mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

close off newline injection attacks against compute special remote protocol

Browse source
This commit is contained in:
Joey Hess 2025-03-11 12:04:58 -04:00
parent 73a8ba5307
commit 0ee644b417
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
2 changed files with 18 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

19
Remote/Compute.hs
View file

@ -56,6 +56,7 @@ import Utility.CopyFile
import Types.Key import Types.Key
import Backend import Backend
import qualified Git import qualified Git
import qualified Utility.OsString as OS
import qualified Utility.FileIO as F import qualified Utility.FileIO as F
import qualified Utility.RawFilePath as R import qualified Utility.RawFilePath as R
import qualified Utility.SimpleProtocol as Proto import qualified Utility.SimpleProtocol as Proto
@ -271,7 +272,9 @@ formatComputeState' mk st = renderQuery False $ concat
parseComputeState :: Key -> B.ByteString -> Maybe ComputeState parseComputeState :: Key -> B.ByteString -> Maybe ComputeState
parseComputeState k b = parseComputeState k b =
let st = go emptycomputestate (parseQuery b) let st = go emptycomputestate (parseQuery b)
in if st == emptycomputestate then Nothing else Just st in if st == emptycomputestate || illegalComputeState st
then Nothing
else Just st
where where
emptycomputestate = ComputeState emptycomputestate = ComputeState
{ computeParams = mempty { computeParams = mempty
@ -317,6 +320,20 @@ parseComputeState k b =
_ -> Nothing _ -> Nothing
in go c' rest in go c' rest
{- This is used to avoid ComputeStates that should never happen,
- but which could be injected into a repository by an attacker. -}
illegalComputeState :: ComputeState -> Bool
illegalComputeState st
-- The protocol is line-based, so filenames used in it cannot
-- contain newlines.
| any containsnewline (M.keys (computeInputs st)) = True
| any containsnewline (M.keys (computeOutputs st)) = True
-- Just in case.
| containsnewline (computeSubdir st) = True
| otherwise = False
where
containsnewline p = unsafeFromChar '\n' `OS.elem` p
{- A compute: url for a given output file of a computation. -} {- A compute: url for a given output file of a computation. -}
computeStateUrl :: Remote -> ComputeState -> OsPath -> URLString computeStateUrl :: Remote -> ComputeState -> OsPath -> URLString
computeStateUrl r st p = computeStateUrl r st p =

4
doc/todo/compute_special_remote_remaining_todos.mdwn
View file

@ -1,10 +1,6 @@
This is the remainder of my todo list while I was building the This is the remainder of my todo list while I was building the
compute special remote. --[[Joey]] compute special remote. --[[Joey]]
* prohibit using compute states where an input or output filename contains
a newline. The protocol doesn't allow this to happen usually, but an
attacker might try it in order to scramble the protocol.
* git-annex responds to each INPUT immediately, and flushes stdout. * git-annex responds to each INPUT immediately, and flushes stdout.
This could cause problems if the program is sending several INPUT This could cause problems if the program is sending several INPUT
first, before reading responses, as is documented it should do to allow first, before reading responses, as is documented it should do to allow