From 59927cc3acd172d8fe2a742d3d68f3dab0133ed6 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Wed, 6 Feb 2019 11:58:40 -0800
Subject: [PATCH] [PATCH] gitutils: add validation for ref

Signed-off-by: Tonis Tiigi
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu
Origin: upstream, https://github.com/moby/moby/pull/38944
Gbp-Pq: Name cve-2019-13139-01-gitutils-add-validation-for-ref.patch
---
 engine/builder/remotecontext/git/gitutils.go | 7 ++++++-
 .../remotecontext/git/gitutils_test.go | 21 ++++++++++++++++---
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/engine/builder/remotecontext/git/gitutils.go b/engine/builder/remotecontext/git/gitutils.go
index 77a45bef..6213963d 100644
--- a/engine/builder/remotecontext/git/gitutils.go
+++ b/engine/builder/remotecontext/git/gitutils.go
@@ -102,6 +102,11 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) {
 u.Fragment = ""
 repo.remote = u.String()
 }
+
+ if strings.HasPrefix(repo.ref, "-") {
+ return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref)
+ }
+
 return repo, nil
 }

@@ -124,7 +129,7 @@ func fetchArgs(remoteURL string, ref string) []string {
 args = append(args, "--depth", "1")
 }

- return append(args, "origin", ref)
+ return append(args, "origin", "--", ref)
 }

 // Check if a given git URL supports a shallow git clone,
diff --git a/engine/builder/remotecontext/git/gitutils_test.go b/engine/builder/remotecontext/git/gitutils_test.go
index 8c396790..34dd495b 100644
--- a/engine/builder/remotecontext/git/gitutils_test.go
+++ b/engine/builder/remotecontext/git/gitutils_test.go
@@ -59,7 +59,7 @@ func TestCloneArgsSmartHttp(t *testing.T) {
 })

 args := fetchArgs(serverURL.String(), "master")
- exp := []string{"fetch", "--depth", "1", "origin", "master"}
+ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
 assert.Check(t, is.DeepEqual(exp, args))
 }

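Review bot: The new leading-dash check on `repo.ref` carries no comment saying why a ref beginning with "-" is refused, so a later maintainer may read it as an arbitrary restriction and loosen it; add `// Refuse refs that look like command-line options: git would otherwise parse them as flags.` above the `if`. This check is also the only guard for any other git subcommand in this file that receives `ref` as a positional argument without a `--` separator (a checkout step, if one exists outside this hunk) — fetchArgs in the next hunk gets the separator, and such calls should get the same treatment rather than relying on the prefix test alone. parseRemoteURL starts before the hunk, so the code that populates `repo.ref` is not visible here.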
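Review bot: The `"--"` inserted before `ref` is the substantive hardening in fetchArgs, yet nothing in the code records its purpose, which makes it an easy casualty of a future tidy-up; put `// "--" ends option parsing so a user-supplied ref is never interpreted as a git flag.` above the return. With the separator in place, the leading-dash rejection in parseRemoteURL becomes defence in depth for this call rather than the sole barrier, which is worth stating in the same comment. The function's header and the shallow-clone branch lie outside the hunk.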
@@ -75,13 +75,13 @@ func TestCloneArgsDumbHttp(t *testing.T) {
 })

 args := fetchArgs(serverURL.String(), "master")
- exp := []string{"fetch", "origin", "master"}
+ exp := []string{"fetch", "origin", "--", "master"}
 assert.Check(t, is.DeepEqual(exp, args))
 }

 func TestCloneArgsGit(t *testing.T) {
 args := fetchArgs("git://github.com/docker/docker", "master")
- exp := []string{"fetch", "--depth", "1", "origin", "master"}
+ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
 assert.Check(t, is.DeepEqual(exp, args))
 }

@@ -276,3 +276,18 @@ func TestValidGitTransport(t *testing.T) {
 }
 }
 }
+
+func TestGitInvalidRef(t *testing.T) {
+ gitUrls := []string{
+ "git://github.com/moby/moby#--foo bar",
+ "git@github.com/moby/moby#--upload-pack=sleep;:",
+ "git@g.com:a/b.git#-B",
+ "git@g.com:a/b.git#with space",
+ }
+
+ for _, url := range gitUrls {
+ _, err := Clone(url)
+ assert.Assert(t, err != nil)
+ assert.Check(t, is.Contains(strings.ToLower(err.Error()), "invalid refspec"))
+ }
+}
-- 
2.30.2
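Review bot: Only three of the four inputs in TestGitInvalidRef exercise the Go-side check added in this patch; `git@g.com:a/b.git#with space` does not start with "-", so it appears to be rejected only when the git binary itself refuses the refspec during the clone, making that case depend on git being installed and on the wording of git's own error rather than on parseRemoteURL. Either drop it or mark it with a comment such as `// rejected by git's refspec validation, not by parseRemoteURL`, so a failure there is not misread as a regression in this code. `gitUrls` should be `gitURLs` per the Go initialism convention, and the loop variable `url` would shadow the net/url package name if that package is imported in this test file — `u` or `remote` avoids the ambiguity.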