mirror of
https://github.com/git/git.git
synced 2024-11-27 20:14:30 +08:00
a5adaced2e
If we are cloning an untrusted remote repository into a sandbox, we may also want to fetch remote submodules in order to get the complete view as intended by the other side. However, that opens us up to attacks where a malicious user gets us to clone something they would not otherwise have access to (this is not necessarily a problem by itself, but we may then act on the cloned contents in a way that exposes them to the attacker). Ideally such a setup would sandbox git entirely away from high-value items, but this is not always practical or easy to set up (e.g., OS network controls may block multiple protocols, and we would want to enable some but not others). We can help this case by providing a way to restrict particular protocols. We use a whitelist in the environment. This is more annoying to set up than a blacklist, but defaults to safety if the set of protocols git supports grows). If no whitelist is specified, we continue to default to allowing all protocols (this is an "unsafe" default, but since the minority of users will want this sandboxing effect, it is the only sensible one). A note on the tests: ideally these would all be in a single test file, but the git-daemon and httpd test infrastructure is an all-or-nothing proposition rather than a test-by-test prerequisite. By putting them all together, we would be unable to test the file-local code on machines without apache. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
97 lines
2.0 KiB
Bash
97 lines
2.0 KiB
Bash
# Test routines for checking protocol disabling.
|
|
|
|
# test cloning a particular protocol
|
|
# $1 - description of the protocol
|
|
# $2 - machine-readable name of the protocol
|
|
# $3 - the URL to try cloning
|
|
test_proto () {
|
|
desc=$1
|
|
proto=$2
|
|
url=$3
|
|
|
|
test_expect_success "clone $1 (enabled)" '
|
|
rm -rf tmp.git &&
|
|
(
|
|
GIT_ALLOW_PROTOCOL=$proto &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
git clone --bare "$url" tmp.git
|
|
)
|
|
'
|
|
|
|
test_expect_success "fetch $1 (enabled)" '
|
|
(
|
|
cd tmp.git &&
|
|
GIT_ALLOW_PROTOCOL=$proto &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
git fetch
|
|
)
|
|
'
|
|
|
|
test_expect_success "push $1 (enabled)" '
|
|
(
|
|
cd tmp.git &&
|
|
GIT_ALLOW_PROTOCOL=$proto &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
git push origin HEAD:pushed
|
|
)
|
|
'
|
|
|
|
test_expect_success "push $1 (disabled)" '
|
|
(
|
|
cd tmp.git &&
|
|
GIT_ALLOW_PROTOCOL=none &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
test_must_fail git push origin HEAD:pushed
|
|
)
|
|
'
|
|
|
|
test_expect_success "fetch $1 (disabled)" '
|
|
(
|
|
cd tmp.git &&
|
|
GIT_ALLOW_PROTOCOL=none &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
test_must_fail git fetch
|
|
)
|
|
'
|
|
|
|
test_expect_success "clone $1 (disabled)" '
|
|
rm -rf tmp.git &&
|
|
(
|
|
GIT_ALLOW_PROTOCOL=none &&
|
|
export GIT_ALLOW_PROTOCOL &&
|
|
test_must_fail git clone --bare "$url" tmp.git
|
|
)
|
|
'
|
|
}
|
|
|
|
# set up an ssh wrapper that will access $host/$repo in the
|
|
# trash directory, and enable it for subsequent tests.
|
|
setup_ssh_wrapper () {
|
|
test_expect_success 'setup ssh wrapper' '
|
|
write_script ssh-wrapper <<-\EOF &&
|
|
echo >&2 "ssh: $*"
|
|
host=$1; shift
|
|
cd "$TRASH_DIRECTORY/$host" &&
|
|
eval "$*"
|
|
EOF
|
|
GIT_SSH="$PWD/ssh-wrapper" &&
|
|
export GIT_SSH &&
|
|
export TRASH_DIRECTORY
|
|
'
|
|
}
|
|
|
|
# set up a wrapper that can be used with remote-ext to
|
|
# access repositories in the "remote" directory of trash-dir,
|
|
# like "ext::fake-remote %S repo.git"
|
|
setup_ext_wrapper () {
|
|
test_expect_success 'setup ext wrapper' '
|
|
write_script fake-remote <<-\EOF &&
|
|
echo >&2 "fake-remote: $*"
|
|
cd "$TRASH_DIRECTORY/remote" &&
|
|
eval "$*"
|
|
EOF
|
|
PATH=$TRASH_DIRECTORY:$PATH &&
|
|
export TRASH_DIRECTORY
|
|
'
|
|
}
|