File 0003-Disallow-NTFS-Alternate-Data-Stream-attack... of Package libgit2.25920

Overview Repositories Revisions Requests Users Attributes Meta

File 0003-Disallow-NTFS-Alternate-Data-Stream-attacks-even-on-Linux-macOS.patch of Package libgit2.25920

From 3595e237c98bcae11e655826d12f29361637510d Mon Sep 17 00:00:00 2001
From: Johannes Schindelin <johannes.schindelin@gmx.de>
Date: Wed, 18 Sep 2019 14:32:05 +0200
Subject: [PATCH] Disallow NTFS Alternate Data Stream attacks, even on
 Linux/macOS

A little-known feature of NTFS is that it offers to store metadata in
so-called "Alternate Data Streams" (inspired by Apple's "resource
forks") that are copied together with the file they are associated with.
These Alternate Data Streams can be accessed via `<file name>:<stream
name>:<stream type>`.

Directories, too, have Alternate Data Streams, and they even have a
default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
`abc::$INDEX_ALLOCATION/` are actually equivalent.

This is of course another attack vector on the Git directory that we
definitely want to prevent.

On Windows, we already do this incidentally, by disallowing colons in
file/directory names.

While it looks as if files'/directories' Alternate Data Streams are not
accessible in the Windows Subsystem for Linux, and neither via
CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
them on SMB-mounted network shares on macOS.

Therefore, let's go the extra mile and prevent this particular attack
_everywhere_. To keep things simple, let's just disallow *any* Alternate
Data Stream of `.git`.

This is libgit2's variant of CVE-2019-1352.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 src/path.c                                        |   8 ++++++--
 tests/checkout/nasty.c                            |  10 ++++++++++
 .../33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86     | Bin 0 -> 55 bytes
 .../97/c14994866466aeb73e769a6f34e07c7f4b53f7     | Bin 0 -> 65 bytes
 .../b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513     | Bin 0 -> 135 bytes
 .../refs/heads/dotgit_alternate_data_stream       |   1 +
 6 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86
 create mode 100644 tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7
 create mode 100644 tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513
 create mode 100644 tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream

diff --git a/src/path.c b/src/path.c
index 32cae8e5a4a..6f22b08e9a8 100644
--- a/src/path.c
+++ b/src/path.c
@@ -1609,8 +1609,12 @@ GIT_INLINE(bool) verify_dotgit_ntfs(git_repository *repo, const char *path, size
 	if (!start)
 		return true;
 
-	/* Reject paths like ".git\" */
-	if (path[start] == '\\')
+	/*
+	 * Reject paths that start with Windows-style directory separators
+	 * (".git\") or NTFS alternate streams (".git:") and could be used
+	 * to write to the ".git" directory on Windows platforms.
+	 */
+	if (path[start] == '\\' || path[start] == ':')
 		return false;
 
 	/* Reject paths like '.git ' or '.git.' */
#diff --git a/tests/checkout/nasty.c b/tests/checkout/nasty.c
#index 96f717fc84d..2a602951b07 100644
#--- a/tests/checkout/nasty.c
#+++ b/tests/checkout/nasty.c
#@@ -273,6 +273,16 @@ void test_checkout_nasty__dot_git_colon_stuff(void)
# #endif
# }
# 
#+/* A tree that contains an entry ".git::$INDEX_ALLOCATION" because NTFS
#+ * will interpret that as a synonym to ".git", even when mounted via SMB
#+ * on macOS.
#+ */
#+void test_checkout_nasty__dotgit_alternate_data_stream(void)
#+{
#+	test_checkout_fails("refs/heads/dotgit_alternate_data_stream", ".git/dummy-file");
#+	test_checkout_fails("refs/heads/dotgit_alternate_data_stream", ".git::$INDEX_ALLOCATION/dummy-file");
#+}
#+
# /* Trees that contains entries with a tree ".git" that contain
#  * byte sequences:
#  * { 0xe2, 0x80, 0x8c }
#diff --git a/tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86 b/tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86
#new file mode 100644
#index 0000000000000000000000000000000000000000..e539ccfec8c43db1325ff541dd2c7dd85af1e15f
#GIT binary patch
#literal 55
#zcmV-70LcG%0V^p=O;s?qU@$Z=Ff%bxNGZ+Dt<+7+%t>W%5-z(vuj^e)-Q04IiO&sY
#NEO(5X0sv#U5x7hO7PbHY
#
#literal 0
#HcmV?d00001
#
#diff --git a/tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7 b/tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7
#new file mode 100644
#index 0000000000000000000000000000000000000000..9f7679917366fddca6e67c6eb66c3a4374a72b3e
#GIT binary patch
#literal 65
#zcmb<m)YkO!4K*-LFfe3bV%_`YjF7grsK34V^^OX6dHMSE;{yKm_H2)jaWa{fp3kp|
#VO+BDiUr?6&W^QyY!`EJs767dP7q0*S
#
#literal 0
#HcmV?d00001
#
#diff --git a/tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513 b/tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513
#new file mode 100644
#index 0000000000000000000000000000000000000000..bf446263c73d70d8c1724c7a2f4c6407693c6a2f
#GIT binary patch
#literal 135
#zcmV;20C@j+0j-Zg3c@fD06pgwdl$;K*=`aL@$9uPNYjn2m;~Ag`g=vh7kHh+FcV5j
#zON9<;S62~mCbZ-nS!QDPG8!$0o#&`Y&;%1{>~%EC-|JjfIG5SyEE^1AUh*WjCBxzR
#ph0XSZr%QS?lN_P#*;;hmA?&e3RN+%l<sU9JyeE8mHZPJ1L?ZqSJ#YX3
#
#literal 0
#HcmV?d00001
#
#diff --git a/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream b/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream
#new file mode 100644
#index 00000000000..ecdd340cd44
#--- /dev/null
#+++ b/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream
#@@ -0,0 +1 @@
#+b8edf3ad62dbcbc983857a5bfee7b0181ee1a513

Places

File 0003-Disallow-NTFS-Alternate-Data-Stream-attacks-even-on-Linux-macOS.patch of Package libgit2.25920

Places