diff options
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-03-26 14:37:25 +0100 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-04-17 22:30:04 +0200 |
| commit | e8d0608944486019ea0e1ed2ed29776811a565c2 (patch) | |
| tree | 9dec3da0e9dbd56955d0a65f07016779986c88a3 /submodule.h | |
| parent | eafffd9ad417bdf0a3c63e5276d5a18f563cd291 (diff) | |
| download | git-e8d0608944486019ea0e1ed2ed29776811a565c2.tar.gz | |
submodule: require the submodule path to contain directories only
Submodules are stored in subdirectories of their superproject. When
these subdirectories have been replaced with symlinks by a malicious
actor, all kinds of mayhem can be caused.
This _should_ not be possible, but many CVEs in the past showed that
_when_ possible, it allows attackers to slip in code that gets executed
during, say, a `git clone --recursive` operation.
Let's add some defense-in-depth to disallow submodule paths to have
anything except directories in them.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 'submodule.h')
| -rw-r--r-- | submodule.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/submodule.h b/submodule.h index b52a4ff1e7..fb770f1687 100644 --- a/submodule.h +++ b/submodule.h @@ -148,6 +148,11 @@ void submodule_name_to_gitdir(struct strbuf *buf, struct repository *r, */ int validate_submodule_git_dir(char *git_dir, const char *submodule_name); +/* + * Make sure that the given submodule path does not follow symlinks. + */ +int validate_submodule_path(const char *path); + #define SUBMODULE_MOVE_HEAD_DRY_RUN (1<<0) #define SUBMODULE_MOVE_HEAD_FORCE (1<<1) int submodule_move_head(const char *path, |