From cfa4e13f09d07f679ffacdddfbe0ef44d1de32d9 Mon Sep 17 00:00:00 2001

From: Petr Stodulka <pstodulk@redhat.com>

Date: Wed, 28 Oct 2015 15:21:08 +0100

Subject: [PATCH 2/5] transport: add a protocol-whitelist environment variable

If we are cloning an untrusted remote repository into a

sandbox, we may also want to fetch remote submodules in

order to get the complete view as intended by the other

side. However, that opens us up to attacks where a malicious

user gets us to clone something they would not otherwise

have access to (this is not necessarily a problem by itself,

but we may then act on the cloned contents in a way that

exposes them to the attacker).

Ideally such a setup would sandbox git entirely away from

high-value items, but this is not always practical or easy

to set up (e.g., OS network controls may block multiple

protocols, and we would want to enable some but not others).

We can help this case by providing a way to restrict

particular protocols. We use a whitelist in the environment.

This is more annoying to set up than a blacklist, but

defaults to safety if the set of protocols git supports

grows). If no whitelist is specified, we continue to default

to allowing all protocols (this is an "unsafe" default, but

since the minority of users will want this sandboxing

effect, it is the only sensible one).

A note on the tests: ideally these would all be in a single

test file, but the git-daemon and httpd test infrastructure

is an all-or-nothing proposition rather than a test-by-test

prerequisite. By putting them all together, we would be

unable to test the file-local code on machines without

apache.

---

 Documentation/git.txt | 32 ++++++++++++++++++++++++++++++++

 connect.c             |  4 ++++

 transport-helper.c    |  2 ++

 transport.c           | 21 ++++++++++++++++++++-

 transport.h           |  7 +++++++

 5 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/Documentation/git.txt b/Documentation/git.txt

index 443d88f..179a0e8 100644

--- a/Documentation/git.txt

+++ b/Documentation/git.txt

@@ -847,6 +847,38 @@ GIT_LITERAL_PATHSPECS::

 	literal paths to Git (e.g., paths previously given to you by

 	`git ls-tree`, `--raw` diff output, etc).

+`GIT_ALLOW_PROTOCOL`::

+   If set, provide a colon-separated list of protocols which are

+   allowed to be used with fetch/push/clone. This is useful to

+   restrict recursive submodule initialization from an untrusted

+   repository. Any protocol not mentioned will be disallowed (i.e.,

+   this is a whitelist, not a blacklist). If the variable is not

+   set at all, all protocols are enabled.  The protocol names

+   currently used by git are:

+

+     - `file`: any local file-based path (including `file://` URLs,

+       or local paths)

+

+     - `git`: the anonymous git protocol over a direct TCP

+       connection (or proxy, if configured)

+

+     - `ssh`: git over ssh (including `host:path` syntax,

+       `git+ssh://`, etc).

+

+     - `rsync`: git over rsync

+

+     - `http`: git over http, both "smart http" and "dumb http".

+       Note that this does _not_ include `https`; if you want both,

+       you should specify both as `http:https`.

+

+     - any external helpers are named by their protocol (e.g., use

+       `hg` to allow the `git-remote-hg` helper)

++

+Note that this controls only git's internal protocol selection.

+If libcurl is used (e.g., by the `http` transport), it may

+redirect to other protocols. There is not currently any way to

+restrict this.

+

 Discussion[[Discussion]]

 ------------------------

diff --git a/connect.c b/connect.c

index f57efd0..6d4ea13 100644

--- a/connect.c

+++ b/connect.c

@@ -6,6 +6,7 @@

 #include "run-command.h"

 #include "remote.h"

 #include "url.h"

+#include "transport.h"

 static char *server_capabilities;

@@ -587,6 +588,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,

 		 * cannot connect.

 		 */

 		char *target_host = xstrdup(host);

+		transport_check_allowed("git");

 		if (git_use_proxy(host))

 			conn = git_proxy_connect(fd, host);

 		else

@@ -623,6 +625,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,

 	if (protocol == PROTO_SSH) {

 		const char *ssh = getenv("GIT_SSH");

 		int putty = ssh && strcasestr(ssh, "plink");

+		transport_check_allowed("ssh");

 		if (!ssh) ssh = "ssh";

 		*arg++ = ssh;

@@ -639,6 +642,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,

 		/* remove repo-local variables from the environment */

 		conn->env = local_repo_env;

 		conn->use_shell = 1;

+		transport_check_allowed("file");

 	}

 	*arg++ = cmd.buf;

 	*arg = NULL;

diff --git a/transport-helper.c b/transport-helper.c

index 522d791..be8402a 100644

--- a/transport-helper.c

+++ b/transport-helper.c

@@ -932,6 +932,8 @@ int transport_helper_init(struct transport *transport, const char *name)

 	struct helper_data *data = xcalloc(sizeof(*data), 1);

 	data->name = name;

+	transport_check_allowed(name);

+

 	if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))

 		debug = 1;

diff --git a/transport.c b/transport.c

index ba5d8af..733717d 100644

--- a/transport.c

+++ b/transport.c

@@ -894,6 +894,20 @@ static int external_specification_len(const char *url)

 	return strchr(url, ':') - url;

 }

+void transport_check_allowed(const char *type)

+{

+	struct string_list allowed = STRING_LIST_INIT_DUP;

+	const char *v = getenv("GIT_ALLOW_PROTOCOL");

+

+	if (!v)

+		return;

+

+	string_list_split(&allowed, v, ':', -1);

+	if (!unsorted_string_list_has_string(&allowed, type))

+		die("transport '%s' not allowed", type);

+	string_list_clear(&allowed, 0);

+}

+

 struct transport *transport_get(struct remote *remote, const char *url)

 {

 	const char *helper;

@@ -925,12 +939,14 @@ struct transport *transport_get(struct remote *remote, const char *url)

 	if (helper) {

 		transport_helper_init(ret, helper);

 	} else if (!prefixcmp(url, "rsync:")) {

+		transport_check_allowed("rsync");

 		ret->get_refs_list = get_refs_via_rsync;

 		ret->fetch = fetch_objs_via_rsync;

 		ret->push = rsync_transport_push;

 		ret->smart_options = NULL;

 	} else if (is_local(url) && is_file(url) && is_bundle(url, 1)) {

 		struct bundle_transport_data *data = xcalloc(1, sizeof(*data));

+		transport_check_allowed("file");

 		ret->data = data;

 		ret->get_refs_list = get_refs_from_bundle;

 		ret->fetch = fetch_refs_from_bundle;

@@ -942,7 +958,10 @@ struct transport *transport_get(struct remote *remote, const char *url)

 		|| !prefixcmp(url, "ssh://")

 		|| !prefixcmp(url, "git+ssh://")

 		|| !prefixcmp(url, "ssh+git://")) {

-		/* These are builtin smart transports. */

+		/*

+		 * These are builtin smart transports; "allowed" transports

+		 * will be checked individually in git_connect.

+		 */

 		struct git_transport_data *data = xcalloc(1, sizeof(*data));

 		ret->data = data;

 		ret->set_option = NULL;

diff --git a/transport.h b/transport.h

index fcb1d25..2beda7d 100644

--- a/transport.h

+++ b/transport.h

@@ -113,6 +113,13 @@ struct transport {

 /* Returns a transport suitable for the url */

 struct transport *transport_get(struct remote *, const char *);

+/*

+ * Check whether a transport is allowed by the environment,

+ * and die otherwise. type should generally be the URL scheme,

+ * as described in Documentation/git.txt

+ */

+void transport_check_allowed(const char *type);

+

 /* Transport options which apply to git:// and scp-style URLs */

 /* The program to use on the remote side to send a pack */

-- 

2.1.0