From 837a69dc6ff77d8c93e73a64c067fe60530e4f1b Mon Sep 17 00:00:00 2001

From: Mateusz Kwapich <mitrandir@fb.com>

Date: Sun, 20 Mar 2016 21:52:21 -0700

Subject: [PATCH 1/6] subrepo: set GIT_ALLOW_PROTOCOL to limit git clone

 protocols (SEC)

CVE-2016-3068 (1/1)

Git's git-remote-ext remote helper provides an ext:: URL scheme that

allows running arbitrary shell commands. This feature allows

implementing simple git smart transports with a single shell shell

command. However, git submodules could clone arbitrary URLs specified

in the .gitmodules file. This was reported as CVE-2015-7545 and fixed

in git v2.6.1.

However, if a user directly clones a malicious ext URL, the git client

will still run arbitrary shell commands.

Mercurial is similarly effected. Mercurial allows specifying git

repositories as subrepositories. Git ext:: URLs can be specified as

Mercurial subrepositories allowing arbitrary shell commands to be run

on `hg clone ...`.

The Mercurial community would like to thank Blake Burkhart for

reporting this issue. The description of the issue is copied from

Blake's report.

This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env

variable to git commands  with the same list of allowed protocols that

git submodule is using.

When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it

to git without modifications.

---

 mercurial/subrepo.py     |  5 +++++

 tests/test-subrepo-git.t | 34 ++++++++++++++++++++++++++++++++++

 2 files changed, 39 insertions(+)

diff --git a/mercurial/subrepo.py b/mercurial/subrepo.py

index 3747377..7286f06 100644

--- a/mercurial/subrepo.py

+++ b/mercurial/subrepo.py

@@ -1060,6 +1060,11 @@ class gitsubrepo(abstractsubrepo):

         are not supported and very probably fail.

         """

         self._ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))

+        if env is None:

+            env = os.environ.copy()

+        # fix for Git CVE-2015-7545

+        if 'GIT_ALLOW_PROTOCOL' not in env:

+            env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'

         # unless ui.quiet is set, print git's stderr,

         # which is mostly progress and useful info

         errpipe = None

diff --git a/tests/test-subrepo-git.t b/tests/test-subrepo-git.t

index 9361193..24cb6a2 100644

--- a/tests/test-subrepo-git.t

+++ b/tests/test-subrepo-git.t

@@ -558,3 +558,37 @@ traceback

 #endif

   $ cd ..

+

+test for Git CVE-2016-3068

+  $ hg init malicious-subrepository

+  $ cd malicious-subrepository

+  $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub

+  $ git init s

+  Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/

+  $ cd s

+  $ git commit --allow-empty -m 'empty'

+  [master (root-commit) 153f934] empty

+  $ cd ..

+  $ hg add .hgsub

+  $ hg commit -m "add subrepo"

+  $ cd ..

+  $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected

+  Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...

+  fatal: transport 'ext' not allowed

+  updating to branch default

+  cloning subrepo s from ext::sh -c echo% pwned% >&2

+  abort: git clone error 128 in s (in subrepo s)

+  [255]

+

+whitelisting of ext should be respected (that's the git submodule behaviour)

+  $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed

+  Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...

+  pwned

+  fatal: Could not read from remote repository.

+  

+  Please make sure you have the correct access rights

+  and the repository exists.

+  updating to branch default

+  cloning subrepo s from ext::sh -c echo% pwned% >&2

+  abort: git clone error 128 in s (in subrepo s)

+  [255]

-- 

2.4.11