diff options
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-03-26 14:37:25 +0100 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2024-04-17 22:30:04 +0200 |
| commit | e8d0608944486019ea0e1ed2ed29776811a565c2 (patch) | |
| tree | 9dec3da0e9dbd56955d0a65f07016779986c88a3 /t/t7423-submodule-symlinks.sh | |
| parent | clone_submodule: avoid using `access()` on directories (diff) | |
| download | git-e8d0608944486019ea0e1ed2ed29776811a565c2.tar.gz git-e8d0608944486019ea0e1ed2ed29776811a565c2.zip | |
submodule: require the submodule path to contain directories only
Submodules are stored in subdirectories of their superproject. When
these subdirectories have been replaced with symlinks by a malicious
actor, all kinds of mayhem can be caused.
This _should_ not be possible, but many CVEs in the past showed that
_when_ possible, it allows attackers to slip in code that gets executed
during, say, a `git clone --recursive` operation.
Let's add some defense-in-depth to disallow submodule paths to have
anything except directories in them.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to '')
| -rwxr-xr-x | t/t7423-submodule-symlinks.sh | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/t/t7423-submodule-symlinks.sh b/t/t7423-submodule-symlinks.sh index a72f3cbcab..3d3c7af3ce 100755 --- a/t/t7423-submodule-symlinks.sh +++ b/t/t7423-submodule-symlinks.sh @@ -14,15 +14,16 @@ test_expect_success 'prepare' ' git commit -m submodule ' -test_expect_failure SYMLINKS 'git submodule update must not create submodule behind symlink' ' +test_expect_success SYMLINKS 'git submodule update must not create submodule behind symlink' ' rm -rf a b && mkdir b && ln -s b a && + test_path_is_missing b/sm && test_must_fail git submodule update && test_path_is_missing b/sm ' -test_expect_failure SYMLINKS,CASE_INSENSITIVE_FS 'git submodule update must not create submodule behind symlink on case insensitive fs' ' +test_expect_success SYMLINKS,CASE_INSENSITIVE_FS 'git submodule update must not create submodule behind symlink on case insensitive fs' ' rm -rf a b && mkdir b && ln -s b A && @@ -46,7 +47,7 @@ test_expect_success SYMLINKS 'git restore --recurse-submodules must not be confu test_path_is_missing a/target/submodule_file ' -test_expect_failure SYMLINKS 'git restore --recurse-submodules must not migrate git dir of symlinked repo' ' +test_expect_success SYMLINKS 'git restore --recurse-submodules must not migrate git dir of symlinked repo' ' prepare_symlink_to_repo && rm -rf .git/modules && test_must_fail git restore --recurse-submodules a/sm && @@ -55,7 +56,7 @@ test_expect_failure SYMLINKS 'git restore --recurse-submodules must not migrate test_path_is_missing a/target/submodule_file ' -test_expect_failure SYMLINKS 'git checkout -f --recurse-submodules must not migrate git dir of symlinked repo when removing submodule' ' +test_expect_success SYMLINKS 'git checkout -f --recurse-submodules must not migrate git dir of symlinked repo when removing submodule' ' prepare_symlink_to_repo && rm -rf .git/modules && test_must_fail git checkout -f --recurse-submodules initial && |