Merge branch 'rs/apply-avoid-over-reading' into maint
[gitweb.git] / t / t5550-http-fetch-dumb.sh
index 7641417b4a3848fa9d065572e5a8248fea5c7574..8552184e741fe2465e746a3ac42d19edddb15576 100755 (executable)
@@ -20,8 +20,9 @@ test_expect_success 'create http-accessible bare repository with loose objects'
        (cd "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
         git config core.bare true &&
         mkdir -p hooks &&
-        echo "exec git update-server-info" >hooks/post-update &&
-        chmod +x hooks/post-update &&
+        write_script "hooks/post-update" <<-\EOF &&
+        exec git update-server-info
+       EOF
         hooks/post-update
        ) &&
        git remote add public "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
@@ -34,6 +35,15 @@ test_expect_success 'clone http repository' '
        test_cmp file clone/file
 '
 
+test_expect_success 'list refs from outside any repository' '
+       cat >expect <<-EOF &&
+       $(git rev-parse master) HEAD
+       $(git rev-parse master) refs/heads/master
+       EOF
+       nongit git ls-remote "$HTTPD_URL/dumb/repo.git" >actual &&
+       test_cmp expect actual
+'
+
 test_expect_success 'create password-protected repository' '
        mkdir -p "$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/" &&
        cp -Rf "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" \
@@ -307,5 +317,85 @@ test_expect_success 'remote-http complains cleanly about malformed urls' '
        test_must_fail git remote-http http::/example.com/repo.git
 '
 
+test_expect_success 'redirects can be forbidden/allowed' '
+       test_must_fail git -c http.followRedirects=false \
+               clone $HTTPD_URL/dumb-redir/repo.git dumb-redir &&
+       git -c http.followRedirects=true \
+               clone $HTTPD_URL/dumb-redir/repo.git dumb-redir 2>stderr
+'
+
+test_expect_success 'redirects are reported to stderr' '
+       # just look for a snippet of the redirected-to URL
+       test_i18ngrep /dumb/ stderr
+'
+
+test_expect_success 'non-initial redirects can be forbidden' '
+       test_must_fail git -c http.followRedirects=initial \
+               clone $HTTPD_URL/redir-objects/repo.git redir-objects &&
+       git -c http.followRedirects=true \
+               clone $HTTPD_URL/redir-objects/repo.git redir-objects
+'
+
+test_expect_success 'http.followRedirects defaults to "initial"' '
+       test_must_fail git clone $HTTPD_URL/redir-objects/repo.git default
+'
+
+# The goal is for a clone of the "evil" repository, which has no objects
+# itself, to cause the client to fetch objects from the "victim" repository.
+test_expect_success 'set up evil alternates scheme' '
+       victim=$HTTPD_DOCUMENT_ROOT_PATH/victim.git &&
+       git init --bare "$victim" &&
+       git -C "$victim" --work-tree=. commit --allow-empty -m secret &&
+       git -C "$victim" repack -ad &&
+       git -C "$victim" update-server-info &&
+       sha1=$(git -C "$victim" rev-parse HEAD) &&
+
+       evil=$HTTPD_DOCUMENT_ROOT_PATH/evil.git &&
+       git init --bare "$evil" &&
+       # do this by hand to avoid object existence check
+       printf "%s\\t%s\\n" $sha1 refs/heads/master >"$evil/info/refs"
+'
+
+# Here we'll just redirect via HTTP. In a real-world attack these would be on
+# different servers, but we should reject it either way.
+test_expect_success 'http-alternates is a non-initial redirect' '
+       echo "$HTTPD_URL/dumb/victim.git/objects" \
+               >"$evil/objects/info/http-alternates" &&
+       test_must_fail git -c http.followRedirects=initial \
+               clone $HTTPD_URL/dumb/evil.git evil-initial &&
+       git -c http.followRedirects=true \
+               clone $HTTPD_URL/dumb/evil.git evil-initial
+'
+
+# Curl supports a lot of protocols that we'd prefer not to allow
+# http-alternates to use, but it's hard to test whether curl has
+# accessed, say, the SMTP protocol, because we are not running an SMTP server.
+# But we can check that it does not allow access to file://, which would
+# otherwise allow this clone to complete.
+test_expect_success 'http-alternates cannot point at funny protocols' '
+       echo "file://$victim/objects" >"$evil/objects/info/http-alternates" &&
+       test_must_fail git -c http.followRedirects=true \
+               clone "$HTTPD_URL/dumb/evil.git" evil-file
+'
+
+test_expect_success 'http-alternates triggers not-from-user protocol check' '
+       echo "$HTTPD_URL/dumb/victim.git/objects" \
+               >"$evil/objects/info/http-alternates" &&
+       test_config_global http.followRedirects true &&
+       test_must_fail git -c protocol.http.allow=user \
+               clone $HTTPD_URL/dumb/evil.git evil-user &&
+       git -c protocol.http.allow=always \
+               clone $HTTPD_URL/dumb/evil.git evil-user
+'
+
+test_expect_success 'can redirect through non-"info/refs?service=git-upload-pack" URL' '
+       git clone "$HTTPD_URL/redir-to/dumb/repo.git"
+'
+
+test_expect_success 'print HTTP error when any intermediate redirect throws error' '
+       test_must_fail git clone "$HTTPD_URL/redir-to/502" 2> stderr &&
+       test_i18ngrep "unable to access.*/redir-to/502" stderr
+'
+
 stop_httpd
 test_done