The most critical vulnerabilities in Git lead to a Remote Code Execution
("RCE"), i.e. the ability for an attacker to have malicious code being
run as part of a Git operation that is not expected to run said code,
such as hooks delivered as part of a `git clone`.

A couple of parent commits ago, a bug was fixed that let Git be confused
by the presence of a path `a-` to mistakenly assume that a directory
`a/` can safely be created without removing an existing `a` that is a
symbolic link.

This bug did not represent an exploitable vulnerability on its
own; let's make sure it stays that way.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
test_cmp fatal-expect fatal-actual
'
+test_expect_success SYMLINKS 'clone does not get confused by a D/F conflict' '
+ git init df-conflict &&
+ (
+ cd df-conflict &&
+ ln -s .git a &&
+ git add a &&
+ test_tick &&
+ git commit -m symlink &&
+ test_commit a- &&
+ rm a &&
+ mkdir -p a/hooks &&
+ write_script a/hooks/post-checkout <<-EOF &&
+ echo WHOOPSIE >&2
+ echo whoopsie >"$TRASH_DIRECTORY"/whoops
+ EOF
+ git add a/hooks/post-checkout &&
+ test_tick &&
+ git commit -m post-checkout
+ ) &&
+ git clone df-conflict clone 2>err &&
+ ! grep WHOOPS err &&
+ test_path_is_missing whoops
+'
+
. "$TEST_DIRECTORY"/lib-httpd.sh
start_httpd
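
Review bot: the closing assertions of the new test (`! grep WHOOPS err` and `test_path_is_missing whoops`) only detect that the hook was executed, not where the checkout wrote it. If a regression let the checkout follow the `a` symlink into `.git` but the hook did not run for an unrelated reason, the test would still pass. Consider also asserting on the file's location, for example `test_path_is_missing clone/.git/hooks/post-checkout` and `test_path_is_file clone/a/hooks/post-checkout`. A smaller point on the here-doc: the `<<-EOF` delimiter is unquoted, so `$TRASH_DIRECTORY` is expanded when the script is written rather than when the hook runs; a short comment that this is intentional would help the next reader.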