@@ -1550,6 +1550,9 b' class gitsubrepo(abstractsubrepo):' | |||||
1550 |
|
1550 | |||
1551 | def _fetch(self, source, revision): |
|
1551 | def _fetch(self, source, revision): | |
1552 | if self._gitmissing(): |
|
1552 | if self._gitmissing(): | |
|
1553 | # SEC: check for safe ssh url | |||
|
1554 | util.checksafessh(source) | |||
|
1555 | ||||
1553 | source = self._abssource(source) |
|
1556 | source = self._abssource(source) | |
1554 | self.ui.status(_('cloning subrepo %s from %s\n') % |
|
1557 | self.ui.status(_('cloning subrepo %s from %s\n') % | |
1555 | (self._relpath, source)) |
|
1558 | (self._relpath, source)) |
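Review bot: `util.checksafessh(source)` runs on the raw `source` one step before `source = self._abssource(source)` rewrites it, so the string that is validated is not necessarily the string that is printed and then used for the clone. `_abssource` is not visible in this hunk; if it can turn a relative or remapped subrepo path into an `ssh://` URL, the check should also run on its result, for example a second `util.checksafessh(source)` directly after the `_abssource` call. The `# SEC:` comment would help the next reader more if it gave the reason, judging from the added tests something like `# SEC: refuse ssh URLs whose host starts with '-' or contains '|', also when percent-encoded`. The guard sits inside the `if self._gitmissing():` branch and the rest of `_fetch` lies outside the hunk, so whether later steps of the function take a URL from `source` cannot be judged from here.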
@@ -1182,3 +1182,58 b' whitelisting of ext should be respected ' | |||||
1182 | pwned: you asked for it |
|
1182 | pwned: you asked for it | |
1183 |
|
1183 | |||
1184 | #endif |
|
1184 | #endif | |
|
1185 | ||||
|
1186 | test for ssh exploit with git subrepos 2017-07-25 | |||
|
1187 | ||||
|
1188 | $ hg init malicious-proxycommand | |||
|
1189 | $ cd malicious-proxycommand | |||
|
1190 | $ echo 's = [git]ssh://-oProxyCommand=rm${IFS}non-existent/path' > .hgsub | |||
|
1191 | $ git init s | |||
|
1192 | Initialized empty Git repository in $TESTTMP/tc/malicious-proxycommand/s/.git/ | |||
|
1193 | $ cd s | |||
|
1194 | $ git commit --allow-empty -m 'empty' | |||
|
1195 | [master (root-commit) 153f934] empty | |||
|
1196 | $ cd .. | |||
|
1197 | $ hg add .hgsub | |||
|
1198 | $ hg ci -m 'add subrepo' | |||
|
1199 | $ cd .. | |||
|
1200 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1201 | updating to branch default | |||
|
1202 | abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s") | |||
|
1203 | [255] | |||
|
1204 | ||||
|
1205 | also check that a percent encoded '-' (%2D) doesn't work | |||
|
1206 | ||||
|
1207 | $ cd malicious-proxycommand | |||
|
1208 | $ echo 's = [git]ssh://%2DoProxyCommand=rm${IFS}non-existent/path' > .hgsub | |||
|
1209 | $ hg ci -m 'change url to percent encoded' | |||
|
1210 | $ cd .. | |||
|
1211 | $ rm -r malicious-proxycommand-clone | |||
|
1212 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1213 | updating to branch default | |||
|
1214 | abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s") | |||
|
1215 | [255] | |||
|
1216 | ||||
|
1217 | also check for a pipe | |||
|
1218 | ||||
|
1219 | $ cd malicious-proxycommand | |||
|
1220 | $ echo 's = [git]ssh://fakehost|shell/path' > .hgsub | |||
|
1221 | $ hg ci -m 'change url to pipe' | |||
|
1222 | $ cd .. | |||
|
1223 | $ rm -r malicious-proxycommand-clone | |||
|
1224 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1225 | updating to branch default | |||
|
1226 | abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | |||
|
1227 | [255] | |||
|
1228 | ||||
|
1229 | also check that a percent encoded '|' (%7C) doesn't work | |||
|
1230 | ||||
|
1231 | $ cd malicious-proxycommand | |||
|
1232 | $ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub | |||
|
1233 | $ hg ci -m 'change url to percent encoded' | |||
|
1234 | $ cd .. | |||
|
1235 | $ rm -r malicious-proxycommand-clone | |||
|
1236 | $ hg clone malicious-proxycommand malicious-proxycommand-clone | |||
|
1237 | updating to branch default | |||
|
1238 | abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | |||
|
1239 | [255] |