From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Jonathan Nieder <jrnieder@gmail.com>, git@vger.kernel.org
Subject: Re: [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore
Date: Tue, 27 Oct 2020 15:00:36 -0700 [thread overview]
Message-ID: <xmqqv9ev9vnf.fsf@gitster.c.googlers.com> (raw)
In-Reply-To: <20201027075853.GH3005508@coredump.intra.peff.net> (Jeff King's message of "Tue, 27 Oct 2020 03:58:53 -0400")
Jeff King <peff@peff.net> writes:
> diff --git a/environment.c b/environment.c
> index bb518c61cd..7c233e0e0e 100644
> --- a/environment.c
> +++ b/environment.c
> @@ -73,6 +73,7 @@ int merge_log_config = -1;
> int precomposed_unicode = -1; /* see probe_utf8_pathname_composition() */
> unsigned long pack_size_limit_cfg;
> enum log_refs_config log_all_ref_updates = LOG_REFS_UNSET;
> +int allow_external_symlinks = 1;
OK, so by default it is not blocked...
> +static int symlink_leaves_repo(const char *target, const char *linkpath)
> +{
> + /*
> + * Absolute paths are always considered to leave the repository (even
> + * if they happen to point to the working tree path).
> + */
> + if (is_absolute_path(target))
> + return 1;
Very sensible.
> + /*
> + * Allow relative paths that start with a sequence of "../",
> + * as long as they do not break out of the symlink's root.
> + * This loop will detect break-out cases and return; otherwise, at the
> + * end of the loop "target" will point to the first non-".." component.
> + *
> + * We count the depth of linkpath by eating up directory components left
> + * to right. Technically the symlink would resolve right-to-left, but
> + * we don't care about the actual values, only the number.
> + */
> + while (target[0] == '.') {
> + if (!target[1]) {
> + /* trailing "." -- ignore */
> + target++;
> + } else if (is_dir_sep(target[1])) {
> + /* "./" -- ignore */
> + target += 2;
> + } else if (target[1] == '.' &&
> + (!target[2] || is_dir_sep(target[2]))) {
> + /* ".." or "../" -- drop one from linkpath depth */
> + while (!is_dir_sep(*linkpath)) {
> + /* end-of-string; target exceeded our depth */
> + if (!*linkpath)
> + return 1;
> + linkpath++;
> + }
> + /* skip final "/" */
> + linkpath++;
> +
> + /* skip past ".." */
> + target += 2;
> + /* and "/" if present */
> + if (is_dir_sep(*target))
> + target++;
> + }
> + }
> +
> + /*
> + * Now we have a path in "target" that only go down into the tree.
> + * Disallow any interior "../", like "foo/../bar". These might be
> + * OK, but we cannot know unless we know whether "foo" is itself a
> + * symlink. So err on the side of caution.
> + */
> + while (*target) {
> + const char *v;
> + if (skip_prefix(target, "..", &v) && (!*v || is_dir_sep(*v)))
> + return 1;
> + target++;
> + }
> +
> + return 0;
> +}
> +
> +int safe_symlink(const char *target, const char *linkpath)
> +{
> + if (!allow_external_symlinks &&
> + symlink_leaves_repo(target, linkpath)) {
> + errno = EPERM;
> + return -1;
> + }
> +
> + return symlink(target, linkpath);
> +}
OK. This is only about blocking creation of new symbolic links that
goes outside the working tree. It obviously is a good thing to do.
We have some "symlink safety" in various parts of the system [*1*],
and I wonder if we can somehow consolidate the support to a more
central place.
Thanks.
[Footnote]
*1* For example, apply tries to be careful not to take the "path"
recorded in the incoming patch blindly, and instead checks if
any path component in it is a symbolic link before touching.
Similarly, callers of has_symlink_leading_path() all try to be
careful when the "path" they want to use to access a filesystem
entity has a symbolic link in the middle on the filesystem.
next prev parent reply other threads:[~2020-10-27 22:00 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 7:17 [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jeff King
2020-10-05 7:19 ` [PATCH 1/7] fsck_tree(): fix shadowed variable Jeff King
2020-10-05 7:44 ` Jonathan Nieder
2020-10-05 8:20 ` Jeff King
2020-10-05 8:29 ` Jonathan Nieder
2020-10-05 7:19 ` [PATCH 2/7] fsck_tree(): wrap some long lines Jeff King
2020-10-05 7:46 ` Jonathan Nieder
2020-10-05 7:19 ` [PATCH 3/7] t7415: rename to expand scope Jeff King
2020-10-05 7:50 ` Jonathan Nieder
2020-10-05 8:24 ` Jeff King
2020-10-05 8:34 ` Jonathan Nieder
2020-10-05 8:49 ` Jeff King
2020-10-05 7:20 ` [PATCH 4/7] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05 7:53 ` Jonathan Nieder
2020-10-05 8:30 ` Jeff King
2020-10-05 8:38 ` Jonathan Nieder
2020-10-05 7:21 ` [PATCH 5/7] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05 8:03 ` Jonathan Nieder
2020-10-05 8:40 ` Jeff King
2020-10-05 21:20 ` Johannes Schindelin
2020-10-06 14:01 ` Jeff King
2020-10-05 7:24 ` [PATCH 6/7] verify_path(): disallow symlinks in .gitattributes and .gitignore Jeff King
2020-10-05 8:09 ` Jonathan Nieder
2020-10-05 12:07 ` Jeff King
2020-10-05 7:25 ` [PATCH 7/7] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-05 8:12 ` Jonathan Nieder
2020-10-05 8:53 ` Jeff King
2020-10-05 7:32 ` [PATCH 0/7] forbidding symlinked .gitattributes and .gitignore Jonathan Nieder
2020-10-05 8:58 ` Jeff King
2020-10-05 12:16 ` [PATCH v2 0/8] " Jeff King
2020-10-05 12:16 ` [PATCH v2 1/8] fsck_tree(): fix shadowed variable Jeff King
2020-10-05 12:16 ` [PATCH v2 2/8] fsck_tree(): wrap some long lines Jeff King
2020-10-05 12:16 ` [PATCH v2 3/8] t7415: rename to expand scope Jeff King
2020-10-05 12:16 ` [PATCH v2 4/8] t7450: test verify_path() handling of gitmodules Jeff King
2020-10-05 12:16 ` [PATCH v2 5/8] t7450: test .gitmodules symlink matching against obscured names Jeff King
2020-10-05 12:16 ` [PATCH v2 6/8] t0060: test obscured .gitattributes and .gitignore matching Jeff King
2020-10-05 12:16 ` [PATCH v2 7/8] verify_path(): disallow symlinks in .gitattributes and .gitignore Jeff King
2020-10-27 3:35 ` Jonathan Nieder
2020-10-27 7:58 ` Jeff King
2020-10-27 22:00 ` Junio C Hamano [this message]
2020-10-28 9:41 ` Jeff King
2020-10-27 23:43 ` Jonathan Nieder
2020-10-28 19:18 ` Junio C Hamano
2020-10-05 12:16 ` [PATCH v2 8/8] fsck: complain when .gitattributes or .gitignore is a symlink Jeff King
2020-10-06 20:41 ` [PATCH v2 0/8] forbidding symlinked .gitattributes and .gitignore Junio C Hamano
2020-10-20 23:19 ` Philip Oakley
2020-10-23 8:17 ` [PATCH] documentation symlink restrictions for .git* files Jeff King
2020-10-23 8:27 ` Jeff King
2020-10-26 22:18 ` Philip Oakley
2020-10-26 22:53 ` Jeff King
2020-10-26 23:32 ` Junio C Hamano
2020-10-27 7:26 ` Jeff King
2020-10-27 18:45 ` Junio C Hamano
2020-10-27 21:00 ` Philip Oakley
2020-10-28 19:14 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqv9ev9vnf.fsf@gitster.c.googlers.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.