author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-09-18 14:32:05 +0200 |
---|---|---|
committer | Edward Thomson <ethomson@edwardthomson.com> | 2019-12-10 18:01:06 +1000 |
commit | 3f7851eadca36a99627ad78cbe56a40d3776ed01 (patch) | |
tree | 67d01afdbd39f4248b9d904dc14d40931bd437ff /tests/resources | |
parent | 64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 (diff) | |
download | libgit2-3f7851eadca36a99627ad78cbe56a40d3776ed01.tar.gz |
Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS

A little-known feature of NTFS is that it offers to store metadata in
so-called "Alternate Data Streams" (inspired by Apple's "resource
forks") that are copied together with the file they are associated with.
These Alternate Data Streams can be accessed via `<file name>:<stream
name>:<stream type>`.

Directories, too, have Alternate Data Streams, and they even have a
default stream type `$INDEX_ALLOCATION`. Which means that `abc/` and
`abc::$INDEX_ALLOCATION/` are actually equivalent.

This is of course another attack vector on the Git directory that we
definitely want to prevent.

On Windows, we already do this incidentally, by disallowing colons in
file/directory names.

While it looks as if files'/directories' Alternate Data Streams are not
accessible in the Windows Subsystem for Linux, and neither via
CIFS/SMB-mounted network shares in Linux, it _is_ possible to access
them on SMB-mounted network shares on macOS.

Therefore, let's go the extra mile and prevent this particular attack
_everywhere_. To keep things simple, let's just disallow *any* Alternate
Data Stream of `.git`.

This is libgit2's variant of CVE-2019-1352.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
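
One way to express the rule from the commit message above (reject any Alternate Data Stream of `.git`), as an added example in C; it is not libgit2's code, and the function names `component_is_dotgit_ads` and `path_has_dotgit_ads` are hypothetical. It assumes '/'-separated paths and compares without regard to case, because NTFS name lookup ignores case by default.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: 1 if one path component names an Alternate Data
 * Stream of ".git", i.e. ".git" (any case) directly followed by ':'.
 * A plain ".git" component is not flagged here; that is a separate check. */
static int component_is_dotgit_ads(const char *name, size_t len)
{
    static const char dotgit[] = ".git";
    size_t i;

    if (len < 5) /* shortest match is ".git:" */
        return 0;
    for (i = 0; i < 4; i++)
        if (tolower((unsigned char)name[i]) != dotgit[i])
            return 0;
    return name[4] == ':';
}

/* Hypothetical helper: walk a '/'-separated path and report whether any
 * component is an Alternate Data Stream of ".git". */
int path_has_dotgit_ads(const char *path)
{
    const char *start = path;
    const char *p;

    for (p = path; ; p++) {
        if (*p == '/' || *p == '\0') {
            if (component_is_dotgit_ads(start, (size_t)(p - start)))
                return 1;
            if (*p == '\0')
                return 0;
            start = p + 1;
        }
    }
}

int main(void)
{
    /* Constructed sample paths, not taken from the test fixture. */
    printf("%d\n", path_has_dotgit_ads(".git::$INDEX_ALLOCATION/config"));
    printf("%d\n", path_has_dotgit_ads("src/.gitignore"));
    return 0;
}
```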
Diffstat (limited to 'tests/resources')
-rw-r--r-- | tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86 | bin | 0 -> 55 bytes | |||
-rw-r--r-- | tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7 | bin | 0 -> 65 bytes | |||
-rw-r--r-- | tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513 | bin | 0 -> 135 bytes | |||
-rw-r--r-- | tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream | 1 |
4 files changed, 1 insertions, 0 deletions
diff --git a/tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86 b/tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86 Binary files differnew file mode 100644 index 000000000..e539ccfec --- /dev/null +++ b/tests/resources/nasty/.gitted/objects/33/8190107c7ee7d8f5aa30061fc19b7d5ddcda86 diff --git a/tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7 b/tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7 Binary files differnew file mode 100644 index 000000000..9f7679917 --- /dev/null +++ b/tests/resources/nasty/.gitted/objects/97/c14994866466aeb73e769a6f34e07c7f4b53f7 diff --git a/tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513 b/tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513 Binary files differnew file mode 100644 index 000000000..bf446263c --- /dev/null +++ b/tests/resources/nasty/.gitted/objects/b8/edf3ad62dbcbc983857a5bfee7b0181ee1a513 diff --git a/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream b/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream new file mode 100644 index 000000000..ecdd340cd --- /dev/null +++ b/tests/resources/nasty/.gitted/refs/heads/dotgit_alternate_data_stream @@ -0,0 +1 @@ +b8edf3ad62dbcbc983857a5bfee7b0181ee1a513 |
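Review bot: The three objects added under tests/resources/nasty/.gitted/objects/ are binary, so nothing in this patch shows which file name the dotgit_alternate_data_stream branch actually stores, for instance whether it is the `.git::$INDEX_ALLOCATION/` spelling from the commit message or a named stream. Please record the exact tree entry name, and which of 338190, 97c149 and b8edf3 is the blob, the tree and the commit, in a comment next to the test that uses this branch, so the fixture can be audited and regenerated without unpacking the loose objects. Since the commit message says *any* Alternate Data Stream of `.git` is to be rejected, a single ref covers only one spelling; a second fixture entry for the other form would make the test match the stated rule.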