fast-import: disallow "feature import-marks" by default
authorJeff King <peff@peff.net>
Thu, 29 Aug 2019 19:08:42 +0000 (15:08 -0400)
committerJohannes Schindelin <johannes.schindelin@gmx.de>
Wed, 4 Dec 2019 12:20:04 +0000 (13:20 +0100)
As with export-marks in the previous commit, import-marks can access the
filesystem. This is significantly less dangerous than export-marks
because it only involves reading from arbitrary paths, rather than
writing them. However, it could still be surprising and have security
implications (e.g., exfiltrating data from a service that accepts
fast-import streams).

Let's lump it (and its "if-exists" counterpart) in with export-marks,
and enable the in-stream version only if --allow-unsafe-features is set.

Signed-off-by: Jeff King <peff@peff.net>
Documentation/git-fast-import.txt
fast-import.c
t/t9300-fast-import.sh

index fbb3f914f2408dee2fb92aa62228e387af697ee4..ff71fc29626dfc83bf7145520b58dbd30ad4967a 100644 (file)
@@ -57,7 +57,8 @@ OPTIONS
        allowing fast-import to access the filesystem outside of the
        repository). These options are disabled by default, but can be
        allowed by providing this option on the command line.  This
-       currently impacts only the `feature export-marks` command.
+       currently impacts only the `export-marks`, `import-marks`, and
+       `import-marks-if-exists` feature commands.
 +
        Only enable this option if you trust the program generating the
        fast-import stream! This option is enabled automatically for
index 967077ad0bf9273f35ae3fc639c1924a5071c023..93c3838254931901109d6722feb844bf98e3b7b2 100644 (file)
@@ -3344,8 +3344,10 @@ static int parse_one_feature(const char *feature, int from_stream)
        if (skip_prefix(feature, "date-format=", &arg)) {
                option_date_format(arg);
        } else if (skip_prefix(feature, "import-marks=", &arg)) {
+               check_unsafe_feature("import-marks", from_stream);
                option_import_marks(arg, from_stream, 0);
        } else if (skip_prefix(feature, "import-marks-if-exists=", &arg)) {
+               check_unsafe_feature("import-marks-if-exists", from_stream);
                option_import_marks(arg, from_stream, 1);
        } else if (skip_prefix(feature, "export-marks=", &arg)) {
                check_unsafe_feature(feature, from_stream);
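Review bot: The two added calls pass a bare feature name (`"import-marks"`, `"import-marks-if-exists"`), while the existing `export-marks` branch right below passes the whole `feature` string, so the three gated features are reported to `check_unsafe_feature` in two different forms. The helper's body is not in this hunk, but if that argument ends up in the error text, one form would echo the stream-supplied path and the other would not; using the same form for all three keeps the diagnostics uniform. The ordering is correct, because the check runs before `option_import_marks` receives `arg`. A short comment would protect that ordering from later reshuffling, for example `/* must precede option_import_marks(): arg is a path taken from the stream */`. `parse_one_feature` starts and continues outside the hunk.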
index ba5a35c32c4c4a8849ed4999df5d759534704a7b..77104f9daac9837b712699ef49357e52f0e7c910 100755 (executable)
@@ -2106,6 +2106,14 @@ test_expect_success 'R: abort on receiving feature after data command' '
        test_must_fail git fast-import <input
 '
 
+test_expect_success 'R: import-marks features forbidden by default' '
+       >git.marks &&
+       echo "feature import-marks=git.marks" >input &&
+       test_must_fail git fast-import <input &&
+       echo "feature import-marks-if-exists=git.marks" >input &&
+       test_must_fail git fast-import <input
+'
+
 test_expect_success 'R: only one import-marks feature allowed per stream' '
        >git.marks &&
        >git2.marks &&
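Review bot: Both `test_must_fail` calls in the new 'R: import-marks features forbidden by default' test only show that fast-import exits non-zero, so the test would still pass if the stream were rejected for an unrelated reason while the gate itself was broken. A positive control on the same input would tie the failure to the missing flag: run `git fast-import --allow-unsafe-features <input` after each `test_must_fail`, keeping the `&&` chain intact, and expect it to succeed. The commit message says only the in-stream version is gated, so one more case showing that the command-line form `--import-marks=git.marks` still works without the flag would cover the other half of the contract.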
@@ -2114,7 +2122,7 @@ test_expect_success 'R: only one import-marks feature allowed per stream' '
        feature import-marks=git2.marks
        EOF
 
-       test_must_fail git fast-import <input
+       test_must_fail git fast-import --allow-unsafe-features <input
 '
 
 test_expect_success 'R: export-marks feature forbidden by default' '
@@ -2210,7 +2218,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        rm -f io.marks &&
        >expect &&
 
-       git fast-import --export-marks=io.marks <<-\EOF &&
+       git fast-import --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=not_io.marks
        EOF
        test_cmp expect io.marks &&
@@ -2221,7 +2230,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        echo ":1 $blob" >expect &&
        echo ":2 $blob" >>expect &&
 
-       git fast-import --export-marks=io.marks <<-\EOF &&
+       git fast-import --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=io.marks
        blob
        mark :2
@@ -2234,7 +2244,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        echo ":3 $blob" >>expect &&
 
        git fast-import --import-marks=io.marks \
-                       --export-marks=io.marks <<-\EOF &&
+                       --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=not_io.marks
        blob
        mark :3
@@ -2247,7 +2258,8 @@ test_expect_success 'R: feature import-marks-if-exists' '
        >expect &&
 
        git fast-import --import-marks-if-exists=not_io.marks \
-                       --export-marks=io.marks <<-\EOF &&
+                       --export-marks=io.marks \
+                       --allow-unsafe-features <<-\EOF &&
        feature import-marks-if-exists=io.marks
        EOF
        test_cmp expect io.marks