Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disallow refs starting with a non-letter or digit #1286

Closed
wants to merge 2 commits into from

Conversation

cgwalters
Copy link
Member

@cgwalters cgwalters commented Oct 18, 2017

Change the regexp for validating refs to require at least one letter or digit
before allowing the other special chars in the set [.-_]. Names that start
with . are traditionally Unix hidden files; let's ignore them under the
assumption they're metadata for some other tool, and we don't want to
potentially conflict with the special . and .. Unix directory entries.
Further, names starting with - are problematic for Unix cmdline option
processing; there's no good reason to support that. Finally, disallow _ just
on general principle - it's simpler to say that ref identifiers must start with
a letter or digit.

We also ignore any existing files (that might be previously created refs) that
start with . in the refs/ directory - there's a Red Hat tool for content
management that injects .rsync files, which is why this patch was first
written.

V1: Update to ban all refs starting with a non-letter/digit, and
also add another call to ostree_validate_rev in the pull
code.

Closes: #1285

Copy link
Member

@jlebon jlebon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Though we should also be erroring out when creating such a ref too, right?

# One tool was creating .latest_rsync files in each dir, let's ignore stuff like
# that.
echo '👻' > repo/refs/heads/.spooky_and_hidden
ostree --repo=repo refs > refs.txt
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing ${CMD_PREFIX} here and below!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done ⬇️

@cgwalters
Copy link
Member Author

We already do validate creating refs AFAICS, this is just another tool dropping files in there.

@jlebon
Copy link
Member

jlebon commented Oct 18, 2017

What I mean is:

$ ostree --repo=. init --mode=bare-user
$ mkdir tmp2
$ echo "asdf" > tmp2/asdf
$ ostree commit -b .ref_that_starts_with_dot tmp2
f3c0a7d868d3293f922c3ed0d29b180831e17a8f331d659ed910a8593907640d
$ file refs/heads/.ref_that_starts_with_dot
refs/heads/.ref_that_starts_with_dot: ASCII text

We should have errored out there, right?

Change the regexp for validating refs to require at least one letter or digit
before allowing the other special chars in the set `[.-_]`. Names that start
with `.` are traditionally Unix hidden files; let's ignore them under the
assumption they're metadata for some other tool, and we don't want to
potentially conflict with the special `.` and `..` Unix directory entries.
Further, names starting with `-` are problematic for Unix cmdline option
processing; there's no good reason to support that. Finally, disallow `_` just
on general principle - it's simpler to say that ref identifiers must start with
a letter or digit.

We also ignore any existing files (that might be previously created refs) that
start with `.` in the `refs/` directory - there's a Red Hat tool for content
management that injects `.rsync` files, which is why this patch was first
written.

V1: Update to ban all refs starting with a non-letter/digit, and
    also add another call to `ostree_validate_rev` in the pull
    code.

Closes: ostreedev#1285
@cgwalters cgwalters changed the title lib/refs: Ignore files starting with . in refs/ Disallow refs starting with a non-letter or digit Oct 18, 2017
@cgwalters
Copy link
Member Author

Ah. Yes...well that definitely increases the scope of this, but I think you're right. Reworked in ⬆️

@cgwalters
Copy link
Member Author

Hum, we currently accept anything that GRegex allows as \w\d but...that's a whole lot of stuff in Unicode. I wonder if we shouldn't also restrict to ASCII. But eh...not right now?

Copy link
Member

@jlebon jlebon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just one nit.

I wonder if we shouldn't also restrict to ASCII. But eh...not right now?

Yup, agreed.

@@ -3853,6 +3853,8 @@ ostree_repo_pull_with_options (OstreeRepo *self,

while (g_variant_iter_loop (collection_refs_iter, "(&s&s&s)", &collection_id, &ref_name, &checksum))
{
if (!ostree_validate_rev (ref_name, error))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need this in the next else if for refs_to_fetch, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's already one there, no? Line 3879?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whoops! Indeed.

@jlebon
Copy link
Member

jlebon commented Oct 18, 2017

@rh-atomic-bot r+ 7266b15

@rh-atomic-bot
Copy link

⚡ Test exempted: pull fully rebased and already tested.

@alexlarsson
Copy link
Member

This is breaking stuff in flatpak due to the use of "${remote}:." as argument to ostree_repo_list_refs to find all local refs pulled from a particular remote.

@alexlarsson
Copy link
Member

See flatpak/flatpak#1444

@jlebon
Copy link
Member

jlebon commented Mar 16, 2018

Hmm, we should just be able to support ${remote}: for that, right? Seems cleaner than :..

@jlebon
Copy link
Member

jlebon commented Mar 16, 2018

#1500

mwleeds added a commit to flatpak/flatpak that referenced this pull request Aug 23, 2022
This patch could be important in case the ref arg was maliciously
crafted to try to convince flatpak-system-helper to delete an arbitrary
file on the filesystem. However, in practice (a) recent versions of
libostree will not accept such a ref name which has e.g. "../" in it
thanks to ostreedev/ostree#1286, and (b) even on
ancient versions of Flatpak that use a version of libostree without the
aforementioned patch, the exploit does not appear to be successful, at
least on Debian 9.

See GHSA-45jq-5658-v38x
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants