The recent security update to git[0] also affects Google's repo command.
git's git-remote-ext remote helper provides an ext:: URL scheme that runs an
arbitrary shell command as the transport. This feature allows implementing
simple git smart transports with a single shell command. However, git
submodules can clone arbitrary URLs specified in the .gitmodules file. If a
user carelessly clones a malicious repository, or a malicious server serves
the client a malicious repository instead of the expected one, the git client
will run arbitrary attacker-controlled commands.
repo is similarly affected. A repo manifest specifies the URLs of the remote
repositories to clone and allows ext:: URLs to be specified. This allows
arbitrary shell commands to be run on `repo sync`.
Unlike git submodules, which allow cloning a repository and its submodules
recursively in one step, repo separates init and sync into two separate steps.
This somewhat mitigates the issue because the user always has the opportunity
to review the manifest for malicious content before running `repo sync`. In
reality though, many users will not review the manifest file.
The following manifest file demonstrates the issue. It should work on any
*nix system and will cat /etc/passwd to the screen (via /dev/stderr) during
`repo sync`. Two details make it work: git-remote-ext treats "% " as a literal
space inside a single argument, so the command passed to `sh -c` survives
argument splitting, and repo appends "/" plus the project name to the remote's
fetch URL, so the project name "stderr" completes the ">/dev/" redirect.
  <?xml version="1.0" encoding="UTF-8"?>
  <manifest>
    <remote name="ext"
            fetch="ext::sh -c cat% /etc/passwd% >/dev/" />
    <default revision="refs/heads/master"
             remote="ext" />
    <project name="stderr" remote="ext" />
  </manifest>
git fixed this issue by introducing a GIT_ALLOW_PROTOCOL environment variable
that whitelists the set of protocols git is allowed to use. git-submodule was
modified[1] to use only the file, git, http, https, and ssh protocols by
default. I suggest you modify repo to use the same protocol whitelist by
default.
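As an added example (not part of the original report and not repo's own code), the following Python script parses a repo manifest, resolves each project's fetch URL, shows the argv that git-remote-ext would execute for an ext:: URL, and rejects any project whose URL scheme is outside the file/git/http/https/ssh whitelist that git-submodule now applies. It assumes repo's URL-join rule is remote fetch base with trailing "/" stripped, plus "/" plus the project name; the sample manifest (the proof of concept above plus a benign https remote on git.example.com) is constructed for this example, and the "%"-unquoting only handles the "% " and "%%" sequences from git-remote-ext(1), rejecting the others.

```python
"""Check a repo manifest against a git-style protocol whitelist.

Added example, not code from repo or git. Assumption: repo resolves a
project's fetch URL as remote_fetch.rstrip('/') + '/' + project_name.
"""
import re
import xml.etree.ElementTree as ET

# Default whitelist git-submodule applies via GIT_ALLOW_PROTOCOL.
ALLOWED_PROTOCOLS = frozenset({"file", "git", "http", "https", "ssh"})

# Constructed sample: the manifest from the report plus a benign remote.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <remote name="ext" fetch="ext::sh -c cat% /etc/passwd% >/dev/" />
  <remote name="example" fetch="https://git.example.com/" />
  <default revision="refs/heads/master" remote="ext" />
  <project name="stderr" remote="ext" />
  <project name="platform/build" remote="example" />
</manifest>
"""

_HELPER_RE = re.compile(r"^([A-Za-z0-9+.-]+)::")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def url_scheme(url):
    """Return the transport name git dispatches on for a URL.

    "<helper>::<address>" wins first (ext::, fd::, ...), then "<scheme>://",
    then scp-like "host:path" (ssh); anything else is a local path (file).
    """
    m = _HELPER_RE.match(url)
    if m:
        return m.group(1)
    m = _SCHEME_RE.match(url)
    if m:
        return m.group(1)
    if ":" in url.split("/", 1)[0]:
        return "ssh"
    return "file"


def ext_command(url):
    """Expand an ext:: URL into the argv git-remote-ext would run.

    Arguments split on unquoted spaces; "% " is a literal space and "%%" a
    literal percent. Other %-sequences (%s, %G, ...) are rejected here.
    """
    if not url.startswith("ext::"):
        raise ValueError("not an ext:: URL: %r" % url)
    body = url[len("ext::"):]
    argv, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "%":
            if i + 1 < len(body) and body[i + 1] in " %":
                cur.append(body[i + 1])
                i += 2
                continue
            raise ValueError("unsupported %%-sequence at offset %d" % i)
        if ch == " ":
            argv.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    argv.append("".join(cur))
    return argv


def resolve_fetch_urls(manifest_xml):
    """Return [(project_name, resolved_url)] for every <project> in the manifest."""
    root = ET.fromstring(manifest_xml)
    remotes = {r.get("name"): r.get("fetch") for r in root.findall("remote")}
    default = root.find("default")
    default_remote = default.get("remote") if default is not None else None
    out = []
    for proj in root.findall("project"):
        name = proj.get("name")
        base = remotes[proj.get("remote") or default_remote]
        out.append((name, base.rstrip("/") + "/" + name))  # assumed repo join rule
    return out


def check_manifest(manifest_xml, allowed=ALLOWED_PROTOCOLS):
    """Return [(project, url, scheme)] for projects whose scheme is not whitelisted."""
    return [(name, url, url_scheme(url))
            for name, url in resolve_fetch_urls(manifest_xml)
            if url_scheme(url) not in allowed]


if __name__ == "__main__":
    for name, url, scheme in check_manifest(SAMPLE_MANIFEST):
        print("project %s uses disallowed scheme %r: %s" % (name, scheme, url))
        if scheme == "ext":
            print("  git-remote-ext would exec:", ext_command(url))
```

Run it and the only flagged project is "stderr", with the expanded argv `['sh', '-c', 'cat /etc/passwd >/dev/stderr']`; the https project passes. A check like this would belong before repo starts cloning, since the whole point of the two-step init/sync split is that the manifest can be inspected first.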
[0] http://marc.info/?l=git&m=144407785714994
[1] https://github.com/git/git/commit/33cfccbbf35a56e190b79bdec5c85457c952a021
Original issue reported on code.google.com by bburky on 12 Oct 2015 at 3:40