Show More
@@ -1543,6 +1543,9 b' class gitsubrepo(abstractsubrepo):' | |||||
1543 |
|
1543 | |||
1544 | def _fetch(self, source, revision): |
|
1544 | def _fetch(self, source, revision): | |
1545 | if self._gitmissing(): |
|
1545 | if self._gitmissing(): | |
|
1546 | # SEC: check for safe ssh url | |||
|
1547 | util.checksafessh(source) | |||
|
1548 | ||||
1546 | source = self._abssource(source) |
|
1549 | source = self._abssource(source) | |
1547 | self.ui.status(_('cloning subrepo %s from %s\n') % |
|
1550 | self.ui.status(_('cloning subrepo %s from %s\n') % | |
1548 | (self._relpath, source)) |
|
1551 | (self._relpath, source)) |
@@ -1173,3 +1173,58 b' whitelisting of ext should be respected ' | |||||
1173 | [255] |
|
1173 | [255] | |
1174 | $ f -Dq pwned.txt |
|
1174 | $ f -Dq pwned.txt | |
1175 | pwned: you asked for it |
|
1175 | pwned: you asked for it | |
|
1176 | ||||
|
1177 | test for ssh exploit with git subrepos 2017-07-25 | |||
|
1178 | ||||
|
1179 | $ hg init malicious-proxycommand | |||
|
1180 | $ cd malicious-proxycommand | |||
|
1181 | $ echo 's = [git]ssh://-oProxyCommand=rm${IFS}non-existent/path' > .hgsub | |||
|
1182 | $ git init s | |||
|
1183 | Initialized empty Git repository in $TESTTMP/tc/malicious-proxycommand/s/.git/ | |||
|
1184 | $ cd s | |||
|
1185 | $ git commit --allow-empty -m 'empty' | |||
|
1186 | [master (root-commit) 153f934] empty | |||
|
1187 | $ cd .. | |||
|
1188 | $ hg add .hgsub | |||
|
1189 | $ hg ci -m 'add subrepo' | |||
|
1190 | $ cd .. | |||
|
1191 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1192 | updating to branch default | |||
|
1193 | abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s) | |||
|
1194 | [255] | |||
|
1195 | ||||
|
1196 | also check that a percent encoded '-' (%2D) doesn't work | |||
|
1197 | ||||
|
1198 | $ cd malicious-proxycommand | |||
|
1199 | $ echo 's = [git]ssh://%2DoProxyCommand=rm${IFS}non-existent/path' > .hgsub | |||
|
1200 | $ hg ci -m 'change url to percent encoded' | |||
|
1201 | $ cd .. | |||
|
1202 | $ rm -r malicious-proxycommand-clone | |||
|
1203 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1204 | updating to branch default | |||
|
1205 | abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepo s) | |||
|
1206 | [255] | |||
|
1207 | ||||
|
1208 | also check for a pipe | |||
|
1209 | ||||
|
1210 | $ cd malicious-proxycommand | |||
|
1211 | $ echo 's = [git]ssh://fakehost|shell/path' > .hgsub | |||
|
1212 | $ hg ci -m 'change url to pipe' | |||
|
1213 | $ cd .. | |||
|
1214 | $ rm -r malicious-proxycommand-clone | |||
|
1215 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1216 | updating to branch default | |||
|
1217 | abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s) | |||
|
1218 | [255] | |||
|
1219 | ||||
|
1220 | also check that a percent encoded '|' (%7C) doesn't work | |||
|
1221 | ||||
|
1222 | $ cd malicious-proxycommand | |||
|
1223 | $ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub | |||
|
1224 | $ hg ci -m 'change url to percent encoded' | |||
|
1225 | $ cd .. | |||
|
1226 | $ rm -r malicious-proxycommand-clone | |||
|
1227 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1228 | updating to branch default | |||
|
1229 | abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s) | |||
|
1230 | [255] |
General Comments 0
You need to be logged in to leave comments.
Login now