git.vger.kernel.org archive mirror
From: Blake Burkhart <bburky@bburky.com>
To: git <git@vger.kernel.org>, Jeff King <peff@peff.net>
Subject: Limited local file inclusion with .mailmap symlinks and git-archive
Date: Sat, 13 Feb 2021 11:49:32 -0600
Message-ID: <CAP3OtXj15f9XV=Rzz2oBXQ1TQH3WWKJGBbeaWrmp6Ha4ZTn9nA@mail.gmail.com>

Git's mailmap implementation first tries using the blob from the
repository, but also supports using a local (possibly uncommitted)
.mailmap file. When reading from the local file, git will follow
symlinks. If a symlink is committed to a repository named .mailmap,
git will parse the file on the other side of the symlink if the
repository is cloned locally.

Git log supports a %aN placeholder which prints the result of the
mailmap; if it is possible for this value to be sent to an attacker,
this could become a local file inclusion concern. With git-archive it
is possible to use $Format:%aN$ to include this value in an exported
archive.

Running git on bare repos or using git archive --remote=... is
unaffected because a local file is never used, only the in-repo blob.

Git's mailmap parser is very forgiving: it reads in each line, skips
lines starting with #, then considers whatever it finds between < and
> as the email address. It is even possible to use binary files as a
.mailmap. As a demonstration I used a symlink to /proc/self/exe (which
itself is a symlink to /usr/bin/git). The string [--exec-path[= was
extracted from the binary as the author name.

git init mailmap
cd mailmap
ln -s /proc/self/exe .mailmap
echo "test export-subst" > .gitattributes
echo '$Format:%aN$' > test
git add .mailmap .gitattributes test
git commit -m "test" --author="foo <path>"
cd ..

# Pretend you're cloning from the internet...
git clone mailmap mailmap-clone
cd mailmap-clone
git archive --format=tar HEAD
# Output contains [--exec-path[=

These are unaffected:

cd ..
git --git-dir=mailmap/.git archive --format=tar HEAD
git archive --remote=git://localhost/ --format=tar HEAD

I reported this issue to the private security list first and discussed
this issue with Peff. This is similar to existing concerns with
.gitmodules, .gitattributes and .gitignore. Git already disallows
checking out a .gitmodules file from a repository, and I understand
there are in progress patches to add similar protection for
.gitattributes and .gitignore. Please ensure the .mailmap file gets
similar symlink protection.

Exploitability is limited because the targeted file must contain a
string formatted like <foo> known to the attacker, or attacker
controlled. Also, most automated build systems that check out code are
sandboxed and prepared to run arbitrary code already (it is
technically possible to read potentially sensitive variables from
/proc/self/environ with this, but this is very limited because it
contains null bytes).

--
Blake Burkhart
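
The two mechanisms the report above leans on, as an added example that is
not code from the report or from git: a forgiving mailmap line parser
modelled on the description in the message (per line, skip # lines, take
the text between the first < and > as the email), fed a constructed byte
string standing in for a binary with a usage string in it, and beside it a
read of the in-tree file that uses O_NOFOLLOW, the approach named in the
patch series listed in the thread overview, so that a symlinked .mailmap
is ignored. The byte string, the file names and the rule of truncating
each line at its first NUL byte are assumptions made for this example; it
needs a POSIX os module (O_NOFOLLOW).

```python
"""Toy model of the .mailmap issue: a permissive line parser fed through a
symlink, beside a hardened open() that refuses to follow symlinks.
Added example, not git's code."""
import errno
import os
import tempfile

# Constructed stand-in for a binary containing a usage string with "<path>"
# in it, similar to the one the report extracted "[--exec-path[=" from.
# The NUL bytes stand in for surrounding machine code and other strings.
CONSTRUCTED_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00garbage\x00"
    b"git [--version] [--help] [-C <path>] [-c <name>=<value>]\n"
    b"           [--exec-path[=<path>]] [--html-path] [--man-path]\x00"
    b"\x00more garbage\n"
    b"# a comment line is skipped\n"
)


def parse_mailmap_bytes(data):
    """Forgiving parser modelled on the report's description: per line,
    skip blanks and '#' lines, take the text between the first '<' and the
    following '>' as an email and the text before '<' as the name. An
    optional second <email> on the line is the commit email being mapped
    (mailmap's two-address form). Each line is truncated at its first NUL,
    as C string functions would do (an assumption, not from the report).
    Returns {commit_email: canonical_name}."""
    mapping = {}
    for raw in data.split(b"\n"):
        line = raw.split(b"\x00", 1)[0]
        if not line.strip() or line.lstrip().startswith(b"#"):
            continue
        lt = line.find(b"<")
        gt = line.find(b">", lt + 1)
        if lt < 0 or gt < 0:
            continue
        name = line[:lt].strip()
        email = line[lt + 1:gt]
        rest = line[gt + 1:]
        lt2 = rest.find(b"<")
        gt2 = rest.find(b">", lt2 + 1)
        key = rest[lt2 + 1:gt2] if lt2 >= 0 and gt2 >= 0 else email
        mapping[key.decode("latin-1")] = name.decode("latin-1")
    return mapping


def map_author_name(name, email, mapping):
    """%aN-style lookup: canonical name if the commit email is mapped,
    otherwise the name as committed."""
    return mapping.get(email, name)


def read_following_symlinks(path):
    """The pre-fix behaviour: a plain open follows a symlinked .mailmap."""
    with open(path, "rb") as fh:
        return fh.read()


def read_in_tree_file_nofollow(path):
    """Hardened variant: open the worktree file without following a
    final-component symlink. Returns None when the path is a symlink
    (ELOOP on Linux/macOS, EMLINK on FreeBSD) or does not exist."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOENT):
            return None
        raise
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo():
    """Lay out a worktree whose .mailmap is a symlink to a binary, then
    resolve the author 'foo <path>' from the report both ways."""
    with tempfile.TemporaryDirectory() as wt:
        target = os.path.join(wt, "target.bin")
        with open(target, "wb") as fh:
            fh.write(CONSTRUCTED_BINARY)
        link = os.path.join(wt, ".mailmap")
        os.symlink(target, link)

        leaked = parse_mailmap_bytes(read_following_symlinks(link))
        safe_data = read_in_tree_file_nofollow(link)
        safe = parse_mailmap_bytes(safe_data) if safe_data is not None else {}
        return {
            "following": map_author_name("foo", "path", leaked),
            "nofollow": map_author_name("foo", "path", safe),
            "nofollow_rejected": safe_data is None,
        }


if __name__ == "__main__":
    print(demo())
```

With the symlink followed, the author name for the commit email "path"
comes out of the target file; with O_NOFOLLOW the open fails, the
mailmap is treated as absent and the committed name is used unchanged.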


Thread overview: 25+ messages
2021-02-13 17:49 Blake Burkhart [this message]
2021-02-15 23:17 ` Limited local file inclusion with .mailmap symlinks and git-archive Jeff King
2021-02-15 23:18   ` [PATCH 1/2] fsck: make symlinked .gitignore and .gitattributes a warning Jeff King
2021-02-16  0:38     ` Ævar Arnfjörð Bjarmason
2021-02-16  1:16       ` Jeff King
2021-02-16  1:56         ` Junio C Hamano
2021-02-16 12:54           ` Jeff King
2021-02-16 12:48         ` Jeff King
2021-02-16 14:43           ` [PATCH 0/6] open in-tree files with O_NOFOLLOW Jeff King
2021-02-16 14:44             ` [PATCH 1/6] add open_nofollow() helper Jeff King
2021-02-16 14:54               ` Jeff King
2021-02-16 15:44                 ` Taylor Blau
2021-02-16 16:02                   ` Jeff King
2021-02-16 16:07                     ` Taylor Blau
2021-02-16 16:11                       ` Taylor Blau
2021-02-16 16:19                         ` Jeff King
2021-02-16 14:44             ` [PATCH 2/6] attr: convert "macro_ok" into a flags field Jeff King
2021-02-16 14:44             ` [PATCH 3/6] exclude: add flags parameter to add_patterns() Jeff King
2021-02-16 14:44             ` [PATCH 4/6] attr: do not respect symlinks for in-tree .gitattributes Jeff King
2021-02-16 14:44             ` [PATCH 5/6] exclude: do not respect symlinks for in-tree .gitignore Jeff King
2021-02-16 14:44             ` [PATCH 6/6] mailmap: do not respect symlinks for in-tree .mailmap Jeff King
2021-02-16 14:57               ` Jeff King
2021-02-25 19:25             ` [PATCH 0/6] open in-tree files with O_NOFOLLOW Junio C Hamano
2021-02-26  6:35               ` Jeff King
2021-02-15 23:19   ` [PATCH 2/2] disallow symlinked .mailmap files Jeff King
