Revision - 820d765 - connect: reject ssh hostname that begins with a dash

Revision 820d7650cc670d3e4195aad3a5343158c316e8fa authored by Junio C Hamano on 26 July 2017, 17:24:20 UTC, committed by Junio C Hamano on 28 July 2017, 22:51:14 UTC

connect: reject ssh hostname that begins with a dash

When commands like "git fetch" talk with ssh://$rest_of_URL/, the
code splits $rest_of_URL into components like host, port, etc., and
then spawns the underlying "ssh" program by formulating argv[] array
that has:

 - the path to ssh command taken from GIT_SSH_COMMAND, etc.

 - dashed options like '-batch' (for Tortoise), '-p <port>' as
   needed.

 - ssh_host, which is supposed to be the hostname parsed out of
   $rest_of_URL.

 - then the command to be run on the other side, e.g. git
   upload-pack.

If the ssh_host ends up getting '-<anything>', the argv[] that is
used to spawn the command becomes something like:

    { "ssh", "-p", "22", "-<anything>", "command", "to", "run", NULL }

which obviously is bogus, but depending on the actual value of
"<anything>", will make "ssh" parse and use it as an option.

Prevent this by forbidding ssh_host that begins with a "-".

Noticed-by: Joern Schneeweisz of Recurity Labs
Reported-by: Brian at GitLab
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Reviewed-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

1 parent c8dd1e3

Files
Changes

Permalinks

t5407-post-rewrite-hook.sh

#!/bin/sh
#
# Copyright (c) 2010 Thomas Rast
#

test_description='Test the post-rewrite hook.'
. ./test-lib.sh

test_expect_success 'setup' '
	test_commit A foo A &&
	test_commit B foo B &&
	test_commit C foo C &&
	test_commit D foo D &&
	git checkout A^0 &&
	test_commit E bar E &&
	test_commit F foo F &&
	git checkout master
'

mkdir .git/hooks

cat >.git/hooks/post-rewrite <<EOF
#!/bin/sh
echo \$@ > "$TRASH_DIRECTORY"/post-rewrite.args
cat > "$TRASH_DIRECTORY"/post-rewrite.data
EOF
chmod u+x .git/hooks/post-rewrite

clear_hook_input () {
	rm -f post-rewrite.args post-rewrite.data
}

verify_hook_input () {
	test_cmp expected.args "$TRASH_DIRECTORY"/post-rewrite.args &&
	test_cmp expected.data "$TRASH_DIRECTORY"/post-rewrite.data
}

test_expect_success 'git commit --amend' '
	clear_hook_input &&
	echo "D new message" > newmsg &&
	oldsha=$(git rev-parse HEAD^0) &&
	git commit -Fnewmsg --amend &&
	echo amend > expected.args &&
	echo $oldsha $(git rev-parse HEAD^0) > expected.data &&
	verify_hook_input
'

test_expect_success 'git commit --amend --no-post-rewrite' '
	clear_hook_input &&
	echo "D new message again" > newmsg &&
	git commit --no-post-rewrite -Fnewmsg --amend &&
	test ! -f post-rewrite.args &&
	test ! -f post-rewrite.data
'

test_expect_success 'git rebase' '
	git reset --hard D &&
	clear_hook_input &&
	test_must_fail git rebase --onto A B &&
	echo C > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD^)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase --skip' '
	git reset --hard D &&
	clear_hook_input &&
	test_must_fail git rebase --onto A B &&
	test_must_fail git rebase --skip &&
	echo D > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase --skip the last one' '
	git reset --hard F &&
	clear_hook_input &&
	test_must_fail git rebase --onto D A &&
	git rebase --skip &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse E) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -m' '
	git reset --hard D &&
	clear_hook_input &&
	test_must_fail git rebase -m --onto A B &&
	echo C > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD^)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -m --skip' '
	git reset --hard D &&
	clear_hook_input &&
	test_must_fail git rebase --onto A B &&
	test_must_fail git rebase --skip &&
	echo D > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

. "$TEST_DIRECTORY"/lib-rebase.sh

set_fake_editor

# Helper to work around the lack of one-shot exporting for
# test_must_fail (as it is a shell function)
test_fail_interactive_rebase () {
	(
		FAKE_LINES="$1" &&
		shift &&
		export FAKE_LINES &&
		test_must_fail git rebase -i "$@"
	)
}

test_expect_success 'git rebase -i (unchanged)' '
	git reset --hard D &&
	clear_hook_input &&
	test_fail_interactive_rebase "1 2" --onto A B &&
	echo C > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD^)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -i (skip)' '
	git reset --hard D &&
	clear_hook_input &&
	test_fail_interactive_rebase "2" --onto A B &&
	echo D > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -i (squash)' '
	git reset --hard D &&
	clear_hook_input &&
	test_fail_interactive_rebase "1 squash 2" --onto A B &&
	echo C > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -i (fixup without conflict)' '
	git reset --hard D &&
	clear_hook_input &&
	FAKE_LINES="1 fixup 2" git rebase -i B &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -i (double edit)' '
	git reset --hard D &&
	clear_hook_input &&
	FAKE_LINES="edit 1 edit 2" git rebase -i B &&
	git rebase --continue &&
	echo something > foo &&
	git add foo &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD^)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_expect_success 'git rebase -i (exec)' '
	git reset --hard D &&
	clear_hook_input &&
	FAKE_LINES="edit 1 exec_false 2" git rebase -i B &&
	echo something >bar &&
	git add bar &&
	# Fails because of exec false
	test_must_fail git rebase --continue &&
	git rebase --continue &&
	echo rebase >expected.args &&
	cat >expected.data <<-EOF &&
	$(git rev-parse C) $(git rev-parse HEAD^)
	$(git rev-parse D) $(git rev-parse HEAD)
	EOF
	verify_hook_input
'

test_done

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...