Merge branch 'defense-in-depth'

This topic branch adds a couple of measures designed to make it much harder to exploit any bugs in Git's recursive clone machinery that might be found in the future. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
author: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-03-31 00:22:41 +0100
committer: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-19 12:38:29 +0200
commit: 2b3d38a6b12ffc949c98eaacd67e8e383c847529 (patch)
tree: b8c29bc2c4fdf4a1bcf34a1acdde2e429168724c /t
parent: 86cb6a3f059968d031fdf6ed49ab38a7ae00847f (diff)
parent: a33fea0886cfa016d313d2bd66bdd08615bffbc9 (diff)
download: git-2b3d38a6b12ffc949c98eaacd67e8e383c847529.tar.gz
8 files changed, 226 insertions, 2 deletions
diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c
index f69709d674..0e0de21807 100644
--- a/t/helper/test-path-utils.c
+++ b/t/helper/test-path-utils.c
@@ -495,6 +495,16 @@ int cmd__path_utils(int argc, const char **argv)
 		return !!res;
 	}
 
+	if (argc == 4 && !strcmp(argv[1], "do_files_match")) {
+		int ret = do_files_match(argv[2], argv[3]);
+
+		if (ret)
+			printf("equal\n");
+		else
+			printf("different\n");
+		return !ret;
+	}
+
 	fprintf(stderr, "%s: unknown function name: %s\n", argv[0],
 		argv[1] ? argv[1] : "(there was none)");
 	return 1;
diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh
index 68e29c904a..73d0e1a7f1 100755
--- a/t/t0060-path-utils.sh
+++ b/t/t0060-path-utils.sh
@@ -560,4 +560,45 @@ test_expect_success !VALGRIND,RUNTIME_PREFIX,CAN_EXEC_IN_PWD '%(prefix)/ works'
 	test_cmp expect actual
 '
 
+test_expect_success 'do_files_match()' '
+	test_seq 0 10 >0-10.txt &&
+	test_seq -1 10 >-1-10.txt &&
+	test_seq 1 10 >1-10.txt &&
+	test_seq 1 9 >1-9.txt &&
+	test_seq 0 8 >0-8.txt &&
+
+	test-tool path-utils do_files_match 0-10.txt 0-10.txt >out &&
+
+	assert_fails() {
+		test_must_fail \
+		test-tool path-utils do_files_match "$1" "$2" >out &&
+		grep different out
+	} &&
+
+	assert_fails 0-8.txt 1-9.txt &&
+	assert_fails -1-10.txt 0-10.txt &&
+	assert_fails 1-10.txt 1-9.txt &&
+	assert_fails 1-10.txt .git &&
+	assert_fails does-not-exist 1-10.txt &&
+
+	if test_have_prereq FILEMODE
+	then
+		cp 0-10.txt 0-10.x &&
+		chmod a+x 0-10.x &&
+		assert_fails 0-10.txt 0-10.x
+	fi &&
+
+	if test_have_prereq SYMLINKS
+	then
+		ln -sf 0-10.txt symlink &&
+		ln -s 0-10.txt another-symlink &&
+		ln -s over-the-ocean yet-another-symlink &&
+		ln -s "$PWD/0-10.txt" absolute-symlink &&
+		assert_fails 0-10.txt symlink &&
+		test-tool path-utils do_files_match symlink another-symlink &&
+		assert_fails symlink yet-another-symlink &&
+		assert_fails symlink absolute-symlink
+	fi
+'
+
 test_done
diff --git a/t/t1450-fsck.sh b/t/t1450-fsck.sh
index de0f6d5e7f..5669872bc8 100755
--- a/t/t1450-fsck.sh
+++ b/t/t1450-fsck.sh
@@ -1023,4 +1023,41 @@ test_expect_success 'fsck error on gitattributes with excessive size' '
 	test_cmp expected actual
 '
 
+test_expect_success 'fsck warning on symlink target with excessive length' '
+	symlink_target=$(printf "pattern %032769d" 1 | git hash-object -w --stdin) &&
+	test_when_finished "remove_object $symlink_target" &&
+	tree=$(printf "120000 blob %s\t%s\n" $symlink_target symlink | git mktree) &&
+	test_when_finished "remove_object $tree" &&
+	cat >expected <<-EOF &&
+	warning in blob $symlink_target: symlinkTargetLength: symlink target too long
+	EOF
+	git fsck --no-dangling >actual 2>&1 &&
+	test_cmp expected actual
+'
+
+test_expect_success 'fsck warning on symlink target pointing inside git dir' '
+	gitdir=$(printf ".git" | git hash-object -w --stdin) &&
+	ntfs_gitdir=$(printf "GIT~1" | git hash-object -w --stdin) &&
+	hfs_gitdir=$(printf ".${u200c}git" | git hash-object -w --stdin) &&
+	inside_gitdir=$(printf "nested/.git/config" | git hash-object -w --stdin) &&
+	benign_target=$(printf "legit/config" | git hash-object -w --stdin) &&
+	tree=$(printf "120000 blob %s\t%s\n" \
+		$benign_target benign_target \
+		$gitdir gitdir \
+		$hfs_gitdir hfs_gitdir \
+		$inside_gitdir inside_gitdir \
+		$ntfs_gitdir ntfs_gitdir |
+		git mktree) &&
+	for o in $gitdir $ntfs_gitdir $hfs_gitdir $inside_gitdir $benign_target $tree
+	do
+		test_when_finished "remove_object $o" || return 1
+	done &&
+	printf "warning in blob %s: symlinkPointsToGitDir: symlink target points to git dir\n" \
+		$gitdir $hfs_gitdir $inside_gitdir $ntfs_gitdir |
+	sort >expected &&
+	git fsck --no-dangling >actual 2>&1 &&
+	sort actual >actual.sorted &&
+	test_cmp expected actual.sorted
+'
+
 test_done
diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh
index 2ef3579fa7..7ee12e6f48 100755
--- a/t/t1800-hook.sh
+++ b/t/t1800-hook.sh
@@ -177,4 +177,19 @@ test_expect_success 'git hook run a hook with a bad shebang' '
 	test_cmp expect actual
 '
 
+test_expect_success 'clone protections' '
+	test_config core.hooksPath "$(pwd)/my-hooks" &&
+	mkdir -p my-hooks &&
+	write_script my-hooks/test-hook <<-\EOF &&
+	echo Hook ran $1
+	EOF
+
+	git hook run test-hook 2>err &&
+	grep "Hook ran" err &&
+	test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
+		git hook run test-hook 2>err &&
+	grep "active .core.hooksPath" err &&
+	! grep "Hook ran" err
+'
+
 test_done
diff --git a/t/t5510-fetch.sh b/t/t5510-fetch.sh
index c0b745e33b..211afe13e9 100755
--- a/t/t5510-fetch.sh
+++ b/t/t5510-fetch.sh
@@ -1240,6 +1240,30 @@ EOF
 	test_cmp fatal-expect fatal-actual
 '
 
+test_expect_success SYMLINKS 'clone does not get confused by a D/F conflict' '
+	git init df-conflict &&
+	(
+		cd df-conflict &&
+		ln -s .git a &&
+		git add a &&
+		test_tick &&
+		git commit -m symlink &&
+		test_commit a- &&
+		rm a &&
+		mkdir -p a/hooks &&
+		write_script a/hooks/post-checkout <<-EOF &&
+		echo WHOOPSIE >&2
+		echo whoopsie >"$TRASH_DIRECTORY"/whoops
+		EOF
+		git add a/hooks/post-checkout &&
+		test_tick &&
+		git commit -m post-checkout
+	) &&
+	git clone df-conflict clone 2>err &&
+	! grep WHOOPS err &&
+	test_path_is_missing whoops
+'
+
 . "$TEST_DIRECTORY"/lib-httpd.sh
 start_httpd
 
diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh
index b2524a24c2..20deca0231 100755
--- a/t/t5601-clone.sh
+++ b/t/t5601-clone.sh
@@ -633,6 +633,21 @@ test_expect_success CASE_INSENSITIVE_FS 'colliding file detection' '
 	test_i18ngrep "the following paths have collided" icasefs/warning
 '
 
+test_expect_success CASE_INSENSITIVE_FS,SYMLINKS \
+		'colliding symlink/directory keeps directory' '
+	git init icasefs-colliding-symlink &&
+	(
+		cd icasefs-colliding-symlink &&
+		a=$(printf a | git hash-object -w --stdin) &&
+		printf "100644 %s 0\tA/dir/b\n120000 %s 0\ta\n" $a $a >idx &&
+		git update-index --index-info <idx &&
+		test_tick &&
+		git commit -m initial
+	) &&
+	git clone icasefs-colliding-symlink icasefs-colliding-symlink-clone &&
+	test_file_not_empty icasefs-colliding-symlink-clone/A/dir/b
+'
+
 test_expect_success 'clone with GIT_DEFAULT_HASH' '
 	(
 		sane_unset GIT_DEFAULT_HASH &&
@@ -756,6 +771,57 @@ test_expect_success 'batch missing blob request does not inadvertently try to fe
 	git clone --filter=blob:limit=0 "file://$(pwd)/server" client
 '
 
+test_expect_success 'clone with init.templatedir runs hooks' '
+	git init tmpl/hooks &&
+	write_script tmpl/hooks/post-checkout <<-EOF &&
+	echo HOOK-RUN >&2
+	echo I was here >hook.run
+	EOF
+	git -C tmpl/hooks add . &&
+	test_tick &&
+	git -C tmpl/hooks commit -m post-checkout &&
+
+	test_when_finished "git config --global --unset init.templateDir || :" &&
+	test_when_finished "git config --unset init.templateDir || :" &&
+	(
+		sane_unset GIT_TEMPLATE_DIR &&
+		NO_SET_GIT_TEMPLATE_DIR=t &&
+		export NO_SET_GIT_TEMPLATE_DIR &&
+
+		git -c core.hooksPath="$(pwd)/tmpl/hooks" \
+			clone tmpl/hooks hook-run-hookspath 2>err &&
+		! grep "active .* hook found" err &&
+		test_path_is_file hook-run-hookspath/hook.run &&
+
+		git -c init.templateDir="$(pwd)/tmpl" \
+			clone tmpl/hooks hook-run-config 2>err &&
+		! grep "active .* hook found" err &&
+		test_path_is_file hook-run-config/hook.run &&
+
+		git clone --template=tmpl tmpl/hooks hook-run-option 2>err &&
+		! grep "active .* hook found" err &&
+		test_path_is_file hook-run-option/hook.run &&
+
+		git config --global init.templateDir "$(pwd)/tmpl" &&
+		git clone tmpl/hooks hook-run-global-config 2>err &&
+		git config --global --unset init.templateDir &&
+		! grep "active .* hook found" err &&
+		test_path_is_file hook-run-global-config/hook.run &&
+
+		# clone ignores local `init.templateDir`; need to create
+		# a new repository because we deleted `.git/` in the
+		# `setup` test case above
+		git init local-clone &&
+		cd local-clone &&
+
+		git config init.templateDir "$(pwd)/../tmpl" &&
+		git clone ../tmpl/hooks hook-run-local-config 2>err &&
+		git config --unset init.templateDir &&
+		! grep "active .* hook found" err &&
+		test_path_is_missing hook-run-local-config/hook.run
+	)
+'
+
 . "$TEST_DIRECTORY"/lib-httpd.sh
 start_httpd
 
diff --git a/t/t7400-submodule-basic.sh b/t/t7400-submodule-basic.sh
index eae6a46ef3..3e8cf9b885 100755
--- a/t/t7400-submodule-basic.sh
+++ b/t/t7400-submodule-basic.sh
@@ -1436,4 +1436,35 @@ test_expect_success 'recursive clone respects -q' '
 	test_must_be_empty actual
 '
 
+test_expect_success '`submodule init` and `init.templateDir`' '
+	mkdir -p tmpl/hooks &&
+	write_script tmpl/hooks/post-checkout <<-EOF &&
+	echo HOOK-RUN >&2
+	echo I was here >hook.run
+	exit 1
+	EOF
+
+	test_config init.templateDir "$(pwd)/tmpl" &&
+	test_when_finished \
+		"git config --global --unset init.templateDir || true" &&
+	(
+		sane_unset GIT_TEMPLATE_DIR &&
+		NO_SET_GIT_TEMPLATE_DIR=t &&
+		export NO_SET_GIT_TEMPLATE_DIR &&
+
+		git config --global init.templateDir "$(pwd)/tmpl" &&
+		test_must_fail git submodule \
+			add "$submodurl" sub-global 2>err &&
+		git config --global --unset init.templateDir &&
+		grep HOOK-RUN err &&
+		test_path_is_file sub-global/hook.run &&
+
+		git config init.templateDir "$(pwd)/tmpl" &&
+		git submodule add "$submodurl" sub-local 2>err &&
+		git config --unset init.templateDir &&
+		! grep HOOK-RUN err &&
+		test_path_is_missing sub-local/hook.run
+	)
+'
+
 test_done
diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
index 63c24f7f7c..dae87090e0 100755
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@ -1222,8 +1222,8 @@ test_expect_success CASE_INSENSITIVE_FS,SYMLINKS \
 	) &&
 
 	test_path_is_missing "$tell_tale_path" &&
-	test_must_fail git clone --recursive captain hooked 2>err &&
-	grep "directory not empty" err &&
+	git clone --recursive captain hooked 2>err &&
+	! grep HOOK-RUN err &&
 	test_path_is_missing "$tell_tale_path"
 '
author	Johannes Schindelin <johannes.schindelin@gmx.de>	2024-03-31 00:22:41 +0100
committer	Johannes Schindelin <johannes.schindelin@gmx.de>	2024-04-19 12:38:29 +0200
commit	2b3d38a6b12ffc949c98eaacd67e8e383c847529 (patch)
tree	b8c29bc2c4fdf4a1bcf34a1acdde2e429168724c /t
parent	86cb6a3f059968d031fdf6ed49ab38a7ae00847f (diff)
parent	a33fea0886cfa016d313d2bd66bdd08615bffbc9 (diff)
download	git-2b3d38a6b12ffc949c98eaacd67e8e383c847529.tar.gz