t/t5619-clone-local-ambiguous-transport.sh

   1 #!/bin/sh
   2
   3 test_description='test local clone with ambiguous transport'
   4
   5 TEST_PASSES_SANITIZE_LEAK=true
   6 . ./test-lib.sh
   7 . "$TEST_DIRECTORY/lib-httpd.sh"
   8
   9 if ! test_have_prereq SYMLINKS
  10 then
  11         skip_all='skipping test, symlink support unavailable'
  12         test_done
  13 fi
  14
  15 start_httpd
  16
  17 REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git"
  18 URI="$HTTPD_URL/dumb/sub.git"
  19
  20 test_expect_success 'setup' '
  21         mkdir -p sensitive &&
  22         echo "secret" >sensitive/secret &&
  23
  24         git init --bare "$REPO" &&
  25         test_commit_bulk -C "$REPO" --ref=main 1 &&
  26
  27         git -C "$REPO" update-ref HEAD main &&
  28         git -C "$REPO" update-server-info &&
  29
  30         git init malicious &&
  31         (
  32                 cd malicious &&
  33
  34                 git submodule add "$URI" &&
  35
  36                 mkdir -p repo/refs &&
  37                 touch repo/refs/.gitkeep &&
  38                 printf "ref: refs/heads/a" >repo/HEAD &&
  39                 ln -s "$(cd .. && pwd)/sensitive" repo/objects &&
  40
  41                 mkdir -p "$HTTPD_URL/dumb" &&
  42                 ln -s "../../../.git/modules/sub/../../../repo/" "$URI" &&
  43
  44                 git add . &&
  45                 git commit -m "initial commit"
  46         ) &&
  47
  48         # Delete all of the references in our malicious submodule to
  49         # avoid the client attempting to checkout any objects (which
  50         # will be missing, and thus will cause the clone to fail before
  51         # we can trigger the exploit).
  52         git -C "$REPO" for-each-ref --format="delete %(refname)" >in &&
  53         git -C "$REPO" update-ref --stdin <in &&
  54         git -C "$REPO" update-server-info
  55 '
  56
  57 test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' '
  58         git clone malicious clone &&
  59         test_must_fail git -C clone submodule update --init 2>err &&
  60
  61         test_path_is_missing clone/.git/modules/sub/objects/secret &&
  62         # We would actually expect "transport .file. not allowed" here,
  63         # but due to quirks of the URL detection in Git, we mis-parse
  64         # the absolute path as a bogus URL and die before that step.
  65         #
  66         # This works for now, and if we ever fix the URL detection, it
  67         # is OK to change this to detect the transport error.
  68         grep "protocol .* is not supported" err
  69 '
  70
  71 test_done