author | Joseph Vusich <jvusich@amazon.com> | 2018-05-30 02:42:46 +0000 |
---|---|---|
committer | Joseph Vusich <jvusich@amazon.com> | 2018-05-30 17:42:09 +0000 |
commit | 79b7f24160029966238b04dd41f69add0741a1d2 (patch) | |
tree | ba6f5db1fc1ebbe478e46b166ef65531842795ee /config/modules.go | |
parent | 57570e84f8c5739f0f4a59387493e590e709dde9 (diff) | |
config: modules, Ignore submodules with dotdot '..' path components. Fixes CVE-2018-11235
References:
* https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/
* https://security-tracker.debian.org/tracker/CVE-2018-11235
* https://github.com/git/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44
Signed-off-by: Joseph Vusich <jvusich@amazon.com>
Diffstat (limited to 'config/modules.go')
-rw-r--r-- | config/modules.go | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/config/modules.go b/config/modules.go
index b208984..90758d9 100644
--- a/config/modules.go
+++ b/config/modules.go
@@ -3,6 +3,7 @@ package config
 import (
  "bytes"
  "errors"
+ "regexp"
 
  format "gopkg.in/src-d/go-git.v4/plumbing/format/config"
 )
@@ -10,6 +11,12 @@ import (
 var (
  ErrModuleEmptyURL = errors.New("module config: empty URL")
  ErrModuleEmptyPath = errors.New("module config: empty path")
+ ErrModuleBadPath = errors.New("submodule has an invalid path")
+)
+
+var (
+ // Matches module paths with dotdot ".." components.
+ dotdotPath = regexp.MustCompile(`(^|[/\\])\.\.([/\\]|$)`)
 )
 
 // Modules defines the submodules properties, represents a .gitmodules file
@@ -44,14 +51,7 @@ func (m *Modules) Unmarshal(b []byte) error {
  return err
  }
 
- s := m.raw.Section(submoduleSection)
- for _, sub := range s.Subsections {
- mod := &Submodule{}
- mod.unmarshal(sub)
-
- m.Submodules[mod.Path] = mod
- }
-
+ unmarshalSubmodules(m.raw, m.Submodules)
  return nil
 }
 
@@ -102,6 +102,10 @@ func (m *Submodule) Validate() error {
  return ErrModuleEmptyURL
  }
 
+ if dotdotPath.MatchString(m.Path) {
+ return ErrModuleBadPath
+ }
+
  return nil
 }
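Review bot: The new sentinel in the second hunk drops the `module config: ` prefix that its siblings `ErrModuleEmptyURL` and `ErrModuleEmptyPath` carry, and like them it is exported without a doc comment; `// ErrModuleBadPath is returned when a submodule path contains a ".." component.` above `ErrModuleBadPath = errors.New("module config: invalid path")` would keep the block uniform. The `..` check in the last hunk lives in `Validate()`, so it only protects callers that validate before using `Path`; the loop removed from `Unmarshal` in the third hunk stored entries keyed by `mod.Path` without validating, and whether the replacement `unmarshalSubmodules` helper (defined outside this diff) now rejects or validates bad entries is not visible here and is worth confirming. The upstream git fix referenced in the description validates the submodule name rather than the path, so if go-git derives the `.git/modules` directory from the subsection name, the same `dotdotPath` check presumably belongs on that field too. Both `Unmarshal` and `Validate` begin outside their hunks.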