fsck: reject submodule.update = !command in .gitmodules

This allows hosting providers to detect whether they are being used
to attack users using malicious 'update = !command' settings in
.gitmodules.

Since ac1fbbda2013 (submodule: do not copy unknown update mode from
.gitmodules, 2013-12-02), in normal cases such settings have been
treated as 'update = none', so forbidding them should not produce any
collateral damage to legitimate uses.  A quick search does not reveal
any repositories making use of this construct, either.

Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

diff --git a/fsck.c b/fsck.c
index 2fc6bbca163194716a80b0ef6b5995b2cabb6fbd..0741e625860e38c15b2cd5c55e598f687511ca92 100644 (file)
--- a/fsck.c
+++ b/fsck.c
@@ -66,6 +66,7 @@ static struct oidset gitmodules_done = OIDSET_INIT;
        FUNC(GITMODULES_SYMLINK, ERROR) \
        FUNC(GITMODULES_URL, ERROR) \
        FUNC(GITMODULES_PATH, ERROR) \
+       FUNC(GITMODULES_UPDATE, ERROR) \
        /* warnings */ \
        FUNC(BAD_FILEMODE, WARN) \
        FUNC(EMPTY_NAME, WARN) \
@@ -975,6 +976,12 @@ static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
                                    FSCK_MSG_GITMODULES_PATH,
                                    "disallowed submodule path: %s",
                                    value);
+       if (!strcmp(key, "update") && value &&
+           parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
+               data->ret |= report(data->options, data->obj,
+                                   FSCK_MSG_GITMODULES_UPDATE,
+                                   "disallowed submodule update setting: %s",
+                                   value);
        free(name);
 
        return 0;

diff --git a/t/t7406-submodule-update.sh b/t/t7406-submodule-update.sh
index 779932457a531ad445b295e375a6289b2d14aefb..ceb5eed6e1bb4134d2efc72ed924a5b20ce359e0 100755 (executable)
--- a/t/t7406-submodule-update.sh
+++ b/t/t7406-submodule-update.sh
@@ -414,6 +414,20 @@ test_expect_success 'submodule update - command in .gitmodules is rejected' '
        test_must_fail git -C super submodule update submodule
 '
 
+test_expect_success 'fsck detects command in .gitmodules' '
+       git init command-in-gitmodules &&
+       (
+               cd command-in-gitmodules &&
+               git submodule add ../submodule submodule &&
+               test_commit adding-submodule &&
+
+               git config -f .gitmodules submodule.submodule.update "!false" &&
+               git add .gitmodules &&
+               test_commit configuring-update &&
+               test_must_fail git fsck
+       )
+'
+
 cat << EOF >expect
 Execution of 'false $submodulesha1' failed in submodule path 'submodule'
 EOF