[PATCH] gitutils: add validation for ref

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Origin: upstream, https://github.com/moby/moby/pull/38944

Gbp-Pq: Name cve-2019-13139-01-gitutils-add-validation-for-ref.patch

diff --git a/engine/builder/remotecontext/git/gitutils.go b/engine/builder/remotecontext/git/gitutils.go
index 77a45beff31ccf1555d59091d7ec903f3abc474a..6213963db2e117277f819a5483d0289cca0e531f 100644 (file)
--- a/engine/builder/remotecontext/git/gitutils.go
+++ b/engine/builder/remotecontext/git/gitutils.go
@@ -102,6 +102,11 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) {
                u.Fragment = ""
                repo.remote = u.String()
        }
+
+       if strings.HasPrefix(repo.ref, "-") {
+               return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref)
+       }
+
        return repo, nil
 }
 
@@ -124,7 +129,7 @@ func fetchArgs(remoteURL string, ref string) []string {
                args = append(args, "--depth", "1")
        }
 
-       return append(args, "origin", ref)
+       return append(args, "origin", "--", ref)
 }
 
 // Check if a given git URL supports a shallow git clone,

diff --git a/engine/builder/remotecontext/git/gitutils_test.go b/engine/builder/remotecontext/git/gitutils_test.go
index 8c39679081f1e9acb9bccefbde5e33bde5388f56..34dd495b5ca37736716e341eb56c4fea80ad24dc 100644 (file)
--- a/engine/builder/remotecontext/git/gitutils_test.go
+++ b/engine/builder/remotecontext/git/gitutils_test.go
@@ -59,7 +59,7 @@ func TestCloneArgsSmartHttp(t *testing.T) {
        })
 
        args := fetchArgs(serverURL.String(), "master")
-       exp := []string{"fetch", "--depth", "1", "origin", "master"}
+       exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
        assert.Check(t, is.DeepEqual(exp, args))
 }
 
@@ -75,13 +75,13 @@ func TestCloneArgsDumbHttp(t *testing.T) {
        })
 
        args := fetchArgs(serverURL.String(), "master")
-       exp := []string{"fetch", "origin", "master"}
+       exp := []string{"fetch", "origin", "--", "master"}
        assert.Check(t, is.DeepEqual(exp, args))
 }
 
 func TestCloneArgsGit(t *testing.T) {
        args := fetchArgs("git://github.com/docker/docker", "master")
-       exp := []string{"fetch", "--depth", "1", "origin", "master"}
+       exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
        assert.Check(t, is.DeepEqual(exp, args))
 }
 
@@ -276,3 +276,18 @@ func TestValidGitTransport(t *testing.T) {
                }
        }
 }
+
+func TestGitInvalidRef(t *testing.T) {
+       gitUrls := []string{
+               "git://github.com/moby/moby#--foo bar",
+               "git@github.com/moby/moby#--upload-pack=sleep;:",
+               "git@g.com:a/b.git#-B",
+               "git@g.com:a/b.git#with space",
+       }
+
+       for _, url := range gitUrls {
+               _, err := Clone(url)
+               assert.Assert(t, err != nil)
+               assert.Check(t, is.Contains(strings.ToLower(err.Error()), "invalid refspec"))
+       }
+}