diff options
| author | Máximo Cuadros <mcuadros@gmail.com> | 2018-06-06 10:08:40 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-06-06 10:08:40 +0200 |
| commit | d33d3efff3e5aa7ac1be2c97f4dd1ac2190f00e2 (patch) | |
| tree | d17ac93f9f75d81410389e255af854f7b2aae006 /config/modules.go | |
| parent | ae788cfabbc02c2f836f5d8c3cc18021a97e9a88 (diff) | |
| parent | d87faeca21e6f416e88ae3d24dae58845d7487d4 (diff) | |
| download | go-git-d33d3efff3e5aa7ac1be2c97f4dd1ac2190f00e2.tar.gz | |
Merge pull request #848 from josephvusich/fix/cve-2018-11235
config: modules, worktree: Submodule fixes for CVE-2018-11235
Diffstat (limited to 'config/modules.go')
| -rw-r--r-- | config/modules.go | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/config/modules.go b/config/modules.go index b208984..90758d9 100644 --- a/config/modules.go +++ b/config/modules.go @@ -3,6 +3,7 @@ package config import ( "bytes" "errors" + "regexp" format "gopkg.in/src-d/go-git.v4/plumbing/format/config" ) @@ -10,6 +11,12 @@ import ( var ( ErrModuleEmptyURL = errors.New("module config: empty URL") ErrModuleEmptyPath = errors.New("module config: empty path") + ErrModuleBadPath = errors.New("submodule has an invalid path") +) + +var ( + // Matches module paths with dotdot ".." components. + dotdotPath = regexp.MustCompile(`(^|[/\\])\.\.([/\\]|$)`) ) // Modules defines the submodules properties, represents a .gitmodules file @@ -44,14 +51,7 @@ func (m *Modules) Unmarshal(b []byte) error { return err } - s := m.raw.Section(submoduleSection) - for _, sub := range s.Subsections { - mod := &Submodule{} - mod.unmarshal(sub) - - m.Submodules[mod.Path] = mod - } - + unmarshalSubmodules(m.raw, m.Submodules) return nil } @@ -102,6 +102,10 @@ func (m *Submodule) Validate() error { return ErrModuleEmptyURL } + if dotdotPath.MatchString(m.Path) { + return ErrModuleBadPath + } + return nil } |