/.hg" + [1] $ SUB="$FAKEHOME" hg -R main5 pull -u pulling from $TESTTMP/envvarsym/main searching for changes @@ -558,21 +581,23 @@ adding file changes added 1 changesets with 1 changes to 1 files new changesets * (glob) - abort: repository $TESTTMP/envvarsym/main5/$SUB already exists! + .hgsubstate: untracked file differs + abort: untracked files in working directory differ from files in requested revision [255] $ ls "$FAKEHOME" a + $ test -d "$FAKEHOME/.hg" + [1] on clone empty subrepo with hg-managed fakehome directory, then pull (and update): -BROKEN: wrong error message $ rm -fR "$FAKEHOME" $ hg init "$FAKEHOME" $ touch "$FAKEHOME/a" $ hg -R "$FAKEHOME" ci -qAm 'add fakehome file' $ SUB="$FAKEHOME" hg clone -qr1 main main6 - abort: repository $TESTTMP/envvarsym/main6/$SUB already exists! + abort: subrepo path contains illegal component: $SUB [255] $ ls "$FAKEHOME" a @@ -592,7 +617,6 @@ on clone only symlink with hg-managed fakehome directory, then pull (and update): -BROKEN: wrong error message $ rm -fR "$FAKEHOME" $ hg init "$FAKEHOME" @@ -609,7 +633,7 @@ adding file changes added 2 changesets with 3 changes to 2 files new changesets * (glob) - abort: repository $TESTTMP/envvarsym/main7/$SUB already exists! + abort: subrepo path contains illegal component: $SUB [255] $ ls "$FAKEHOME" a