delta/libgit2.git/tests/submodule/escape.c, branch ethomson/find_executable github.com: libgit2/libgit2.git str: introduce `git_str` for internal, `git_buf` is external 2021-10-17T13:49:01+00:00 Edward Thomson ethomson@edwardthomson.com 2021-09-07T21:53:49+00:00 f0e693b18afbe1de37d7da5b5a8967b6c87d8e53 libgit2 has two distinct requirements that were previously solved by `git_buf`. We require: 1. A general purpose string class that provides a number of utility APIs for manipulating data (eg, concatenating, truncating, etc). 2. A structure that we can use to return strings to callers that they can take ownership of. By using a single class (`git_buf`) for both of these purposes, we have confused the API to the point that refactorings are difficult and reasoning about correctness is also difficult. Move the utility class `git_buf` to be called `git_str`: this represents its general purpose, as an internal string buffer class. The name also is an homage to Junio Hamano ("gitstr"). The public API remains `git_buf`, and has a much smaller footprint. It is generally only used as an "out" param with strict requirements that follow the documentation. (Exceptions exist for some legacy APIs to avoid breaking callers unnecessarily.) Utility functions exist to convert a user-specified `git_buf` to a `git_str` so that we can call internal functions, then converting it back again. 
libgit2 has two distinct requirements that were previously solved by
`git_buf`.  We require:

1. A general purpose string class that provides a number of utility APIs
   for manipulating data (eg, concatenating, truncating, etc).
2. A structure that we can use to return strings to callers that they
   can take ownership of.

By using a single class (`git_buf`) for both of these purposes, we have
confused the API to the point that refactorings are difficult and
reasoning about correctness is also difficult.

Move the utility class `git_buf` to be called `git_str`: this represents
its general purpose, as an internal string buffer class.  The name also
is an homage to Junio Hamano ("gitstr").

The public API remains `git_buf`, and has a much smaller footprint.  It
is generally only used as an "out" param with strict requirements that
follow the documentation.  (Exceptions exist for some legacy APIs to
avoid breaking callers unnecessarily.)

Utility functions exist to convert a user-specified `git_buf` to a
`git_str` so that we can call internal functions, then converting it
back again.
fileops: rename to "futils.h" to match function signatures 2019-07-20T17:11:20+00:00 Patrick Steinhardt ps@pks.im 2019-06-29T07:17:32+00:00 e54343a4024e75dfaa940e652c2c9799d33634b2 Our file utils functions all have a "futils" prefix, e.g. `git_futils_touch`. One would thus naturally guess that their definitions and implementation would live in files "futils.h" and "futils.c", respectively, but in fact they live in "fileops.h". Rename the files to match expectations. 
Our file utils functions all have a "futils" prefix, e.g.
`git_futils_touch`. One would thus naturally guess that their
definitions and implementation would live in files "futils.h" and
"futils.c", respectively, but in fact they live in "fileops.h".

Rename the files to match expectations.
Convert usage of `git_buf_free` to new `git_buf_dispose` 2018-06-10T17:34:37+00:00 Patrick Steinhardt ps@pks.im 2018-02-08T11:14:48+00:00 ecf4f33a4e327a91496f72816f9f02d923e5af05 






submodule: plug leaks from the escape detection
2018-05-24T18:28:36+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-05-24T18:28:36+00:00

9e723db877f3c310f826f517ebe509722aad22eb












submodule: also validate Windows-separated paths for validity
2018-05-14T15:30:59+00:00

Carlos Martín Nieto
carlosmn@github.com

2018-05-14T14:03:15+00:00

397abe9832a1baa7a822f4c63fa9730a3438aa7a

Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to
protect Windows users.

Ideally we would check for both separators without the need for the copied
string, but this'll get us over the RCE.





Otherwise we would also admit `..\..\foo\bar` as a valid path and fail to
protect Windows users.

Ideally we would check for both separators without the need for the copied
string, but this'll get us over the RCE.







submodule: ignore submodules which include path traversal in their name
2018-05-09T18:29:49+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-04-30T11:47:15+00:00

6b15ceac0ad19ab671995e9926b492e93703ed0f

If the we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.

This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.

The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.





If the we decide that the "name" of the submodule (i.e. its path inside
`.git/modules/`) is trying to escape that directory or otherwise trick us, we
ignore the configuration for that submodule.

This leaves us with a half-configured submodule when looking it up by path, but
it's the same result as if the configuration really were missing.

The name check is potentially more strict than it needs to be, but it lets us
re-use the check we're doing for the checkout. The function that encapsulates
this logic is ready to be exported but we don't want to do that in a security
release so it remains internal for now.







submodule: add a failing test for a submodule escaping .git/modules
2018-04-30T11:03:44+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-04-30T11:03:44+00:00

7553763aca0068fd331f2ba07fbe960605f04bb6

We should pretend such submdules do not exist as it can lead to RCE.





We should pretend such submdules do not exist as it can lead to RCE.