From f4fc6404baac5a6a5db34f71e62fb62fd8f1b8ef Mon Sep 17 00:00:00 2001 From: David Pursehouse Date: Tue, 18 Dec 2018 19:53:26 +0900 Subject: [PATCH] BasePackConnection: Check for expected length of ref advertisement When a server sends a ref advertisement using protocol v2 it contains lines other than ref names and sha1s. Attempting to get the sha1 out of such a line using the substring method can result in a SIOOB error when it doesn't actually contain the sha1 and ref name. Add a check that the line is of the expected length, and subsequently that the extracted object id is valid, and if not throw an exception. Change-Id: Id92fe66ff8b6deb2cf987d81929f8d0602c399f4 Signed-off-by: David Pursehouse --- .../eclipse/jgit/internal/JGitText.properties | 1 + .../src/org/eclipse/jgit/internal/JGitText.java | 1 + .../jgit/transport/BasePackConnection.java | 16 +++++++++++++++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties index 3f1d21289..b0c952cd4 100644 --- a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties +++ b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties @@ -390,6 +390,7 @@ invalidPathPeriodAtEndWindows=Invalid path (period at end is ignored by Windows) invalidPathSpaceAtEndWindows=Invalid path (space at end is ignored by Windows): {0} invalidPathReservedOnWindows=Invalid path (''{0}'' is reserved on Windows): {1} invalidRedirectLocation=Invalid redirect location {0} -> {1} +invalidRefAdvertisementLine=Invalid ref advertisement line: ''{1}'' invalidReflogRevision=Invalid reflog revision: {0} invalidRefName=Invalid ref name: {0} invalidReftableBlock=Invalid reftable block diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java index c11ae5a52..6e99ca739 100644 
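Review bot: The added `invalidRefAdvertisementLine` entry uses placeholder `{1}`, but the helper this patch adds in BasePackConnection.java formats it with a single argument, `MessageFormat.format(JGitText.get().invalidRefAdvertisementLine, line)`, which is index 0. With no argument at index 1, MessageFormat leaves the text `{1}` in the output, so the exception never shows the offending line. The entry should read `invalidRefAdvertisementLine=Invalid ref advertisement line: ''{0}''`.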
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java @@ -451,6 +451,7 @@ public class JGitText extends TranslationBundle { /***/ public String invalidPathSpaceAtEndWindows; /***/ public String invalidPathReservedOnWindows; /***/ public String invalidRedirectLocation; + /***/ public String invalidRefAdvertisementLine; /***/ public String invalidReflogRevision; /***/ public String invalidRefName; /***/ public String invalidReftableBlock; diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackConnection.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackConnection.java index 38eae1cd4..fcf78ac7b 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackConnection.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackConnection.java @@ -57,6 +57,7 @@ import java.util.HashSet; import java.util.LinkedHashMap; import java.util.Set; +import org.eclipse.jgit.errors.InvalidObjectIdException; import org.eclipse.jgit.errors.NoRemoteRepositoryException; import org.eclipse.jgit.errors.PackProtocolException; import org.eclipse.jgit.errors.RemoteRepositoryException; @@ -222,6 +223,10 @@ abstract class BasePackConnection extends BaseConnection { } } + // Expecting to get a line in the form "sha1 refname" + if (line.length() < 41 || line.charAt(40) != ' ') { + throw invalidRefAdvertisementLine(line); + } String name = line.substring(41, line.length()); if (avail.isEmpty() && name.equals("capabilities^{}")) { //$NON-NLS-1$ // special line from git-receive-pack to show 
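Review bot: The new guard in the `@@ -222,6 +223,10 @@` hunk accepts a line of exactly 41 characters, that is, an object id followed by a space and nothing else, so `name` becomes the empty string and processing continues as if a ref had been advertised. Whether an empty name is rejected further down is not visible here; if it is not, `if (line.length() <= 41 || line.charAt(40) != ' ') {` would stop it at this point. The literals 40 and 41 could also be derived from `org.eclipse.jgit.lib.Constants.OBJECT_ID_STRING_LENGTH`, so the check stays tied to the id length. The enclosing method starts and ends outside the hunk.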
@@ -229,7 +234,12 @@ abstract class BasePackConnection extends BaseConnection { continue; } - final ObjectId id = ObjectId.fromString(line.substring(0, 40)); + final ObjectId id; + try { + id = ObjectId.fromString(line.substring(0, 40)); + } catch (InvalidObjectIdException e) { + throw invalidRefAdvertisementLine(line); + } if (name.equals(".have")) { //$NON-NLS-1$ additionalHaves.add(id); } else if (name.endsWith("^{}")) { //$NON-NLS-1$ @@ -318,6 +328,10 @@ abstract class BasePackConnection extends BaseConnection { return new PackProtocolException(uri, MessageFormat.format(JGitText.get().duplicateAdvertisementsOf, name)); } + private PackProtocolException invalidRefAdvertisementLine(String line) { + return new PackProtocolException(uri, MessageFormat.format(JGitText.get().invalidRefAdvertisementLine, line)); + } + /** {@inheritDoc} */ @Override public void close() {
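Review bot: The catch block in the `@@ -229,7 +234,12 @@` hunk discards the caught `InvalidObjectIdException`, so the PackProtocolException that replaces it carries no cause and the reason the id was rejected is lost to whoever reads the stack trace. Chaining it is a small change: give the helper an overload that takes the Throwable and forwards it to the PackProtocolException constructor that accepts a cause, then call `throw invalidRefAdvertisementLine(line, e);`. The enclosing loop and method start and end outside the hunk.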
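Review bot: The helper `invalidRefAdvertisementLine` added in the `@@ -318,6 +328,10 @@` hunk puts the raw advertisement line, which is supplied by the remote server, into the exception message without bounding its length or escaping non-printable characters. If that message is later written to a log or a terminal, a misbehaving server decides what appears there. Truncating the line to a fixed maximum and replacing control characters before passing it to `MessageFormat.format` would keep the diagnostic useful while limiting that. The method would also benefit from a short comment such as `// Error for an advertisement line that is not "sha1 refname"`.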