View Javadoc
1   /*
2    * Copyright (C) 2018, Google LLC.
3    * and other copyright owners as documented in the project's IP log.
4    *
5    * This program and the accompanying materials are made available
6    * under the terms of the Eclipse Distribution License v1.0 which
7    * accompanies this distribution, is reproduced below, and is
8    * available at http://www.eclipse.org/org/documents/edl-v10.php
9    *
10   * All rights reserved.
11   *
12   * Redistribution and use in source and binary forms, with or
13   * without modification, are permitted provided that the following
14   * conditions are met:
15   *
16   * - Redistributions of source code must retain the above copyright
17   *   notice, this list of conditions and the following disclaimer.
18   *
19   * - Redistributions in binary form must reproduce the above
20   *   copyright notice, this list of conditions and the following
21   *   disclaimer in the documentation and/or other materials provided
22   *   with the distribution.
23   *
24   * - Neither the name of the Eclipse Foundation, Inc. nor the
25   *   names of its contributors may be used to endorse or promote
26   *   products derived from this software without specific prior
27   *   written permission.
28   *
29   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
30   * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
31   * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
34   * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
35   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
36   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
37   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
41   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42   */
43  package org.eclipse.jgit.internal.submodule;
44  
45  import static org.eclipse.jgit.lib.ConfigConstants.CONFIG_KEY_PATH;
46  import static org.eclipse.jgit.lib.ConfigConstants.CONFIG_KEY_URL;
47  import static org.eclipse.jgit.lib.ConfigConstants.CONFIG_SUBMODULE_SECTION;
48  import static org.eclipse.jgit.lib.ObjectChecker.ErrorType.GITMODULES_NAME;
49  import static org.eclipse.jgit.lib.ObjectChecker.ErrorType.GITMODULES_PARSE;
50  import static org.eclipse.jgit.lib.ObjectChecker.ErrorType.GITMODULES_PATH;
51  import static org.eclipse.jgit.lib.ObjectChecker.ErrorType.GITMODULES_URL;
52  
53  import java.text.MessageFormat;
54  
55  import org.eclipse.jgit.errors.ConfigInvalidException;
56  import org.eclipse.jgit.internal.JGitText;
57  import org.eclipse.jgit.lib.Config;
58  import org.eclipse.jgit.lib.ObjectChecker;
59  
60  /**
61   * Validations for the git submodule fields (name, path, uri).
62   *
63   * Invalid values in these fields can cause security problems as reported in
64   * CVE-2018-11235 and CVE-2018-17456
65   */
66  public class SubmoduleValidator {
67  
68  	/**
69  	 * Error validating a git submodule declaration
70  	 */
71  	public static class SubmoduleValidationException extends Exception {
72  
73  		private static final long serialVersionUID = 1L;
74  
75  		private final ObjectChecker.ErrorType fsckMessageId;
76  
77  		/**
78  		 * @param message
79  		 *            Description of the problem
80  		 * @param fsckMessageId
81  		 *            Error identifier, following the git fsck fsck.<msg-id>
82  		 *            format
83  		 */
84  		SubmoduleValidationException(String message,
85  				ObjectChecker.ErrorType fsckMessageId) {
86  			super(message);
87  			this.fsckMessageId = fsckMessageId;
88  		}
89  
90  
91  		/**
92  		 * @return the error identifier
93  		 */
94  		public ObjectChecker.ErrorType getFsckMessageId() {
95  			return fsckMessageId;
96  		}
97  	}
98  
99  	/**
100 	 * Validate name for a submodule
101 	 *
102 	 * @param name
103 	 *            name of a submodule
104 	 * @throws SubmoduleValidationException
105 	 *             name doesn't seem valid (detail in message)
106 	 */
107 	public static void assertValidSubmoduleName(String name)
108 			throws SubmoduleValidationException {
109 		if (name.contains("/../") || name.contains("\\..\\") //$NON-NLS-1$ //$NON-NLS-2$
110 				|| name.startsWith("../") || name.startsWith("..\\") //$NON-NLS-1$ //$NON-NLS-2$
111 				|| name.endsWith("/..") || name.endsWith("\\..")) { //$NON-NLS-1$ //$NON-NLS-2$
112 			// Submodule names are used to store the submodule repositories
113 			// under $GIT_DIR/modules. Having ".." in submodule names makes a
114 			// vulnerability (CVE-2018-11235
115 			// https://bugs.eclipse.org/bugs/show_bug.cgi?id=535027#c0)
116 			// Reject names containing ".." path segments. We don't
117 			// automatically replace these characters or canonicalize by
118 			// regarding the name as a file path.
119 			// Since Path class is platform dependent, we manually check '/' and
120 			// '\\' patterns here.
121 			throw new SubmoduleValidationException(MessageFormat
122 					.format(JGitText.get().invalidNameContainsDotDot, name),
123 					GITMODULES_NAME);
124 		}
125 
126 		if (name.startsWith("-")) { //$NON-NLS-1$
127 			throw new SubmoduleValidationException(
128 					MessageFormat.format(
129 							JGitText.get().submoduleNameInvalid, name),
130 					GITMODULES_NAME);
131 		}
132 	}
133 
134 	/**
135 	 * Validate URI for a submodule
136 	 *
137 	 * @param uri
138 	 *            uri of a submodule
139 	 * @throws SubmoduleValidationException
140 	 *             uri doesn't seem valid
141 	 */
142 	public static void assertValidSubmoduleUri(String uri)
143 			throws SubmoduleValidationException {
144 		if (uri.startsWith("-")) { //$NON-NLS-1$
145 			throw new SubmoduleValidationException(
146 					MessageFormat.format(
147 							JGitText.get().submoduleUrlInvalid, uri),
148 					GITMODULES_URL);
149 		}
150 	}
151 
152 	/**
153 	 * Validate path for a submodule
154 	 *
155 	 * @param path
156 	 *            path of a submodule
157 	 * @throws SubmoduleValidationException
158 	 *             path doesn't look right
159 	 */
160 	public static void assertValidSubmodulePath(String path)
161 			throws SubmoduleValidationException {
162 		if (path.startsWith("-")) { //$NON-NLS-1$
163 			throw new SubmoduleValidationException(
164 					MessageFormat.format(
165 							JGitText.get().submodulePathInvalid, path),
166 					GITMODULES_PATH);
167 		}
168 	}
169 
170 	/**
171 	 * Validate a .gitmodules file
172 	 *
173 	 * @param gitModulesContents
174 	 *            Contents of a .gitmodule file. They will be parsed internally.
175 	 * @throws SubmoduleValidationException
176 	 *             if the contents don't look like a configuration file or field
177 	 *             values are not valid
178 	 */
179 	public static void assertValidGitModulesFile(String gitModulesContents)
180 			throws SubmoduleValidationException {
181 		Config c = new Config();
182 		try {
183 			c.fromText(gitModulesContents);
184 			for (String subsection :
185 					c.getSubsections(CONFIG_SUBMODULE_SECTION)) {
186 				assertValidSubmoduleName(subsection);
187 
188 				String url = c.getString(
189 						CONFIG_SUBMODULE_SECTION, subsection, CONFIG_KEY_URL);
190 				if (url != null) {
191 					assertValidSubmoduleUri(url);
192 				}
193 
194 				String path = c.getString(
195 						CONFIG_SUBMODULE_SECTION, subsection, CONFIG_KEY_PATH);
196 				if (path != null) {
197 					assertValidSubmodulePath(path);
198 				}
199 			}
200 		} catch (ConfigInvalidException e) {
201 			throw new SubmoduleValidationException(
202 					JGitText.get().invalidGitModules,
203 					GITMODULES_PARSE);
204 		}
205 	}
206 }