
Add validation to hex decoder

Does not fix any issue but prevents user from shooting themselves in the
foot with improper configuration.

Suggested by Demetr Starshov at https://git.eclipse.org/r/#/c/157681/

Change-Id: I006d65022f0a7d4066970825d00080c59404fdc3
Signed-off-by: Michael Dardis <git@md-5.net>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
stable-5.8
Michael Dardis 5 years ago committed by Matthias Sohn
parent
commit
d7f304045a
  1. 25
      org.eclipse.jgit.test/tst/org/eclipse/jgit/util/HexTest.java
  2. 1
      org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
  3. 1
      org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
  4. 21
      org.eclipse.jgit/src/org/eclipse/jgit/util/Hex.java

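--- a/org.eclipse.jgit.test/tst/org/eclipse/jgit/util/HexTest.java
+++ b/org.eclipse.jgit.test/tst/org/eclipse/jgit/util/HexTest.java
@@ -42,6 +42,31 @@ public class HexTest {
 }
 }
+@Test(expected = IllegalArgumentException.class)
+public void testIllegal() {
+decode("0011test00");
+}
+@Test(expected = IllegalArgumentException.class)
+public void testIllegal2() {
+decode("0123456789abcdefgh");
+}
+@Test(expected = IllegalArgumentException.class)
+public void testIllegal3() {
+decode("0123456789abcdef-_+*");
+}
+@Test
+public void testLegal() {
+decode("0123456789abcdef");
+}
+@Test
+public void testLegal2() {
+decode("deadbeef");
+}
 private static byte[] b(String str) {
 return Constants.encode(str);
 }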
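Review bot: `testLegal` and `testLegal2` only show that `decode` does not throw; neither asserts the decoded bytes, so a mistake in the rewritten `left << 4 | right` expression would pass here unless tests above the hunk already pin the values. Comparing against the expected array, e.g. `assertArrayEquals(new byte[] { (byte) 0xde, (byte) 0xad, (byte) 0xbe, (byte) 0xef }, decode("deadbeef"));`, would close that, assuming `assertArrayEquals` is already statically imported in this file (the hunk does not show the imports). All three illegal inputs are even-length and lowercase, so an odd-length string and an uppercase input remain untested.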

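--- a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
+++ b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
@@ -354,6 +354,7 @@ invalidFilter=Invalid filter: {0}
 invalidGitdirRef = Invalid .git reference in file ''{0}''
 invalidGitModules=Invalid .gitmodules file
 invalidGitType=invalid git type: {0}
+invalidHexString=Invalid hex string: {0}
 invalidHooksPath=Invalid git config core.hooksPath = {0}
 invalidId=Invalid id: {0}
 invalidId0=Invalid id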

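--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
@@ -382,6 +382,7 @@ public class JGitText extends TranslationBundle {
 /***/ public String invalidGitdirRef;
 /***/ public String invalidGitModules;
 /***/ public String invalidGitType;
+/***/ public String invalidHexString;
 /***/ public String invalidHooksPath;
 /***/ public String invalidId;
 /***/ public String invalidId0;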

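--- a/org.eclipse.jgit/src/org/eclipse/jgit/util/Hex.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/util/Hex.java
@@ -10,6 +10,10 @@
 package org.eclipse.jgit.util;
+import java.text.MessageFormat;
+import org.eclipse.jgit.internal.JGitText;
 /**
 * Encodes and decodes to and from hexadecimal notation.
 *
@@ -27,9 +31,11 @@ public final class Hex {
 /**
 * Decode a hexadecimal string to a byte array.
 *
-* Note this method performs no validation on input content.
+* Note this method validates that characters in the given string are valid
+* as digits in a hex string.
 *
-* @param s hexadecimal string
+* @param s
+* hexadecimal string
 * @return decoded array
 */
 public static byte[] decode(String s) {
@@ -37,7 +43,16 @@ public final class Hex {
 byte[] b = new byte[len / 2];
 for (int i = 0; i < len; i += 2) {
-b[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) | Character.digit(s.charAt(i + 1), 16));
+int left = Character.digit(s.charAt(i), 16);
+int right = Character.digit(s.charAt(i + 1), 16);
+if (left == -1 || right == -1) {
+throw new IllegalArgumentException(MessageFormat.format(
+JGitText.get().invalidHexString,
+s));
+}
+b[i / 2] = (byte) (left << 4 | right);
 }
 return b;
 }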
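Review bot: An odd-length input still bypasses the new validation in `decode`: `b` is sized `len / 2` and the loop steps by two, so the last iteration calls `s.charAt(i + 1)` one past the end and the caller gets a StringIndexOutOfBoundsException rather than the IllegalArgumentException used for other bad input. Assuming `len` is `s.length()` (its declaration falls between the hunks and is not shown), a guard before the loop such as `if ((len & 1) != 0) throw new IllegalArgumentException(MessageFormat.format(JGitText.get().invalidHexString, s));` would report it consistently. Separately, `Character.digit(c, 16)` also returns a value for non-ASCII Unicode digits and fullwidth Latin letters, so the accepted alphabet is wider than `[0-9a-fA-F]`. The message also embeds the whole of `s`, so if any caller passes key material or another secret as hex, it will end up in exception text and logs; the Javadoc should at least say so.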
