In C git versions before 2.19.1, the submodule is fetched by running "git clone <uri> <path>". A URI starting with "-" would be interpreted as an option, causing security problems. See CVE-2018-17456. Refuse to add submodules with URIs, names or paths starting with "-", that could be confused with command line arguments. [jn: backported to JGit 4.7.y, bringing portions of Masaya Suzuki's dotdot check code in v5.1.0.201808281540-m3~57 (Add API to specify the submodule name, 2018-07-12) along for the ride] Change-Id: I2607c3acc480b75ab2b13386fe2cac435839f017 Signed-off-by: Ivan Frade <ifrade@google.com> Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>tags/v4.7.5.201810051826-r
@@ -182,6 +182,37 @@ public class SubmoduleAddTest extends RepositoryTestCase { | |||
} | |||
} | |||
@Test | |||
public void addSubmoduleWithInvalidPath() throws Exception { | |||
SubmoduleAddCommand command = new SubmoduleAddCommand(db); | |||
command.setPath("-invalid-path"); | |||
// TODO(ms) set name to a valid value in 5.1.0 and adapt expected | |||
// message below | |||
command.setURI("http://example.com/repo/x.git"); | |||
try { | |||
command.call().close(); | |||
fail("Exception not thrown"); | |||
} catch (IllegalArgumentException e) { | |||
// TODO(ms) should check for submodule path, but can't set name | |||
// before 5.1.0 | |||
assertEquals("Invalid submodule name '-invalid-path'", | |||
e.getMessage()); | |||
} | |||
} | |||
@Test | |||
public void addSubmoduleWithInvalidUri() throws Exception { | |||
SubmoduleAddCommand command = new SubmoduleAddCommand(db); | |||
command.setPath("valid-path"); | |||
command.setURI("-upstream"); | |||
try { | |||
command.call().close(); | |||
fail("Exception not thrown"); | |||
} catch (IllegalArgumentException e) { | |||
assertEquals("Invalid submodule URL '-upstream'", e.getMessage()); | |||
} | |||
} | |||
@Test | |||
public void addSubmoduleWithRelativeUri() throws Exception { | |||
try (Git git = new Git(db)) { | |||
@@ -269,4 +300,4 @@ public class SubmoduleAddTest extends RepositoryTestCase { | |||
ConfigConstants.CONFIG_KEY_URL)); | |||
} | |||
} | |||
} | |||
} |
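Review bot: The two new tests pin only the leading-"-" rejection; the ".." check that assertValidSubmoduleName also performs (and which this backport reaches through the path, since 4.7 has no separate name setter) has no test in this hunk, so a regression there would go unnoticed unless it is already covered elsewhere in the class. Given the message key added in this commit, a path such as `sub/../escape` should surface as `Invalid name (contains ".."): sub/../escape`, assuming no earlier check in call() rejects the path first. A test in the same shape as addSubmoduleWithInvalidPath would pin that behavior.
```java
	@Test
	public void addSubmoduleWithDotDotPath() throws Exception {
		SubmoduleAddCommand command = new SubmoduleAddCommand(db);
		// In 4.7 the path doubles as the submodule name, so the ".." rule
		// of assertValidSubmoduleName is the one expected to fire here.
		command.setPath("sub/../escape");
		command.setURI("http://example.com/repo/x.git");
		try {
			command.call().close();
			fail("Exception not thrown");
		} catch (IllegalArgumentException e) {
			assertEquals("Invalid name (contains \"..\"): sub/../escape",
					e.getMessage());
		}
	}
```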
@@ -3,7 +3,7 @@ | |||
<resource path="META-INF/MANIFEST.MF"> | |||
<filter id="924844039"> | |||
<message_arguments> | |||
<message_argument value="4.7.4"/> | |||
<message_argument value="4.7.5"/> | |||
<message_argument value="4.7.0"/> | |||
</message_arguments> | |||
</filter> |
@@ -358,6 +358,7 @@ invalidKey=Invalid key: {0} | |||
invalidLineInConfigFile=Invalid line in config file | |||
invalidModeFor=Invalid mode {0} for {1} {2} in {3}. | |||
invalidModeForPath=Invalid mode {0} for path {1} | |||
invalidNameContainsDotDot=Invalid name (contains ".."): {0} | |||
invalidObject=Invalid {0} {1}: {2} | |||
invalidOldIdSent=invalid old id sent | |||
invalidPacketLineHeader=Invalid packet line header: {0} | |||
@@ -605,7 +606,10 @@ storePushCertMultipleRefs=Store push certificate for {0} refs | |||
storePushCertOneRef=Store push certificate for {0} | |||
storePushCertReflog=Store push certificate | |||
submoduleExists=Submodule ''{0}'' already exists in the index | |||
submoduleNameInvalid=Invalid submodule name ''{0}'' | |||
submoduleParentRemoteUrlInvalid=Cannot remove segment from remote url ''{0}'' | |||
submodulePathInvalid=Invalid submodule path ''{0}'' | |||
submoduleUrlInvalid=Invalid submodule URL ''{0}'' | |||
submodulesNotSupported=Submodules are not supported | |||
supportOnlyPackIndexVersion2=Only support index version 2 | |||
symlinkCannotBeWrittenAsTheLinkTarget=Symlink "{0}" cannot be written as the link target cannot be read from within Java. |
@@ -51,6 +51,7 @@ import org.eclipse.jgit.api.errors.JGitInternalException; | |||
import org.eclipse.jgit.api.errors.NoFilepatternException; | |||
import org.eclipse.jgit.errors.ConfigInvalidException; | |||
import org.eclipse.jgit.internal.JGitText; | |||
import org.eclipse.jgit.internal.submodule.SubmoduleValidator; | |||
import org.eclipse.jgit.lib.ConfigConstants; | |||
import org.eclipse.jgit.lib.Constants; | |||
import org.eclipse.jgit.lib.NullProgressMonitor; | |||
@@ -157,6 +158,14 @@ public class SubmoduleAddCommand extends | |||
if (uri == null || uri.length() == 0) | |||
throw new IllegalArgumentException(JGitText.get().uriNotConfigured); | |||
try { | |||
SubmoduleValidator.assertValidSubmoduleName(path); | |||
SubmoduleValidator.assertValidSubmodulePath(path); | |||
SubmoduleValidator.assertValidSubmoduleUri(uri); | |||
} catch (SubmoduleValidator.SubmoduleValidationException e) { | |||
throw new IllegalArgumentException(e.getMessage()); | |||
} | |||
try { | |||
if (submoduleExists()) | |||
throw new JGitInternalException(MessageFormat.format( |
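Review bot: The catch block that converts SubmoduleValidationException into IllegalArgumentException keeps only the message and drops the original exception, so the validator frame disappears from any stack trace a caller logs; `throw new IllegalArgumentException(e.getMessage(), e);` preserves the cause at no cost to the message the tests assert on. The first validator call passes `path` to assertValidSubmoduleName, which is correct for this branch but reads like a copy-paste slip without context; a one-line comment such as `// 4.7 has no separate submodule name: the path is also the name` would explain why a "-"-prefixed path is reported as an invalid name. The enclosing call() method starts and ends outside this hunk, so I cannot confirm that a null `path` is rejected before these checks, which would otherwise throw NullPointerException from inside the validator.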
@@ -417,6 +417,7 @@ public class JGitText extends TranslationBundle { | |||
/***/ public String invalidLineInConfigFile; | |||
/***/ public String invalidModeFor; | |||
/***/ public String invalidModeForPath; | |||
/***/ public String invalidNameContainsDotDot; | |||
/***/ public String invalidObject; | |||
/***/ public String invalidOldIdSent; | |||
/***/ public String invalidPacketLineHeader; | |||
@@ -664,8 +665,11 @@ public class JGitText extends TranslationBundle { | |||
/***/ public String storePushCertOneRef; | |||
/***/ public String storePushCertReflog; | |||
/***/ public String submoduleExists; | |||
/***/ public String submodulesNotSupported; | |||
/***/ public String submoduleNameInvalid; | |||
/***/ public String submoduleParentRemoteUrlInvalid; | |||
/***/ public String submodulePathInvalid; | |||
/***/ public String submodulesNotSupported; | |||
/***/ public String submoduleUrlInvalid; | |||
/***/ public String supportOnlyPackIndexVersion2; | |||
/***/ public String symlinkCannotBeWrittenAsTheLinkTarget; | |||
/***/ public String systemConfigFileInvalid; |
@@ -0,0 +1,141 @@ | |||
/* | |||
* Copyright (C) 2018, Google LLC. | |||
* and other copyright owners as documented in the project's IP log. | |||
* | |||
* This program and the accompanying materials are made available | |||
* under the terms of the Eclipse Distribution License v1.0 which | |||
* accompanies this distribution, is reproduced below, and is | |||
* available at http://www.eclipse.org/org/documents/edl-v10.php | |||
* | |||
* All rights reserved. | |||
* | |||
* Redistribution and use in source and binary forms, with or | |||
* without modification, are permitted provided that the following | |||
* conditions are met: | |||
* | |||
* - Redistributions of source code must retain the above copyright | |||
* notice, this list of conditions and the following disclaimer. | |||
* | |||
* - Redistributions in binary form must reproduce the above | |||
* copyright notice, this list of conditions and the following | |||
* disclaimer in the documentation and/or other materials provided | |||
* with the distribution. | |||
* | |||
* - Neither the name of the Eclipse Foundation, Inc. nor the | |||
* names of its contributors may be used to endorse or promote | |||
* products derived from this software without specific prior | |||
* written permission. | |||
* | |||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND | |||
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, | |||
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR | |||
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |||
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF | |||
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |||
*/ | |||
package org.eclipse.jgit.internal.submodule; | |||
import java.text.MessageFormat; | |||
import org.eclipse.jgit.internal.JGitText; | |||
/** | |||
* Validations for the git submodule fields (name, path, uri). | |||
* | |||
* Invalid values in these fields can cause security problems as reported in | |||
* CVE-2018-11235 and and CVE-2018-17456 | |||
*/ | |||
public class SubmoduleValidator { | |||
/** | |||
* Error validating a git submodule declaration | |||
*/ | |||
public static class SubmoduleValidationException extends Exception { | |||
/** | |||
* @param message | |||
* Description of the problem | |||
*/ | |||
public SubmoduleValidationException(String message) { | |||
super(message); | |||
} | |||
private static final long serialVersionUID = 1L; | |||
} | |||
/** | |||
* Validate name for a submodule | |||
* | |||
* @param name | |||
* name of a submodule | |||
* @throws SubmoduleValidationException | |||
* name doesn't seem valid (detail in message) | |||
*/ | |||
public static void assertValidSubmoduleName(String name) | |||
throws SubmoduleValidationException { | |||
if (name.contains("/../") || name.contains("\\..\\") //$NON-NLS-1$ //$NON-NLS-2$ | |||
|| name.startsWith("../") || name.startsWith("..\\") //$NON-NLS-1$ //$NON-NLS-2$ | |||
|| name.endsWith("/..") || name.endsWith("\\..")) { //$NON-NLS-1$ //$NON-NLS-2$ | |||
// Submodule names are used to store the submodule repositories | |||
// under $GIT_DIR/modules. Having ".." in submodule names makes a | |||
// vulnerability (CVE-2018-11235 | |||
// https://bugs.eclipse.org/bugs/show_bug.cgi?id=535027#c0) | |||
// Reject names containing ".." path segments. We don't | |||
// automatically replace these characters or canonicalize by | |||
// regarding the name as a file path. | |||
// Since Path class is platform dependent, we manually check '/' and | |||
// '\\' patterns here. | |||
throw new SubmoduleValidationException(MessageFormat | |||
.format(JGitText.get().invalidNameContainsDotDot, name)); | |||
} | |||
if (name.startsWith("-")) { //$NON-NLS-1$ | |||
throw new SubmoduleValidationException( | |||
MessageFormat.format( | |||
JGitText.get().submoduleNameInvalid, name)); | |||
} | |||
} | |||
/** | |||
* Validate URI for a submodule | |||
* | |||
* @param uri | |||
* uri of a submodule | |||
* @throws SubmoduleValidationException | |||
* uri doesn't seem valid | |||
*/ | |||
public static void assertValidSubmoduleUri(String uri) | |||
throws SubmoduleValidationException { | |||
if (uri.startsWith("-")) { //$NON-NLS-1$ | |||
throw new SubmoduleValidationException( | |||
MessageFormat.format( | |||
JGitText.get().submoduleUrlInvalid, uri)); | |||
} | |||
} | |||
/** | |||
* Validate path for a submodule | |||
* | |||
* @param path | |||
* path of a submodule | |||
* @throws SubmoduleValidationException | |||
* path doesn't look right | |||
*/ | |||
public static void assertValidSubmodulePath(String path) | |||
throws SubmoduleValidationException { | |||
if (path.startsWith("-")) { //$NON-NLS-1$ | |||
throw new SubmoduleValidationException( | |||
MessageFormat.format( | |||
JGitText.get().submodulePathInvalid, path)); | |||
} | |||
} | |||
} |
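Review bot: assertValidSubmoduleName lets the bare name `..` through: it contains no separator, so none of the six contains/startsWith/endsWith checks match, whereas `../x`, `x/..` and `x/../y` are all rejected; extending the condition with `|| name.equals("..") //$NON-NLS-1$` closes that gap in the same style as the existing checks. The same method dereferences `name` without a null check, so a null argument surfaces as NullPointerException rather than SubmoduleValidationException; if callers are expected to pre-check, the Javadoc should say so (`@throws NullPointerException if {@code name} is null`). The class Javadoc also has a doubled word in "CVE-2018-11235 and and CVE-2018-17456", and the comment inside the dot-dot branch would read more clearly if the CVE reference and the Bugzilla link were on one line rather than split across two.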