diff options
| author | Patrick Steinhardt <ps@pks.im> | 2022-12-01 17:46:09 +0300 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2022-12-09 11:07:04 +0300 |
| commit | 27ab4784d5c9e24345b9f5b443609cbe527c51f9 (patch) | |
| tree | a79a1b51547323fdcf5378096560f2c45960f023 /fsck.c | |
| parent | f8587c31c96172aac547f83977c98fa8f0e2aa67 (diff) | |
fsck: implement checks for gitattributes
Recently, a vulnerability was reported that can lead to an out-of-bounds
write when reading an unreasonably large gitattributes file. The root
cause of this error are multiple integer overflows in different parts of
the code when there are either too many lines, when paths are too long,
when attribute names are too long, or when there are too many attributes
declared for a pattern.
As all of these are related to size, it seems reasonable to restrict the
size of the gitattributes file via git-fsck(1). This allows us to both
stop distributing known-vulnerable objects via common hosting platforms
that have fsck enabled, and users to protect themselves by enabling the
`fetch.fsckObjects` config.
There are basically two checks:
1. We verify that size of the gitattributes file is smaller than
100MB.
2. We verify that the maximum line length does not exceed 2048
bytes.
With the preceding commits, both of these conditions would cause us to
either ignore the complete gitattributes file or blob in the first case,
or the specific line in the second case. Now with these consistency
checks added, we also grow the ability to stop distributing such files
in the first place when `receive.fsckObjects` is enabled.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'fsck.c')
| -rw-r--r-- | fsck.c | 38 |
1 files changed, 37 insertions, 1 deletions
@@ -2,6 +2,7 @@ #include "object-store.h" #include "repository.h" #include "object.h" +#include "attr.h" #include "blob.h" #include "tree.h" #include "tree-walk.h" @@ -615,7 +616,10 @@ static int fsck_tree(const struct object_id *tree_oid, } if (is_hfs_dotgitattributes(name) || is_ntfs_dotgitattributes(name)) { - if (S_ISLNK(mode)) + if (!S_ISLNK(mode)) + oidset_insert(&options->gitattributes_found, + entry_oid); + else retval += report(options, tree_oid, OBJ_TREE, FSCK_MSG_GITATTRIBUTES_SYMLINK, ".gitattributes is a symlink"); @@ -1206,6 +1210,35 @@ static int fsck_blob(const struct object_id *oid, const char *buf, ret |= data.ret; } + if (oidset_contains(&options->gitattributes_found, oid)) { + const char *ptr; + + oidset_insert(&options->gitattributes_done, oid); + + if (!buf || size > ATTR_MAX_FILE_SIZE) { + /* + * A missing buffer here is a sign that the caller found the + * blob too gigantic to load into memory. Let's just consider + * that an error. + */ + return report(options, oid, OBJ_BLOB, + FSCK_MSG_GITATTRIBUTES_LARGE, + ".gitattributes too large to parse"); + } + + for (ptr = buf; *ptr; ) { + const char *eol = strchrnul(ptr, '\n'); + if (eol - ptr >= ATTR_MAX_LINE_LENGTH) { + ret |= report(options, oid, OBJ_BLOB, + FSCK_MSG_GITATTRIBUTES_LINE_LENGTH, + ".gitattributes has too long lines to parse"); + break; + } + + ptr = *eol ? eol + 1 : eol; + } + } + return ret; } @@ -1293,6 +1326,9 @@ int fsck_finish(struct fsck_options *options) ret |= fsck_blobs(&options->gitmodules_found, &options->gitmodules_done, FSCK_MSG_GITMODULES_MISSING, FSCK_MSG_GITMODULES_BLOB, options, ".gitmodules"); + ret |= fsck_blobs(&options->gitattributes_found, &options->gitattributes_done, + FSCK_MSG_GITATTRIBUTES_MISSING, FSCK_MSG_GITATTRIBUTES_BLOB, + options, ".gitattributes"); return ret; } |