sideband: mask control characters

The output of `git clone` is a vital component for understanding what
has happened when things go wrong. However, these logs are partially
under the control of the remote server (via the "sideband", which
typically contains what the remote `git pack-objects` process sends to
`stderr`), and is currently not sanitized by Git.

This makes Git susceptible to ANSI escape sequence injection (see
CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
attackers to corrupt terminal state, to hide information, and even to
insert characters into the input buffer (i.e. as if the user had typed
those characters).

To plug this vulnerability, disallow any control character in the
sideband, replacing them instead with the common `^<letter/symbol>`
(e.g. `^[` for `\x1b`, `^A` for `\x01`).

There is likely a need for more fine-grained controls instead of using a
"heavy hammer" like this, which will be introduced subsequently.

Helped-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/sideband.c b/sideband.c
index 02805573fab85d602a83e5bc54dfb5ba404ab44b..fc1805dcf87d24dccf43153a0aef34279a328c27 100644 (file)
--- a/sideband.c
+++ b/sideband.c
@@ -65,6 +65,19 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
                list_config_item(list, prefix, keywords[i].keyword);
 }
 
+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
+{
+       strbuf_grow(dest, n);
+       for (; n && *src; src++, n--) {
+               if (!iscntrl(*src) || *src == '\t' || *src == '\n')
+                       strbuf_addch(dest, *src);
+               else {
+                       strbuf_addch(dest, '^');
+                       strbuf_addch(dest, *src == 0x7f ? '?' : 0x40 + *src);
+               }
+       }
+}
+
 /*
  * Optionally highlight one keyword in remote output if it appears at the start
  * of the line. This should be called for a single line only, which is
@@ -80,7 +93,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
        int i;
 
        if (!want_color_stderr(use_sideband_colors())) {
-               strbuf_add(dest, src, n);
+               strbuf_add_sanitized(dest, src, n);
                return;
        }
 
@@ -113,7 +126,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
                }
        }
 
-       strbuf_add(dest, src, n);
+       strbuf_add_sanitized(dest, src, n);
 }
 
 

diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
index 516b22fd9637ea6d7563100167088e8109180c9d..f4712f4161c0b536fd6255c7cd7ba86678d8a524 100755 (executable)
--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
@@ -99,4 +99,16 @@ test_expect_success 'fallback to color.ui' '
        grep "<BOLD;RED>error<RESET>: error" decoded
 '
 
+test_expect_success 'disallow (color) control sequences in sideband' '
+       write_script .git/color-me-surprised <<-\EOF &&
+       printf "error: Have you \\033[31mread\\033[m this?\\n" >&2
+       exec "$@"
+       EOF
+       test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
+       test_commit need-at-least-one-commit &&
+       git clone --no-local . throw-away 2>stderr &&
+       test_decode_color <stderr >decoded &&
+       test_grep ! RED decoded
+'
+
 test_done