]>
Commit | Line | Data |
---|---|---|
58325b93 TB |
1 | #!/bin/sh |
2 | ||
3 | test_description='test local clone with ambiguous transport' | |
4 | ||
5 | . ./test-lib.sh | |
6 | . "$TEST_DIRECTORY/lib-httpd.sh" | |
7 | ||
8 | if ! test_have_prereq SYMLINKS | |
9 | then | |
10 | skip_all='skipping test, symlink support unavailable' | |
11 | test_done | |
12 | fi | |
13 | ||
14 | start_httpd | |
15 | ||
16 | REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git" | |
17 | URI="$HTTPD_URL/dumb/sub.git" | |
18 | ||
19 | test_expect_success 'setup' ' | |
20 | mkdir -p sensitive && | |
21 | echo "secret" >sensitive/secret && | |
22 | ||
23 | git init --bare "$REPO" && | |
24 | test_commit_bulk -C "$REPO" --ref=main 1 && | |
25 | ||
26 | git -C "$REPO" update-ref HEAD main && | |
27 | git -C "$REPO" update-server-info && | |
28 | ||
29 | git init malicious && | |
30 | ( | |
31 | cd malicious && | |
32 | ||
33 | git submodule add "$URI" && | |
34 | ||
35 | mkdir -p repo/refs && | |
36 | touch repo/refs/.gitkeep && | |
37 | printf "ref: refs/heads/a" >repo/HEAD && | |
38 | ln -s "$(cd .. && pwd)/sensitive" repo/objects && | |
39 | ||
40 | mkdir -p "$HTTPD_URL/dumb" && | |
41 | ln -s "../../../.git/modules/sub/../../../repo/" "$URI" && | |
42 | ||
43 | git add . && | |
44 | git commit -m "initial commit" | |
45 | ) && | |
46 | ||
47 | # Delete all of the references in our malicious submodule to | |
48 | # avoid the client attempting to checkout any objects (which | |
49 | # will be missing, and thus will cause the clone to fail before | |
50 | # we can trigger the exploit). | |
51 | git -C "$REPO" for-each-ref --format="delete %(refname)" >in && | |
52 | git -C "$REPO" update-ref --stdin <in && | |
53 | git -C "$REPO" update-server-info | |
54 | ' | |
55 | ||
cf8f6ce0 | 56 | test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' ' |
58325b93 | 57 | git clone malicious clone && |
cf8f6ce0 TB |
58 | test_must_fail git -C clone submodule update --init 2>err && |
59 | ||
60 | test_path_is_missing clone/.git/modules/sub/objects/secret && | |
61 | # We would actually expect "transport .file. not allowed" here, | |
62 | # but due to quirks of the URL detection in Git, we mis-parse | |
63 | # the absolute path as a bogus URL and die before that step. | |
64 | # | |
65 | # This works for now, and if we ever fix the URL detection, it | |
66 | # is OK to change this to detect the transport error. | |
67 | grep "protocol .* is not supported" err | |
58325b93 TB |
68 | ' |
69 | ||
70 | test_done |