lunny/git-lfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8785a7e0a1
git-lfs/lfs/extension.go
brian m. carlson 10c4ffc6b8
Use subprocess for invoking all commands 
The fix for CVE-2020-27955 was incomplete because we did not consider
places outside of the subprocess code that invoke binaries.  As a
result, there are still some places where an attacker can execute
arbitrary code by placing a malicious binary in the repository.

To make sure we've covered all the bases, let's just use the subprocess
code for executing all programs, which means that they'll be secure.  As
of this commit, all users of exec.Command are in test code or the
subprocess code itself.
2020-12-21 22:19:04 +00:00

163 lines
3.4 KiB
Go
Raw Blame History

package lfs
import (
"bytes"
"crypto/sha256"
"encoding/hex"
"fmt"
"hash"
"io"
"os"
"strings"
"github.com/git-lfs/git-lfs/config"
"github.com/git-lfs/git-lfs/subprocess"
)
type pipeRequest struct {
action string
reader io.Reader
fileName string
extensions []config.Extension
}
type pipeResponse struct {
file *os.File
results []*pipeExtResult
}
type pipeExtResult struct {
name string
oidIn string
oidOut string
}
type extCommand struct {
cmd *subprocess.Cmd
out io.WriteCloser
err *bytes.Buffer
hasher hash.Hash
result *pipeExtResult
}
func pipeExtensions(cfg *config.Configuration, request *pipeRequest) (response pipeResponse, err error) {
var extcmds []*extCommand
defer func() {
// In the case of an early return before the end of this
// function (in response to an error, etc), kill all running
// processes. Errors are ignored since the function has already
// returned.
//
// In the happy path, the commands will have already been
// `Wait()`-ed upon and e.cmd.Process.Kill() will return an
// error, but we can ignore it.
for _, e := range extcmds {
if e.cmd.Process != nil {
e.cmd.Process.Kill()
}
}
}()
for _, e := range request.extensions {
var pieces []string
switch request.action {
case "clean":
pieces = strings.Split(e.Clean, " ")
case "smudge":
pieces = strings.Split(e.Smudge, " ")
default:
err = fmt.Errorf("Invalid action: " + request.action)
return
}
name := strings.Trim(pieces[0], " ")
var args []string
for _, value := range pieces[1:] {
arg := strings.Replace(value, "%f", request.fileName, -1)
args = append(args, arg)
}
cmd := subprocess.ExecCommand(name, args...)
ec := &extCommand{cmd: cmd, result: &pipeExtResult{name: e.Name}}
extcmds = append(extcmds, ec)
}
hasher := sha256.New()
pipeReader, pipeWriter := io.Pipe()
multiWriter := io.MultiWriter(hasher, pipeWriter)
var input io.Reader
var output io.WriteCloser
input = pipeReader
extcmds[0].cmd.Stdin = input
if response.file, err = TempFile(cfg, ""); err != nil {
return
}
defer response.file.Close()
output = response.file
last := len(extcmds) - 1
for i, ec := range extcmds {
ec.hasher = sha256.New()
if i == last {
ec.cmd.Stdout = io.MultiWriter(ec.hasher, output)
ec.out = output
continue
}
nextec := extcmds[i+1]
var nextStdin io.WriteCloser
var stdout io.ReadCloser
if nextStdin, err = nextec.cmd.StdinPipe(); err != nil {
return
}
if stdout, err = ec.cmd.StdoutPipe(); err != nil {
return
}
ec.cmd.Stdin = input
ec.cmd.Stdout = io.MultiWriter(ec.hasher, nextStdin)
ec.out = nextStdin
input = stdout
var errBuff bytes.Buffer
ec.err = &errBuff
ec.cmd.Stderr = ec.err
}
for _, ec := range extcmds {
if err = ec.cmd.Start(); err != nil {
return
}
}
if _, err = io.Copy(multiWriter, request.reader); err != nil {
return
}
if err = pipeWriter.Close(); err != nil {
return
}
for _, ec := range extcmds {
if err = ec.cmd.Wait(); err != nil {
if ec.err != nil {
errStr := ec.err.String()
err = fmt.Errorf("extension '%s' failed with: %s", ec.result.name, errStr)
}
return
}
if err = ec.out.Close(); err != nil {
return
}
}
oid := hex.EncodeToString(hasher.Sum(nil))
for _, ec := range extcmds {
ec.result.oidIn = oid
oid = hex.EncodeToString(ec.hasher.Sum(nil))
ec.result.oidOut = oid
response.results = append(response.results, ec.result)
}
return
}
Reference in New Issue View Git Blame Copy Permalink