lunny/git-lfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
542a6f00de
git-lfs/t/t-path.sh
brian m. carlson 10c4ffc6b8
Use subprocess for invoking all commands 
The fix for CVE-2020-27955 was incomplete because we did not consider
places outside of the subprocess code that invoke binaries.  As a
result, there are still some places where an attacker can execute
arbitrary code by placing a malicious binary in the repository.

To make sure we've covered all the bases, let's just use the subprocess
code for executing all programs, which means that they'll be secure.  As
of this commit, all users of exec.Command are in test code or the
subprocess code itself.
2020-12-21 22:19:04 +00:00

62 lines
1.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
. "$(dirname "$0")/testlib.sh"
begin_test "does not look in current directory for git"
(
set -e
reponame="$(basename "$0" ".sh")"
git init "$reponame"
cd "$reponame"
export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"
printf "#!/bin/sh\necho exploit >&2\n" > git
chmod +x git || true
printf "echo exploit 1>&2\n" > git.bat
# This needs to succeed. If it fails, that could be because our malicious
# "git" is broken but got invoked anyway.
git lfs env > output.log 2>&1
! grep -q 'exploit' output.log
)
end_test
begin_test "does not look in current directory for git with credential helper"
(
set -e
reponame="$(basename "$0" ".sh")-credentials"
setup_remote_repo "$reponame"
clone_repo "$reponame" credentials-1
export PATH="$(echo "$PATH" | sed -e "s/:.:/:/g" -e "s/::/:/g")"
printf "#!/bin/sh\necho exploit >&2\ntouch exploit\n" > git
chmod +x git || true
printf "echo exploit 1>&2\r\necho >exploit" > git.bat
git lfs track "*.dat"
printf abc > z.dat
git add z.dat
git add .gitattributes
git add git git.bat
git commit -m "Add files"
git push origin HEAD
cd ..
unset GIT_ASKPASS SSH_ASKPASS
# This needs to succeed. If it fails, that could be because our malicious
# "git" is broken but got invoked anyway.
GIT_LFS_SKIP_SMUDGE=1 clone_repo "$reponame" credentials-2
git lfs pull | tee output.log
! grep -q 'exploit' output.log
[ ! -f ../exploit ]
[ ! -f exploit ]
)
end_test
Reference in New Issue View Git Blame Copy Permalink