1. 28 Nov, 2018 3 commits
  2. 25 Nov, 2018 2 commits
  3. 21 Nov, 2018 4 commits
    • transport: allow cred/cert callbacks to return GIT_PASSTHROUGH · a2e6e0ea
      Allow credential and certificate checking callbacks to return
      GIT_PASSTHROUGH, indicating that they do not want to act.
      Introduce this to support in both the http and ssh callbacks.
      Additionally, enable the same mechanism for certificate validation.
      
      This is most useful to disambiguate any meaning in the publicly exposed
      credential and certificate functions (`git_transport_smart_credentials`
      and `git_transport_smart_certificate_check`) but it may be more
      generally useful for callers to be able to defer back to libgit2.
      Edward Thomson committed
    • Merge pull request #4884 from libgit2/ethomson/index_iterator · 0e3e832d
      index: introduce git_index_iterator
      Patrick Steinhardt committed
    • Merge pull request #4894 from pks-t/pks/commit-author-oob · 94fce582
      commit: fix out-of-bound reads when parsing truncated author fields
      Edward Thomson committed
    • commit: fix out-of-bound reads when parsing truncated author fields · cb23c3ef
      While commit objects usually should have only one author field, our commit
      parser actually handles the case where a commit has multiple author fields
      because some tools that exist in the wild actually write them. Detection of
      those additional author fields is done by using a simple `git__prefixcmp`,
      checking whether the current line starts with the string "author ". In case
      where we are handed a non-NUL-terminated string that ends directly after the
      space, though, we may have an out-of-bounds read of one byte when trying to
      compare the expected final NUL byte.
      
      Fix the issue by using `git__prefixncmp` instead of `git_prefixcmp`.
      Unfortunately, a test cannot be easily written to catch this case. While we
      could test the last error message and verify that it didn't in fact fail parsing
      a signature (because that would indicate that it has in fact tried to parse the
      additional "author " field, which it shouldn't be able to detect in the first
      place), this doesn't work as the next line needs to be the "committer" field,
      which would error out with the same error message even if we hadn't done an
      out-of-bounds read.
      
      As objects read from the object database are always NUL terminated, this issue
      cannot be triggered in normal code and thus it's not security critical.
      Patrick Steinhardt committed
  4. 18 Nov, 2018 7 commits
  5. 15 Nov, 2018 2 commits
  6. 14 Nov, 2018 4 commits
    • index: introduce git_index_iterator · c358bbc5
      Provide a public git_index_iterator API that is backed by an index
      snapshot.  This allows consumers to provide a stable iteration even
      while manipulating the index during iteration.
      Edward Thomson committed
    • Merge pull request #4886 from pks-t/pks/strntol-truncate-leading-sign · 9189a66a
      strntol: fix out-of-bounds reads when parsing numbers with leading sign
      Edward Thomson committed
    • patch_parse: remove unused function `parse_number` · 4b84db6a
      The function `parse_number` was replaced by `git_parse_advance_digit`
      which is provided by the parser interface in commit 252f2eee (parse:
      implement and use `git_parse_advance_digit`, 2017-07-14). As there are
      no remaining callers, remove it.
      Patrick Steinhardt committed
    • strntol: fix out-of-bounds reads when parsing numbers with leading sign · 4209a512
      When parsing a number, we accept a leading plus or minus sign to return
      a positive or negative number. When the parsed string has such a leading
      sign, we set up a flag indicating that the number is negative and
      advance the pointer to the next character in that string. This misses
      updating the number of bytes in the string, though, which is why the
      parser may later on do an out-of-bounds read.
      
      Fix the issue by correctly updating both the pointer and the number of
      remaining bytes. Furthermore, we need to check whether we actually have
      any bytes left after having advanced the pointer, as otherwise the
      auto-detection of the base may do an out-of-bonuds access. Add a test
      that detects the out-of-bound read.
      
      Note that this is not actually security critical. While there are a lot
      of places where the function is called, all of these places are guarded
      or irrelevant:
      
      - commit list: this operates on objects from the ODB, which are always
        NUL terminated any may thus not trigger the off-by-one OOB read.
      
      - config: the configuration is NUL terminated.
      
      - curl stream: user input is being parsed that is always NUL terminated
      
      - index: the index is read via `git_futils_readbuffer`, which always NUL
        terminates it.
      
      - loose objects: used to parse the length from the object's header. As
        we check previously that the buffer contains a NUL byte, this is safe.
      
      - rebase: this parses numbers from the rebase instruction sheet. As the
        rebase code uses `git_futils_readbuffer`, the buffer is always NUL
        terminated.
      
      - revparse: this parses a user provided buffer that is NUL terminated.
      
      - signature: this parser the header information of objects. As objects
        read from the ODB are always NUL terminated, this is a non-issue. The
        constructor `git_signature_from_buffer` does not accept a length
        parameter for the buffer, so the buffer needs to be NUL terminated, as
        well.
      
      - smart transport: the buffer that is parsed is NUL terminated
      
      - tree cache: this parses the tree cache from the index extension. The
        index itself is read via `git_futils_readbuffer`, which always NUL
        terminates it.
      
      - winhttp transport: user input is being parsed that is always NUL
        terminated
      Patrick Steinhardt committed
  7. 13 Nov, 2018 7 commits
  8. 11 Nov, 2018 1 commit
  9. 10 Nov, 2018 1 commit
  10. 09 Nov, 2018 3 commits
    • transport/http: Include non-default ports in Host header · 83b35181
      When the port is omitted, the server assumes the default port for the
      service is used (see
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host). In
      cases where the client provided a non-default port, it should be passed
      along.
      
      This hasn't been an issue so far as the git protocol doesn't include
      server-generated URIs. I encountered this when implementing Rust
      registry support for Sonatype Nexus. Rust's registry uses a git
      repository for the package index. Clients look at a file in the root of
      the package index to find the base URL for downloading the packages.
      Sonatype Nexus looks at the incoming HTTP request (Host header and URL)
      to determine the client-facing URL base as it may be running behind a
      load balancer or reverse proxy. This client-facing URL base is then used
      to construct the package download base URL. When libgit2 fetches the
      index from Nexus on a non-default port, Nexus trusts the incorrect Host
      header and generates an incorrect package download base URL.
      Rick Altherr committed
    • netops: add method to return default http port for a connection · 58b60fcc
      Constant strings and logic for HTTP(S) default ports were starting to be
      spread throughout netops.c.  Instead of duplicating this again to
      determine if a Host header should include the port, move the default
      port constants and logic into an internal method in netops.{c,h}.
      Rick Altherr committed
    • signature: fix out-of-bounds read when parsing timezone offset · 52f859fd
      When parsing a signature's timezone offset, we first check whether there
      is a timezone at all by verifying that there are still bytes left to
      read following the time itself. The check thus looks like `time_end + 1
      < buffer_end`, which is actually correct in this case. After setting the
      timezone's start pointer to that location, we compute the remaining
      bytes by using the formula `buffer_end - tz_start + 1`, re-using the
      previous `time_end + 1`. But this is in fact missing the braces around
      `(tz_start + 1)`, thus leading to an overestimation of the remaining
      bytes by a length of two. In case of a non-NUL terminated buffer, this
      will result in an overflow.
      
      The function `git_signature__parse` is only used in two locations. First
      is `git_signature_from_buffer`, which only accepts a string without a
      length. The string thus necessarily has to be NUL terminated and cannot
      trigger the issue.
      
      The other function is `git_commit__parse_raw`, which can in fact trigger
      the error as it may receive non-NUL terminated commit data. But as
      objects read from the ODB are always NUL-terminated by us as a
      cautionary measure, it cannot trigger the issue either.
      
      In other words, this error does not have any impact on security.
      Patrick Steinhardt committed
  11. 07 Nov, 2018 2 commits
    • smart transport: only clear url on hard reset · 9ad96367
      After creating a transport for a server, we expect to be able to call
      `connect`, then invoke subsequent `action` calls.  We provide the URL to
      these `action` calls, although our built-in transports happen to ignore
      it since they've already parsed it into an internal format that they
      intend to use (`gitno_connection_data`).
      
      In ca2eb460, we began clearing the URL
      field after a connection, meaning that subsequent calls to transport
      `action` callbacks would get a NULL URL, which went undetected since the
      builtin transports ignore the URL when they're already connected
      (instead of re-parsing it into an internal format).
      
      Downstream custom transport implementations (eg, LibGit2Sharp) did
      notice this change, however.
      
      Since `reset_stream` is called even when we're not closing the
      subtransport, update to only clear the URL when we're closing the
      subtransport.  This ensures that `action` calls will get the correct URL
      information even after a connection.
      Edward Thomson committed
  12. 05 Nov, 2018 4 commits
    • apply: test re-adding a file after removing it · f8b9493b
      Ensure that we can add a file back after it's been removed.  Update the
      renamed/deleted validation in application to not apply to deltas that
      are adding files to support this.
      Edward Thomson committed
    • apply: test modifying a file after renaming it · 78580ad3
      Ensure that we cannot modify a file after it's been renamed out of the
      way.  If multiple deltas exist for a single path, ensure that we do not
      attempt to modify a file after it's been renamed out of the way.
      
      To support this, we must track the paths that have been removed or
      renamed; add to a string map when we remove a path and remove from the
      string map if we recreate a path.  Validate that we are not applying to
      a path that is in this map, unless the delta is a rename, since git
      supports renaming one file to two different places in two different
      deltas.
      
      Further, test that we cannot apply a modification delta to a path that
      will be created in the future by a rename (a path that does not yet
      exist.)
      Edward Thomson committed
    • apply: test renaming a file after modifying it · 605066ee
      Multiple deltas can exist in a diff, and can be applied in-order.
      If there exists a delta that modifies a file followed by a delta that
      renames that file, then both will be captured.  The modification delta
      will be applied and the resulting file will be staged with the original
      filename.  The rename delta will be independently applied - to the
      original file (not the modified file from the original delta) and staged
      independently.
      Edward Thomson committed