repo command allows arbitrary command execution through usage of ext remote urls in manifest

[GoogleCodeExporter]

The recent security update to git[0] also affects Google's repo command.

git's git-remote-ext remote helper provides an ext:: URL scheme that allows 
running arbitrary shell commands. This feature allows implementing simple git 
smart transports with a single shell shell command. However, git submodules can 
clone arbitrary URLs specified in the .gitmodules file. If a user carelessly 
clones a malicious repository, or a malicious server gives the client serves 
the client a malicious repository instead of the expected one, the git client 
will run arbitrary attacker controlled commands.

repo is similarly effected. A repo manifest specifies URLs of remote 
repositories to clone and allows ext:: URLs to be specified. This allows 
arbitrary shell commands to be run on `repo sync`.

Unlike git submodules, which allows cloning a repository and its submodules 
recursively in one step, repo separates init and sync into two separate steps. 
This somewhat mitigates the issue because the user always has the opportunity 
to review the manifest for maliciousness before running `repo sync`. In reality 
though, many users will not review the manifest file.

The following manifest file demonstrates the issue. This manifest file should 
work on any *nix system and will cat /etc/passwd to the screen during `repo 
sync`.

    <?xml version="1.0" encoding="UTF-8"?>
    <manifest>
      <remote  name="ext"
               fetch="ext::sh -c cat% /etc/passwd% >/dev/" />
      <default revision="refs/heads/master"
               remote="ext" />
      <project name="stderr" remote="ext" />
    </manifest>

git fixed this issue by introducing an GIT_ALLOW_PROTOCOL environment variable 
to whitelist the set of allowed protocols for git to use. git-submodule was 
modified[1] to be limited to only use the file, git, http, https, and ssh 
protocols by default. I suggest you modify repo to also use the same protocol 
whitelist by default.

[0] http://marc.info/?l=git&m=144407785714994
[1] https://github.com/git/git/commit/33cfccbbf35a56e190b79bdec5c85457c952a021

Original issue reported on code.google.com by bburky on 12 Oct 2015 at 3:40

[GoogleCodeExporter]

Reproduced on latest head of master branch.

Original comment by david.pu...@sonymobile.com on 25 Nov 2015 at 9:50

• Changed state: Accepted

[GoogleCodeExporter]

https://gerrit-review.googlesource.com/#/c/72745/

Original comment by david.pu...@sonymobile.com on 25 Nov 2015 at 10:01

• Changed state: Started

[GoogleCodeExporter]

https://gerrit-review.googlesource.com/#/c/72721/

Original comment by david.pu...@sonymobile.com on 26 Nov 2015 at 2:13

[GoogleCodeExporter]

Original comment by david.pu...@sonymobile.com on 26 Nov 2015 at 2:23

• Changed state: Fixed