From b4361679c96219e6f1805cd802ba47a9c9f86f4d Mon Sep 17 00:00:00 2001
|
|
From: build <build@obs.com>
|
|
Date: Mon, 9 Sep 2019 03:13:51 -0400
|
|
Subject: [PATCH] docker: add validation for ref (CVE-2019-13139)
|
|
|
|
reason: add validation for ref (CVE-2019-13139)
|
|
|
|
Reference from https://github.com/moby/moby/pull/38944
|
|
|
|
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
|
|
Cherry-pick from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe
|
|
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
|
|
---
|
|
.../builder/remotecontext/git/gitutils.go | 6 +++++-
|
|
.../remotecontext/git/gitutils_test.go | 21 ++++++++++++++++---
|
|
2 files changed, 23 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/components/engine/builder/remotecontext/git/gitutils.go b/components/engine/builder/remotecontext/git/gitutils.go
|
|
index 77a45be..a907915 100644
|
|
--- a/components/engine/builder/remotecontext/git/gitutils.go
|
|
+++ b/components/engine/builder/remotecontext/git/gitutils.go
|
|
@@ -102,6 +102,10 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) {
|
|
u.Fragment = ""
|
|
repo.remote = u.String()
|
|
}
|
|
+
|
|
+ if strings.HasPrefix(repo.ref, "-") {
|
|
+ return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref)
|
|
+ }
|
|
return repo, nil
|
|
}
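Review bot: The added rejection at `errors.Errorf("invalid refspec: %s", repo.ref)` interpolates the untrusted ref with `%s`, so a ref containing whitespace or control characters (the test file's `#--foo bar` case) is echoed into the error unescaped; `%q` makes the rejected value unambiguous in logs and still satisfies the test's substring check: `return gitRepo{}, errors.Errorf("invalid refspec: %q", repo.ref)`. The check is the right defence in depth next to the `--` added in fetchArgs, and a why-comment would keep it from being "simplified" away later: `// A ref beginning with "-" could be parsed by git as an option (CVE-2019-13139); reject it before any git command sees it.` Only repo.ref is validated here — if the parsed subdir or remote are also placed on a git command line, they warrant the same scrutiny, but that code is not in this hunk. parseRemoteURL's body begins outside the hunk.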
|
|
|
|
@@ -124,7 +128,7 @@ func fetchArgs(remoteURL string, ref string) []string {
|
|
args = append(args, "--depth", "1")
|
|
}
|
|
|
|
- return append(args, "origin", ref)
|
|
+ return append(args, "origin", "--", ref)
|
|
}
|
|
|
|
// Check if a given git URL supports a shallow git clone,
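Review bot: The `--` inserted before `ref` is the substantive fix and deserves a comment so a later refactor does not drop it: `// "--" ends option parsing so a user-supplied ref can never be read by git as an option (CVE-2019-13139).` This only hardens the fetch invocation; if Clone also passes the ref to `git checkout` or any other subcommand, those calls need the same `--` rather than relying solely on the leading-dash check in parseRemoteURL — that code is outside this hunk, so this is a point to verify. fetchArgs' body begins before the hunk.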
|
|
diff --git a/components/engine/builder/remotecontext/git/gitutils_test.go b/components/engine/builder/remotecontext/git/gitutils_test.go
|
|
index 8c39679..34dd495 100644
|
|
--- a/components/engine/builder/remotecontext/git/gitutils_test.go
|
|
+++ b/components/engine/builder/remotecontext/git/gitutils_test.go
|
|
@@ -59,7 +59,7 @@ func TestCloneArgsSmartHttp(t *testing.T) {
|
|
})
|
|
|
|
args := fetchArgs(serverURL.String(), "master")
|
|
- exp := []string{"fetch", "--depth", "1", "origin", "master"}
|
|
+ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
|
|
assert.Check(t, is.DeepEqual(exp, args))
|
|
}
|
|
|
|
@@ -75,13 +75,13 @@ func TestCloneArgsDumbHttp(t *testing.T) {
|
|
})
|
|
|
|
args := fetchArgs(serverURL.String(), "master")
|
|
- exp := []string{"fetch", "origin", "master"}
|
|
+ exp := []string{"fetch", "origin", "--", "master"}
|
|
assert.Check(t, is.DeepEqual(exp, args))
|
|
}
|
|
|
|
func TestCloneArgsGit(t *testing.T) {
|
|
args := fetchArgs("git://github.com/docker/docker", "master")
|
|
- exp := []string{"fetch", "--depth", "1", "origin", "master"}
|
|
+ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"}
|
|
assert.Check(t, is.DeepEqual(exp, args))
|
|
}
|
|
|
|
@@ -276,3 +276,18 @@ func TestValidGitTransport(t *testing.T) {
|
|
}
|
|
}
|
|
}
|
|
+
|
|
+func TestGitInvalidRef(t *testing.T) {
|
|
+ gitUrls := []string{
|
|
+ "git://github.com/moby/moby#--foo bar",
|
|
+ "git@github.com/moby/moby#--upload-pack=sleep;:",
|
|
+ "git@g.com:a/b.git#-B",
|
|
+ "git@g.com:a/b.git#with space",
|
|
+ }
|
|
+
|
|
+ for _, url := range gitUrls {
|
|
+ _, err := Clone(url)
|
|
+ assert.Assert(t, err != nil)
|
|
+ assert.Check(t, is.Contains(strings.ToLower(err.Error()), "invalid refspec"))
|
|
+ }
|
|
+}
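Review bot: Of the four inputs, only the three refs beginning with `-` are rejected by the new HasPrefix check; `git@g.com:a/b.git#with space` must get its "invalid refspec" text from somewhere else — presumably git's own stderr when Clone runs the fetch — so that case couples the test to an installed git binary and its message wording, and should be either a separate subtest or annotated with a comment saying so. Consider exercising parseRemoteURL directly for the dash cases so the assertion does not depend on git being present. Naming: `gitUrls` should be `gitURLs` per Go initialism convention, and the loop variable `url` shadows the `net/url` package if this test file imports it.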
|
|
--
|
|
2.20.1
|
|
|