From patchwork Mon May 1 15:53:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taylor Blau X-Patchwork-Id: 13227599 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B87C0C77B61 for ; Mon, 1 May 2023 15:53:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232369AbjEAPxv (ORCPT ); Mon, 1 May 2023 11:53:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232814AbjEAPxt (ORCPT ); Mon, 1 May 2023 11:53:49 -0400 Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2F021720 for ; Mon, 1 May 2023 08:53:46 -0700 (PDT) Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-b9daef8681fso1637347276.1 for ; Mon, 01 May 2023 08:53:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ttaylorr-com.20221208.gappssmtp.com; s=20221208; t=1682956426; x=1685548426; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=AHCvaMVOKuP5Psy3lUxpAfKZTInr8/mfZ6hebsctOuM=; b=NvEllr3FwO2tBR6VWvRrdsMZVltZKV5Eo5EQt+G8NMG05cKpsfwXPw0feO4LRzr8Nr FZcg79qB72xUUzAKjdEO72AieSEeRil3OIDRLpQzpPUNFozGOVlGIiucJxKW8/OuLuoR zg1wznz2lBsP2vupwK+HZSKCj6Q0GeJQqIY6aGV8MM7kqIMQnHXleQc2yOSTn3V4FcDb rHpVEtzpYEWY4V1p2GgfcIUAH/RKwPw8p9WiXnBzNx3ytdzG+nMt9lmdEMgtkbnUSSUq 2dX35Lxvsk1plMVOi0HcivDK6dc58/l4v3vn0/NHluJOQxgxHYKjpoceRGpfFdMblaab aphA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682956426; x=1685548426; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AHCvaMVOKuP5Psy3lUxpAfKZTInr8/mfZ6hebsctOuM=; b=GXgVzz1Qgyfg9x+3zpgpVkkpdFfL4+ZlawMcTc8pnFJM94N5dTPRuMUYlZ2PHsSWjH W1NmOgXV6UCBl3zyQOM3pgEXAw2LP/wAo+Z0hopny5PPlDQaNVRWVC4qe2LOMhI0Snr4 IWLt2sF4V0ljmsmoejtHQ6xaozLgQNPGR4m8F5nGwfnaLUS9z2Ey8jtDemKEk/C4Niqh nbrxTCtARQ0q6LeENknnWuQ2sKVnav4m++I+nh0/WrEwV2RKorI4jRCStt3jy5JGhgjm BWs5lnwhdI0UEtLh2ELsocAB0BTd1HL1ROvatmSEKP7MGncwbJfbbFSbBH37v2kp+Z8O GFZA== X-Gm-Message-State: AC+VfDzPNvmtppiPX5oUwS2VC/8T2aPuK2QLIrzHGwon7tEtLd1Atn1E dObqjI10V9IvWWa8zkxqoDtvM8Xab2xuGY+4YpWNZQ== X-Google-Smtp-Source: ACHHUZ5rsFeKpMt0TJgNoIZ52tG5G7AoMlSoEFo1Ei37j3H2DY0/CPHAXvlG8K0CkEWgiiP+C8kNhA== X-Received: by 2002:a25:aae4:0:b0:b64:ed42:6124 with SMTP id t91-20020a25aae4000000b00b64ed426124mr14223125ybi.13.1682956425698; Mon, 01 May 2023 08:53:45 -0700 (PDT) Received: from localhost (104-178-186-189.lightspeed.milwwi.sbcglobal.net. [104.178.186.189]) by smtp.gmail.com with ESMTPSA id u7-20020a252e07000000b00b98dbbedb73sm6336631ybu.43.2023.05.01.08.53.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 May 2023 08:53:45 -0700 (PDT) Date: Mon, 1 May 2023 11:53:44 -0400 From: Taylor Blau To: git@vger.kernel.org Cc: Jeff King , Junio C Hamano , Matthew John Cheetham , Johannes Schindelin , Derrick Stolee Subject: [PATCH 0/7] contrib/credential: avoid protocol injection attacks Message-ID: MIME-Version: 1.0 Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org This series addresses a handful of potential protocol injection attacks possible via some of the credential helpers in contrib/credential, and the new "wwwauth[]" directive. The attack is described in complete detail in 2/7, but roughly boils down to using a long line to incur multiple fgets() calls which can treat data in the middle of the line as if it appeared at the beginning. Luckily, all protocol fields part of tagged versions of Git are immune from this attack. Briefly: - "protocol" is restricted to known values - "host" is immune because curl will reject hostnames that have a '=' character in them, which would be required to carry out this attack. - "username", and "path" are immune, because the buffer characters to fill out the first `fgets()` call would pollute the `username`/`path` field, causing the credential helper to return nothing - "password" is immune because providing a password instructs credential helpers to avoid filling credentials in the first place. But the new "wwwauth[]" field does allow this attack to take place. Since these credential helpers are tested via t0303 (which requires some extensive set-up), we opted not to make these fixes during the last embargo period, and instead do them before the "wwwauth[]" feature becomes part of a tagged version. With the additional time, we have been able to verify that the affected credential helpers which are modified in this series all fail the new test before their patches, and pass afterwords. Thanks to Peff for looking at libsecret, Matthew Cheetham for looking at wincred. I looked at osxkeychain. Taylor Blau (7): credential.c: store "wwwauth[]" values in `credential_read()` t/lib-credential.sh: ensure credential helpers handle long headers contrib/credential: avoid fixed-size buffer in osxkeychain contrib/credential: remove 'gnome-keyring' credential helper contrib/credential: .gitignore libsecret build artifacts contrib/credential: avoid fixed-size buffer in libsecret contrib/credential: embiggen fixed-size buffer in wincred contrib/credential/gnome-keyring/.gitignore | 1 - contrib/credential/gnome-keyring/Makefile | 25 - .../git-credential-gnome-keyring.c | 470 ------------------ contrib/credential/libsecret/.gitignore | 1 + .../libsecret/git-credential-libsecret.c | 15 +- .../osxkeychain/git-credential-osxkeychain.c | 10 +- .../wincred/git-credential-wincred.c | 21 +- credential.c | 2 + t/lib-credential.sh | 29 ++ 9 files changed, 63 insertions(+), 511 deletions(-) delete mode 100644 contrib/credential/gnome-keyring/.gitignore delete mode 100644 contrib/credential/gnome-keyring/Makefile delete mode 100644 contrib/credential/gnome-keyring/git-credential-gnome-keyring.c create mode 100644 contrib/credential/libsecret/.gitignore