Browse Source
DirCacheCheckout and CanonicalTreeParser cooperate. CanonicalTreeParser can detect malformed, potentially malicious tree entries and sets a flag, while DirCacheCheckout refuses to work with such paths. Malicious tree entries are ".", "..", ".git" (case insensitive), any name containing '/' and (on Windows '\') and also (on Windows) any paths ending in a combination of '.' or space or containing a ':'. We also forbid all special names like "con" etc on Windows. Some of the test can execute on any platform by enabling partial platform emulation. A new runtime exception, InvalidPathException, is introduced. For backwards compatibility it extends InvalidArgumentException. Change-Id: I86199105814b63d4340e5de0e471d0da6b579ead Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>stable-2.0
Robin Rosenberg
13 years ago
committed by
Matthias Sohn
9 changed files with 635 additions and 8 deletions
@ -0,0 +1,420 @@
|
||||
/* |
||||
* Copyright (C) 2011, Robin Rosenberg <robin.rosenberg@dewire.com> |
||||
* and other copyright owners as documented in the project's IP log. |
||||
* |
||||
* This program and the accompanying materials are made available under the |
||||
* terms of the Eclipse Distribution License v1.0 which accompanies this |
||||
* distribution, is reproduced below, and is available at |
||||
* http://www.eclipse.org/org/documents/edl-v10.php
|
||||
* |
||||
* All rights reserved. |
||||
* |
||||
* Redistribution and use in source and binary forms, with or without |
||||
* modification, are permitted provided that the following conditions are met: |
||||
* |
||||
* - Redistributions of source code must retain the above copyright notice, this |
||||
* list of conditions and the following disclaimer. |
||||
* |
||||
* - Redistributions in binary form must reproduce the above copyright notice, |
||||
* this list of conditions and the following disclaimer in the documentation |
||||
* and/or other materials provided with the distribution. |
||||
* |
||||
* - Neither the name of the Eclipse Foundation, Inc. nor the names of its |
||||
* contributors may be used to endorse or promote products derived from this |
||||
* software without specific prior written permission. |
||||
* |
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE |
||||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
||||
* POSSIBILITY OF SUCH DAMAGE. |
||||
*/ |
||||
package org.eclipse.jgit.lib; |
||||
|
||||
import static org.hamcrest.Matchers.startsWith; |
||||
import static org.junit.Assert.assertThat; |
||||
import static org.junit.Assert.fail; |
||||
|
||||
import java.io.File; |
||||
import java.io.IOException; |
||||
import java.util.Arrays; |
||||
|
||||
import org.eclipse.jgit.api.Git; |
||||
import org.eclipse.jgit.api.errors.CheckoutConflictException; |
||||
import org.eclipse.jgit.api.errors.InvalidRefNameException; |
||||
import org.eclipse.jgit.api.errors.JGitInternalException; |
||||
import org.eclipse.jgit.api.errors.RefAlreadyExistsException; |
||||
import org.eclipse.jgit.api.errors.RefNotFoundException; |
||||
import org.eclipse.jgit.dircache.InvalidPathException; |
||||
import org.eclipse.jgit.errors.IncorrectObjectTypeException; |
||||
import org.eclipse.jgit.errors.MissingObjectException; |
||||
import org.eclipse.jgit.junit.MockSystemReader; |
||||
import org.eclipse.jgit.revwalk.RevWalk; |
||||
import org.eclipse.jgit.util.SystemReader; |
||||
import org.junit.Test; |
||||
|
||||
public class DirCacheCheckoutMaliciousPathTest extends RepositoryTestCase { |
||||
protected ObjectId theHead; |
||||
protected ObjectId theMerge; |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathIsOk() throws Exception { |
||||
testMaliciousPathGoodFirstCheckout("ok"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathIsOkSecondCheckout() throws Exception { |
||||
testMaliciousPathGoodSecondCheckout("ok"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathIsOkTwoLevels() throws Exception { |
||||
testMaliciousPathGoodSecondCheckout("a", "ok"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePath() throws Exception { |
||||
testMaliciousPathBadFirstCheckout("/tmp/x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathSecondCheckout() throws Exception { |
||||
testMaliciousPathBadSecondCheckout("/tmp/x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathTwoLevelsFirstBad() throws Exception { |
||||
testMaliciousPathBadFirstCheckout("/tmp/x", "y"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsolutePathTwoLevelsSecondBad() throws Exception { |
||||
testMaliciousPathBadFirstCheckout("y", "/tmp/x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteCurDrivePathWindows() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("\\somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteCurDrivePathWindowsOnUnix() |
||||
throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout("\\somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteUNCPathWindows1() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("\\\\somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteUNCPathWindows1OnUnix() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout("\\\\somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteUNCPathWindows2() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("\\/somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteUNCPathWindows2OnUnix() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathBadFirstCheckout("\\/somepath"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteWindowsPath1() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("c:\\temp\\x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteWindowsPath1OnUnix() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout("c:\\temp\\x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousAbsoluteWindowsPath2() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setCurrentPlatform(); |
||||
testMaliciousPathBadFirstCheckout("c:/temp/x"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPath1() throws Exception { |
||||
testMaliciousPathBadFirstCheckout(".git/konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPath2() throws Exception { |
||||
testMaliciousPathBadFirstCheckout(".git", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPath1Case() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); // or OS X
|
||||
testMaliciousPathBadFirstCheckout(".Git/konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPath2Case() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); // or OS X
|
||||
testMaliciousPathBadFirstCheckout(".gIt", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPath3Case() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); // or OS X
|
||||
testMaliciousPathBadFirstCheckout(".giT", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndSpaceWindows() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout(".git ", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndSpaceUnixOk() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout(".git ", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndDotWindows1() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout(".git.", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndDotWindows2() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout(".f."); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndDotWindows3() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathGoodFirstCheckout(".f"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousGitPathEndDotUnixOk() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout(".git.", "konfig"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousPathDotDot() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setCurrentPlatform(); |
||||
testMaliciousPathBadFirstCheckout("..", "no"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousPathDot() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setCurrentPlatform(); |
||||
testMaliciousPathBadFirstCheckout(".", "no"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousPathEmpty() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setCurrentPlatform(); |
||||
testMaliciousPathBadFirstCheckout("", "no"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousWindowsADS() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("some:path"); |
||||
} |
||||
|
||||
@Test |
||||
public void testMaliciousWindowsADSOnUnix() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
((MockSystemReader) SystemReader.getInstance()).setUnix(); |
||||
testMaliciousPathGoodFirstCheckout("some:path"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgCon() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("con"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgConDotSuffix() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("con.txt"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgLpt1() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("lpt1"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgLpt1DotSuffix() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathBadFirstCheckout("lpt1.txt"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgDotCon() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathGoodFirstCheckout(".con"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgLpr() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathGoodFirstCheckout("lpt"); // good name
|
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenNamesOnWindowsEgCon1() throws Exception { |
||||
((MockSystemReader) SystemReader.getInstance()).setWindows(); |
||||
testMaliciousPathGoodFirstCheckout("con1"); // good name
|
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenWindowsNamesOnUnixEgCon() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
testMaliciousPathGoodFirstCheckout("con"); |
||||
} |
||||
|
||||
@Test |
||||
public void testForbiddenWindowsNamesOnUnixEgLpt1() throws Exception { |
||||
if (File.separatorChar == '\\') |
||||
return; // cannot emulate Unix on Windows for this test
|
||||
testMaliciousPathGoodFirstCheckout("lpt1"); |
||||
} |
||||
|
||||
private void testMaliciousPathBadFirstCheckout(String... paths) |
||||
throws Exception { |
||||
testMaliciousPath(false, false, paths); |
||||
} |
||||
|
||||
private void testMaliciousPathBadSecondCheckout(String... paths) throws Exception { |
||||
testMaliciousPath(false, true, paths); |
||||
} |
||||
|
||||
private void testMaliciousPathGoodFirstCheckout(String... paths) |
||||
throws Exception { |
||||
testMaliciousPath(true, false, paths); |
||||
} |
||||
|
||||
private void testMaliciousPathGoodSecondCheckout(String... paths) throws Exception { |
||||
testMaliciousPath(true, true, paths); |
||||
} |
||||
|
||||
/** |
||||
* Create a bad tree and tries to check it out |
||||
* |
||||
* @param good |
||||
* true if we expect this to pass |
||||
* @param secondCheckout |
||||
* perform the actual test on the second checkout |
||||
* @param path |
||||
* to the blob, one or more levels |
||||
* @throws IOException |
||||
* @throws RefAlreadyExistsException |
||||
* @throws RefNotFoundException |
||||
* @throws InvalidRefNameException |
||||
* @throws MissingObjectException |
||||
* @throws IncorrectObjectTypeException |
||||
* @throws CheckoutConflictException |
||||
* @throws JGitInternalException |
||||
*/ |
||||
private void testMaliciousPath(boolean good, boolean secondCheckout, String... path) |
||||
throws IOException, RefAlreadyExistsException, |
||||
RefNotFoundException, InvalidRefNameException, |
||||
MissingObjectException, IncorrectObjectTypeException, |
||||
JGitInternalException, CheckoutConflictException { |
||||
Git git = new Git(db); |
||||
ObjectInserter newObjectInserter; |
||||
newObjectInserter = git.getRepository().newObjectInserter(); |
||||
ObjectId blobId = newObjectInserter.insert(Constants.OBJ_BLOB, |
||||
"data".getBytes()); |
||||
newObjectInserter = git.getRepository().newObjectInserter(); |
||||
FileMode mode = FileMode.REGULAR_FILE; |
||||
ObjectId insertId = blobId; |
||||
for (int i = path.length - 1; i >= 0; --i) { |
||||
TreeFormatter treeFormatter = new TreeFormatter(); |
||||
treeFormatter.append("goodpath", mode, insertId); |
||||
insertId = newObjectInserter.insert(treeFormatter); |
||||
mode = FileMode.TREE; |
||||
} |
||||
newObjectInserter = git.getRepository().newObjectInserter(); |
||||
CommitBuilder commitBuilder = new CommitBuilder(); |
||||
commitBuilder.setAuthor(author); |
||||
commitBuilder.setCommitter(committer); |
||||
commitBuilder.setMessage("foo#1"); |
||||
commitBuilder.setTreeId(insertId); |
||||
ObjectId firstCommitId = newObjectInserter.insert(commitBuilder); |
||||
|
||||
newObjectInserter = git.getRepository().newObjectInserter(); |
||||
mode = FileMode.REGULAR_FILE; |
||||
insertId = blobId; |
||||
for (int i = path.length - 1; i >= 0; --i) { |
||||
TreeFormatter treeFormatter = new TreeFormatter(); |
||||
treeFormatter.append(path[i], mode, insertId); |
||||
insertId = newObjectInserter.insert(treeFormatter); |
||||
mode = FileMode.TREE; |
||||
} |
||||
|
||||
// Create another commit
|
||||
commitBuilder = new CommitBuilder(); |
||||
commitBuilder.setAuthor(author); |
||||
commitBuilder.setCommitter(committer); |
||||
commitBuilder.setMessage("foo#2"); |
||||
commitBuilder.setTreeId(insertId); |
||||
commitBuilder.setParentId(firstCommitId); |
||||
ObjectId commitId = newObjectInserter.insert(commitBuilder); |
||||
|
||||
RevWalk revWalk = new RevWalk(git.getRepository()); |
||||
if (!secondCheckout) |
||||
git.checkout().setStartPoint(revWalk.parseCommit(firstCommitId)) |
||||
.setName("refs/heads/master").setCreateBranch(true).call(); |
||||
try { |
||||
if (secondCheckout) { |
||||
git.checkout().setStartPoint(revWalk.parseCommit(commitId)) |
||||
.setName("refs/heads/master").setCreateBranch(true) |
||||
.call(); |
||||
} else { |
||||
git.branchCreate().setName("refs/heads/next") |
||||
.setStartPoint(commitId.name()).call(); |
||||
git.checkout().setName("refs/heads/next") |
||||
.call(); |
||||
} |
||||
if (!good) |
||||
fail("Checkout of Tree " + Arrays.asList(path) + " should fail"); |
||||
} catch (InvalidPathException e) { |
||||
if (good) |
||||
throw e; |
||||
assertThat(e.getMessage(), startsWith("Invalid path: ")); |
||||
} |
||||
} |
||||
|
||||
} |
@ -0,0 +1,63 @@
|
||||
/* |
||||
* Copyright (C) 2011, Robin Rosenberg |
||||
* and other copyright owners as documented in the project's IP log. |
||||
* |
||||
* This program and the accompanying materials are made available |
||||
* under the terms of the Eclipse Distribution License v1.0 which |
||||
* accompanies this distribution, is reproduced below, and is |
||||
* available at http://www.eclipse.org/org/documents/edl-v10.php
|
||||
* |
||||
* All rights reserved. |
||||
* |
||||
* Redistribution and use in source and binary forms, with or |
||||
* without modification, are permitted provided that the following |
||||
* conditions are met: |
||||
* |
||||
* - Redistributions of source code must retain the above copyright |
||||
* notice, this list of conditions and the following disclaimer. |
||||
* |
||||
* - Redistributions in binary form must reproduce the above |
||||
* copyright notice, this list of conditions and the following |
||||
* disclaimer in the documentation and/or other materials provided |
||||
* with the distribution. |
||||
* |
||||
* - Neither the name of the Eclipse Foundation, Inc. nor the |
||||
* names of its contributors may be used to endorse or promote |
||||
* products derived from this software without specific prior |
||||
* written permission. |
||||
* |
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND |
||||
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, |
||||
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR |
||||
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
||||
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF |
||||
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
*/ |
||||
|
||||
package org.eclipse.jgit.dircache; |
||||
|
||||
import java.text.MessageFormat; |
||||
|
||||
import org.eclipse.jgit.internal.JGitText; |
||||
|
||||
/** |
||||
* Thrown when JGit detects and refuses to use an invalid path |
||||
*/ |
||||
public class InvalidPathException extends IllegalArgumentException { |
||||
|
||||
private static final long serialVersionUID = 1L; |
||||
|
||||
/** |
||||
* @param path |
||||
*/ |
||||
public InvalidPathException(String path) { |
||||
super(MessageFormat.format(JGitText.get().invalidPath, path)); |
||||
} |
||||
} |
Loading…
Reference in new issue