From: Patrick Steinhardt <ps@pks.im>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 8/8] refs: check refnames as fully qualified when resolving
Date: Tue, 30 Apr 2024 06:54:12 +0200 [thread overview]
Message-ID: <ZjB5dPoEoq8D6qzJ@tanuki> (raw)
In-Reply-To: <20240429083533.GG233423@coredump.intra.peff.net>
[-- Attachment #1: Type: text/plain, Size: 2271 bytes --]
On Mon, Apr 29, 2024 at 04:35:33AM -0400, Jeff King wrote:
> Most code paths for resolving refs end up in refs_resolve_ref_unsafe(),
> which checks the names using check_refname_format(). The names we have
> at this stage are always full refnames, but we pass the ALLOW_ONELEVEL
> flag so that the function allows pseudorefs like MERGE_HEAD. We should
> instead pass the FULLY_QUALIFIED flag, which lets check_refname_format()
> do some extra syntactic checks on those pseudorefs.
>
> With this patch we'll refuse to read anything outside of refs/ that does
> not match the usual pseudoref syntax (all caps plus dashes). This should
s/dashes/underscores
> not be a loss of functionality (since such refs cannot be written as of
> the previous commit), but may protect us from mischief. For example, you
> can ask for silly things like "info/refs", "rr-cache/<sha1>/postimage",
> or "objects/info/commit-graphs/commit-graph-chain". It's doubtful you
> can really do anything _too_ terrible there, but it seems like peeking
> at random files in .git in response to possibly untrusted input is
> something we should avoid.
Agreed.
[snip]
> diff --git a/t/t1430-bad-ref-name.sh b/t/t1430-bad-ref-name.sh
> index 120e1557d7..5fb780cb08 100755
> --- a/t/t1430-bad-ref-name.sh
> +++ b/t/t1430-bad-ref-name.sh
> @@ -400,4 +400,14 @@ test_expect_success 'update-ref refuses non-underscore outside of refs/' '
> test_grep "refusing to update ref with bad name" err
> '
>
> +test_expect_success REFFILES 'rev-parse refuses non-pseudoref outside of refs/' '
> + git rev-parse HEAD >.git/bad &&
> + test_must_fail git rev-parse --verify bad
> +'
> +
> +test_expect_success REFFILES 'rev-parse recognizes non-pseudoref via worktree' '
> + git rev-parse HEAD >.git/bad &&
> + test_must_fail git rev-parse --verify main-worktree/bad
> +'
Are these really specific to the REFFILES backend? I would expect that
the reftable backend sohuld fail to parse those, too. The fact that we
write into the repository directly during the test setup doesn't change
this, because all this patch is about is that we don't want to parse
random files in the Git repo. And that is something we should want to
enforce for all backends.
Patrick
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-04-30 4:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-29 8:35 [PATCH 8/8] refs: check refnames as fully qualified when resolving Jeff King
2024-04-30 4:54 ` Patrick Steinhardt [this message]
2024-04-30 10:41 ` Jeff King
2024-04-30 11:25 ` Patrick Steinhardt
2024-05-03 17:55 ` Jeff King
2024-05-06 6:22 ` Patrick Steinhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZjB5dPoEoq8D6qzJ@tanuki \
--to=ps@pks.im \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).