File: cve-2019-13139-01-gitutils-add-validation-for-ref.patch

From: Tonis Tiigi <tonistiigi@gmail.com>
Date: Wed, 6 Feb 2019 11:58:40 -0800
Subject: [PATCH] gitutils: add validation for ref

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Origin: upstream, https://github.com/moby/moby/pull/38944
---
 builder/remotecontext/git/gitutils.go      |  7 ++++++-
 builder/remotecontext/git/gitutils_test.go | 21 ++++++++++++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/engine/builder/remotecontext/git/gitutils.go b/engine/builder/remotecontext/git/gitutils.go
index 77a45beff31c..6213963db2e1 100644
--- a/engine/builder/remotecontext/git/gitutils.go
+++ b/engine/builder/remotecontext/git/gitutils.go
@@ -102,6 +102,11 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) {
 		u.Fragment = ""
 		repo.remote = u.String()
 	}
+
+	if strings.HasPrefix(repo.ref, "-") {
+		return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref)
+	}
+
 	return repo, nil
 }
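Review bot: The new guard in parseRemoteURL gives no reason for rejecting a leading `-`, and the `--` added to fetchArgs in the next hunk is equally unexplained, so a later reader may drop one of them as redundant with the other. Suggest `// Reject refs that look like options: git would otherwise parse them as flags. fetchArgs also passes "--", but failing here gives an early, clear error.` above the `if`, and `// "--" ends option parsing so ref is never read as a flag, even if validation is bypassed.` on the return in fetchArgs. Note that only a leading `-` is checked here; other malformed refs, such as ones containing spaces that the new test also exercises, appear to be left for git itself to reject. parseRemoteURL begins outside the hunk.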
 
@@ -124,7 +129,7 @@ func fetchArgs(remoteURL string, ref string) []string {
 		args = append(args, "--depth", "1")
 	}
 
-	return append(args, "origin", ref)
+	return append(args, "origin", "--", ref)
 }
 
 // Check if a given git URL supports a shallow git clone,
diff --git a/engine/builder/remotecontext/git/gitutils_test.go b/engine/builder/remotecontext/git/gitutils_test.go
index 8c39679081f1..34dd495b5ca3 100644
--- a/engine/builder/remotecontext/git/gitutils_test.go
+++ b/engine/builder/remotecontext/git/gitutils_test.go
@@ -59,7 +59,7 @@ func TestCloneArgsSmartHttp(t *testing.T) {
 	})
 
 	args := fetchArgs(serverURL.String(), "master")
-	exp := []string{"fetch", "--depth", "1", "origin", "master"}
+	exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
 	assert.Check(t, is.DeepEqual(exp, args))
 }
 
@@ -75,13 +75,13 @@ func TestCloneArgsDumbHttp(t *testing.T) {
 	})
 
 	args := fetchArgs(serverURL.String(), "master")
-	exp := []string{"fetch", "origin", "master"}
+	exp := []string{"fetch", "origin", "--", "master"}
 	assert.Check(t, is.DeepEqual(exp, args))
 }
 
 func TestCloneArgsGit(t *testing.T) {
 	args := fetchArgs("git://github.com/docker/docker", "master")
-	exp := []string{"fetch", "--depth", "1", "origin", "master"}
+	exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
 	assert.Check(t, is.DeepEqual(exp, args))
 }
 
@@ -276,3 +276,18 @@ func TestValidGitTransport(t *testing.T) {
 		}
 	}
 }
+
+func TestGitInvalidRef(t *testing.T) {
+	gitUrls := []string{
+		"git://github.com/moby/moby#--foo bar",
+		"git@github.com/moby/moby#--upload-pack=sleep;:",
+		"git@g.com:a/b.git#-B",
+		"git@g.com:a/b.git#with space",
+	}
+
+	for _, url := range gitUrls {
+		_, err := Clone(url)
+		assert.Assert(t, err != nil)
+		assert.Check(t, is.Contains(strings.ToLower(err.Error()), "invalid refspec"))
+	}
+}
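Review bot: `gitUrls` should be `gitURLs` to follow Go's initialism convention, matching `remoteURL` used elsewhere in this patch. The `#with space` case is not rejected by the new HasPrefix check in parseRemoteURL, so its `invalid refspec` message presumably comes from the git binary that Clone invokes; the test then depends on git being installed and on the wording of its error, which deserves a comment such as `// "with space" is rejected by git itself, not by parseRemoteURL.` above that entry. Consider also separating the cases the new validation is meant to catch from the one that relies on git, so a failure points at the right layer.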