lunny/git-lfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
542a6f00de
git-lfs/t/t-path.sh

62 lines
1.5 KiB
Bash
Raw Normal View History

subprocess: avoid using relative program names When Go runs a program with os.exec, it uses the LookPath function to look up the path name if the path does not contain a path separator. On Unix, this provides the standard Unix semantics by looking in PATH. However, on Windows, it also looks in the current directory as well to emulate the behavior of CMD. Unfortunately, this is a well-known security flaw on Windows and similar behavior there is the source for several whole classes of security vulnerabilities. This leads to an untrusted repository being able to create a git.bat file that gets executed in preference to our trusted path for the git binary. Since we don't want to rely on Go fixing this behavior, let's import some code from Go to provide the Unix semantics for LookPath, which are secure if the user hasn't put the current directory in PATH. That should provide secure behavior in this case. Fortunately, our code goes through one particular place to run all commands, so this is a relatively simple fix. Update the various copyright and license files to reflect our imported code.
2020-10-28 14:27:33 +00:00
#!/usr/bin/env bash
. "$(dirname "$0")/testlib.sh"
begin_test "does not look in current directory for git"
(
set -e
reponame="$(basename "$0" ".sh")"
git init "$reponame"
cd "$reponame"
export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"
printf "#!/bin/sh\necho exploit >&2\n" > git
chmod +x git || true
printf "echo exploit 1>&2\n" > git.bat
# This needs to succeed. If it fails, that could be because our malicious
# "git" is broken but got invoked anyway.
git lfs env > output.log 2>&1
! grep -q 'exploit' output.log
)
end_test
Use subprocess for invoking all commands The fix for CVE-2020-27955 was incomplete because we did not consider places outside of the subprocess code that invoke binaries. As a result, there are still some places where an attacker can execute arbitrary code by placing a malicious binary in the repository. To make sure we've covered all the bases, let's just use the subprocess code for executing all programs, which means that they'll be secure. As of this commit, all users of exec.Command are in test code or the subprocess code itself.
2020-12-21 21:08:17 +00:00
begin_test "does not look in current directory for git with credential helper"
(
set -e
reponame="$(basename "$0" ".sh")-credentials"
setup_remote_repo "$reponame"
clone_repo "$reponame" credentials-1
export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"
printf "#!/bin/sh\necho exploit >&2\ntouch exploit\n" > git
chmod +x git || true
printf "echo exploit 1>&2\r\necho >exploit" > git.bat
git lfs track "*.dat"
printf abc > z.dat
git add z.dat
git add .gitattributes
git add git git.bat
git commit -m "Add files"
git push origin HEAD
cd ..
unset GIT_ASKPASS SSH_ASKPASS
# This needs to succeed. If it fails, that could be because our malicious
# "git" is broken but got invoked anyway.
GIT_LFS_SKIP_SMUDGE=1 clone_repo "$reponame" credentials-2
git lfs pull | tee output.log
! grep -q 'exploit' output.log
[ ! -f ../exploit ]
[ ! -f exploit ]
)
end_test
Reference in New Issue Copy Permalink