* stable-5.0:
Prepare 4.11.5-SNAPSHOT builds
JGit v4.11.4.
201810060650-r
Fix configuration of maven-javadoc-plugin
Prepare 4.9.7-SNAPSHOT builds
JGit v4.9.6.
201810051924-r
Prepare 4.7.6-SNAPSHOT builds
JGit v4.7.5.
201810051826-r
BaseReceivePack: Validate incoming .gitmodules files
ObjectChecker: Report .gitmodules files found in the pack
SubmoduleAddCommand: Reject submodule URIs that look like cli options
* Fix todos in SubmoduleAddTest
Change-Id: I53272081094b8948a40a1ce409af08b6ef330c1e
Signed-off-by: Jonathan Nieder <jrn@google.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
}
}
- // TODO(ms) set name to a valid value in 5.1.0 and adapt expected
- // message below
+ @Test
+ public void addSubmoduleWithInvalidPath() throws Exception {
+ SubmoduleAddCommand command = new SubmoduleAddCommand(db);
+ command.setPath("-invalid-path");
- // TODO(ms) should check for submodule path, but can't set name
- // before 5.1.0
- assertEquals("Invalid submodule name '-invalid-path'",
++ command.setName("sub");
+ command.setURI("http://example.com/repo/x.git");
+ try {
+ command.call().close();
+ fail("Exception not thrown");
+ } catch (IllegalArgumentException e) {
++ assertEquals("Invalid submodule path '-invalid-path'",
+ e.getMessage());
+ }
+ }
+
+ @Test
+ public void addSubmoduleWithInvalidUri() throws Exception {
+ SubmoduleAddCommand command = new SubmoduleAddCommand(db);
+ command.setPath("valid-path");
+ command.setURI("-upstream");
+ try {
+ command.call().close();
+ fail("Exception not thrown");
+ } catch (IllegalArgumentException e) {
+ assertEquals("Invalid submodule URL '-upstream'", e.getMessage());
+ }
+ }
+
@Test
public void addSubmoduleWithRelativeUri() throws Exception {
try (Git git = new Git(db)) {
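Review bot: Neither added test exercises the `name` validation that this merge brings in: `addSubmoduleWithInvalidPath` sets the valid name `sub`, and `addSubmoduleWithInvalidUri` leaves the name unset. A test that sets a name with a `..` segment and expects `IllegalArgumentException` would pin the rejection the command adds for CVE-2018-11235. None is visible in this hunk, though one may exist elsewhere in the file. The expected message text is not on this page, so the sketch below checks only the exception type.

```java
	@Test
	public void addSubmoduleWithDotDotName() throws Exception {
		SubmoduleAddCommand command = new SubmoduleAddCommand(db);
		command.setPath("sub");
		command.setName("../sub");
		command.setURI("http://example.com/repo/x.git");
		try {
			command.call().close();
			fail("Exception not thrown");
		} catch (IllegalArgumentException e) {
			// expected: names with a ".." segment are rejected
		}
	}
```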
<resource path="META-INF/MANIFEST.MF">
<filter id="924844039">
<message_arguments>
- <message_argument value="5.0.4"/>
- <message_argument value="5.0.0"/>
++ <message_argument value="5.1.2"/>
+ <message_argument value="5.1.0"/>
- <message_argument value="5.1.0"/>
- </message_arguments>
- </filter>
- <filter id="924844039">
- <message_arguments>
- <message_argument value="5.0.4"/>
- <message_argument value="5.0.0"/>
</message_arguments>
</filter>
</resource>
throw new IllegalArgumentException(JGitText.get().pathNotConfigured);
if (uri == null || uri.length() == 0)
throw new IllegalArgumentException(JGitText.get().uriNotConfigured);
+ if (name == null || name.length() == 0) {
+ // Use the path as the default.
+ name = path;
+ }
+ if (name.contains("/../") || name.contains("\\..\\") //$NON-NLS-1$ //$NON-NLS-2$
+ || name.startsWith("../") || name.startsWith("..\\") //$NON-NLS-1$ //$NON-NLS-2$
+ || name.endsWith("/..") || name.endsWith("\\..")) { //$NON-NLS-1$ //$NON-NLS-2$
+ // Submodule names are used to store the submodule repositories
+ // under $GIT_DIR/modules. Having ".." in submodule names makes a
+ // vulnerability (CVE-2018-11235
+ // https://bugs.eclipse.org/bugs/show_bug.cgi?id=535027#c0)
+ // Reject the names with them. The callers need to make sure the
+ // names free from these. We don't automatically replace these
+ // characters or canonicalize by regarding the name as a file path.
+ // Since Path class is platform dependent, we manually check '/' and
+ // '\\' patterns here.
+ throw new IllegalArgumentException(MessageFormat
+ .format(JGitText.get().invalidNameContainsDotDot, name));
+ }
- SubmoduleValidator.assertValidSubmoduleName(path);
+ try {
++ SubmoduleValidator.assertValidSubmoduleName(name);
+ SubmoduleValidator.assertValidSubmodulePath(path);
+ SubmoduleValidator.assertValidSubmoduleUri(uri);
+ } catch (SubmoduleValidator.SubmoduleValidationException e) {
+ throw new IllegalArgumentException(e.getMessage());
+ }
+
try {
if (submoduleExists())
throw new JGitInternalException(MessageFormat.format(
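Review bot: The added `..` check on `name` does not cover a name that is exactly `..`, because none of the six `contains`/`startsWith`/`endsWith` tests matches it. Such a name reaches `SubmoduleValidator.assertValidSubmoduleName(name)`, whose body is not visible here and may or may not reject it. Since the comment says names become directories under `$GIT_DIR/modules`, I would add `|| name.equals("..")` to the condition, or compare each `/`- and `\`-separated segment with `..`. Separately, the new catch drops the validation exception as the cause; `throw new IllegalArgumentException(e.getMessage(), e);` keeps the stack trace. The enclosing method starts and ends outside the hunk.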