author | Joseph Vusich <jvusich@amazon.com> | 2018-05-30 02:42:46 +0000 |
---|---|---|
committer | Joseph Vusich <jvusich@amazon.com> | 2018-05-30 17:42:09 +0000 |
commit | 79b7f24160029966238b04dd41f69add0741a1d2 (patch) | |
tree | ba6f5db1fc1ebbe478e46b166ef65531842795ee /config/modules_test.go | |
parent | 57570e84f8c5739f0f4a59387493e590e709dde9 (diff) | |
download | go-git-79b7f24160029966238b04dd41f69add0741a1d2.tar.gz |
config: modules, Ignore submodules with dotdot '..' path components. Fixes CVE-2018-11235
References:
* https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/
* https://security-tracker.debian.org/tracker/CVE-2018-11235
* https://github.com/git/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44
Signed-off-by: Joseph Vusich <jvusich@amazon.com>
Diffstat (limited to 'config/modules_test.go')
-rw-r--r-- | config/modules_test.go | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/config/modules_test.go b/config/modules_test.go
index 36cd93f..8e10d70 100644
--- a/config/modules_test.go
+++ b/config/modules_test.go
@@ -11,6 +11,29 @@ func (s *ModulesSuite) TestValidateMissingURL(c *C) {
 	c.Assert(m.Validate(), Equals, ErrModuleEmptyURL)
 }
 
+func (s *ModulesSuite) TestValidateBadPath(c *C) {
+	input := []string{
+		`..`,
+		`../`,
+		`../bar`,
+
+		`/..`,
+		`/../bar`,
+
+		`foo/..`,
+		`foo/../`,
+		`foo/../bar`,
+	}
+
+	for _, p := range input {
+		m := &Submodule{
+			Path: p,
+			URL:  "https://example.com/",
+		}
+		c.Assert(m.Validate(), Equals, ErrModuleBadPath)
+	}
+}
+
 func (s *ModulesSuite) TestValidateMissingName(c *C) {
 	m := &Submodule{URL: "bar"}
 	c.Assert(m.Validate(), Equals, ErrModuleEmptyPath)
@@ -39,6 +62,9 @@ func (s *ModulesSuite) TestUnmarshall(c *C) {
 	path = foo/bar
 	url = https://github.com/foo/bar.git
 	branch = dev
+[submodule "suspicious"]
+	path = ../../foo/bar
+	url = https://github.com/foo/bar.git
 `)
 
 	cfg := NewModules()
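Review bot: TestValidateBadPath in the first hunk has only rejection cases, all of them slash-separated `..` components, so a Validate that rejected any `..` substring would pass it while wrongly refusing legitimate paths such as `foo..bar` or `..hidden`; a positive case in the same test, e.g. `c.Assert((&Submodule{Path: "foo..bar", URL: "https://example.com/"}).Validate(), IsNil)`, would pin that `..` is only rejected as a whole path component. The backslash form `..\bar` is also absent from the list; whether it must be rejected depends on how Validate splits the path, which is in config/modules.go and not in this hunk, so a short comment on `input` stating that separators other than `/` are intentionally out of scope would help the next reader. In the second hunk the `suspicious` entry with `../../foo/bar` is appended to the TestUnmarshall fixture, but the assertions that would show it is ignored rather than loaded lie outside the hunk, so that behaviour cannot be confirmed from here.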