worktree: Don't allow .gitmodules to be a symlink. Fixes CVE-2018-11235

References: * https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/ * https://security-tracker.debian.org/tracker/CVE-2018-11235 * git/git@10ecfa7 Signed-off-by: Joseph Vusich <[email protected]>
jpeletier · May 30, 2018 · d87faec · d87faec
1 parent 79b7f24
commit d87faec
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/submodule_test.go b/submodule_test.go
@@ -196,6 +196,21 @@ func (s *SubmoduleSuite) TestSubmodulesInit(c *C) {
 	}
 }
 
+func (s *SubmoduleSuite) TestGitSubmodulesSymlink(c *C) {
+	f, err := s.Worktree.Filesystem.Create("badfile")
+	c.Assert(err, IsNil)
+	defer f.Close()
+
+	err = s.Worktree.Filesystem.Remove(gitmodulesFile)
+	c.Assert(err, IsNil)
+
+	err = s.Worktree.Filesystem.Symlink("badfile", gitmodulesFile)
+	c.Assert(err, IsNil)
+
+	_, err = s.Worktree.Submodules()
+	c.Assert(err, Equals, ErrGitModulesSymlink)
+}
+
 func (s *SubmoduleSuite) TestSubmodulesStatus(c *C) {
 	sm, err := s.Worktree.Submodules()
 	c.Assert(err, IsNil)

diff --git a/worktree.go b/worktree.go
@@ -28,6 +28,7 @@ var (
 	ErrWorktreeNotClean  = errors.New("worktree is not clean")
 	ErrSubmoduleNotFound = errors.New("submodule not found")
 	ErrUnstagedChanges   = errors.New("worktree contains unstaged changes")
+	ErrGitModulesSymlink = errors.New(gitmodulesFile + " is a symlink")
 )
 
 // Worktree represents a git worktree.
@@ -680,7 +681,18 @@ func (w *Worktree) newSubmodule(fromModules, fromConfig *config.Submodule) *Subm
 	return m
 }
 
+func (w *Worktree) isSymlink(path string) bool {
+	if s, err := w.Filesystem.Lstat(path); err == nil {
+		return s.Mode()&os.ModeSymlink != 0
+	}
+	return false
+}
+
 func (w *Worktree) readGitmodulesFile() (*config.Modules, error) {
+	if w.isSymlink(gitmodulesFile) {
+		return nil, ErrGitModulesSymlink
+	}
+
 	f, err := w.Filesystem.Open(gitmodulesFile)
 	if err != nil {
 		if os.IsNotExist(err) {