fsck: detect submodule urls starting with dash
authorJeff King <peff@peff.net>
Mon, 24 Sep 2018 08:37:17 +0000 (04:37 -0400)
committerJunio C Hamano <gitster@pobox.com>
Thu, 27 Sep 2018 18:41:26 +0000 (11:41 -0700)
Urls with leading dashes can cause mischief on older
versions of Git. We should detect them so that they can be
rejected by receive.fsckObjects, preventing modern versions
of git from being a vector by which attacks can spread.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
fsck.c
t/t7416-submodule-dash-url.sh
diff --git a/fsck.c b/fsck.c
index 9339f315131786c50c9fa10dd702fe20562e167e..c47285652723ab9eaec768e14bb78e1891156628 100644 (file)
--- a/fsck.c
+++ b/fsck.c
@@ -64,6 +64,7 @@ static struct oidset gitmodules_done = OIDSET_INIT;
        FUNC(GITMODULES_PARSE, ERROR) \
        FUNC(GITMODULES_NAME, ERROR) \
        FUNC(GITMODULES_SYMLINK, ERROR) \
+       FUNC(GITMODULES_URL, ERROR) \
        /* warnings */ \
        FUNC(BAD_FILEMODE, WARN) \
        FUNC(EMPTY_NAME, WARN) \
@@ -945,6 +946,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
                                    FSCK_MSG_GITMODULES_NAME,
                                    "disallowed submodule name: %s",
                                    name);
+       if (!strcmp(key, "url") && value &&
+           looks_like_command_line_option(value))
+               data->ret |= report(data->options, data->obj,
+                                   FSCK_MSG_GITMODULES_URL,
+                                   "disallowed submodule url: %s",
+                                   value);
        free(name);
 
        return 0;
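Review bot: The new check in `fsck_gitmodules_fn` tests only the `url` key, so a `.gitmodules` file whose other values begin with a dash still passes fsck. If older clients also place `submodule.<name>.path` on a command line (nothing in this hunk shows that, so it needs confirming), the same `looks_like_command_line_option(value)` test should run when `key` is `path`, under its own message id so the two can be configured separately. A short comment above the condition would also record the reason for the rule, e.g. `/* a url starting with "-" may be parsed as an option by older clients */`. The function begins above this hunk, so how `key` and `name` are derived before these lines is not visible here.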
index 459193c9765063f341c0aa17ee567073cd1b59ff..1cd2c1c1ea2d713c0b589df3ae9b34d43e5697a4 100755 (executable)
@@ -20,6 +20,13 @@ test_expect_success 'clone can recurse submodule' '
        test_cmp expect actual
 '
 
+test_expect_success 'fsck accepts protected dash' '
+       test_when_finished "rm -rf dst" &&
+       git init --bare dst &&
+       git -C dst config transfer.fsckObjects true &&
+       git push dst HEAD
+'
+
 test_expect_success 'remove ./ protection from .gitmodules url' '
        perl -i -pe "s{\./}{}" .gitmodules &&
        git commit -am "drop protection"
@@ -31,4 +38,12 @@ test_expect_success 'clone rejects unprotected dash' '
        test_i18ngrep ignoring err
 '
 
+test_expect_success 'fsck rejects unprotected dash' '
+       test_when_finished "rm -rf dst" &&
+       git init --bare dst &&
+       git -C dst config transfer.fsckObjects true &&
+       test_must_fail git push dst HEAD 2>err &&
+       grep gitmodulesUrl err
+'
+
 test_done
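Review bot: Both added tests reach the new check only through `git push` into a bare repository with `transfer.fsckObjects` enabled, so the title 'fsck rejects unprotected dash' is not backed by a direct run of the checker. Adding a step such as `test_must_fail git fsck 2>err &&` followed by `grep gitmodulesUrl err` in the source repository should pin the rule independently of the receive path, assuming a local fsck reports the same message id. The fetch side of `transfer.fsckObjects` is also not exercised by either test, which matters because the commit message is about stopping the objects from spreading.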