t0411: add tests for cloning from partial repo

filip-hejsek · dscho · commit 5c5a4a1c0593 · 2024-04-17T22:29:53.000+02:00
Cloning from a partial repository must not fetch missing objects into
the partial repository, because that can lead to arbitrary code
execution.

Add a couple of test cases, pretending to the `upload-pack` command (and
to that command only) that it is working on a repository owned by
someone else.

Helped-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Filip Hejsek &lt;filip.hejsek@gmail.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/t/t0411-clone-from-partial.sh b/t/t0411-clone-from-partial.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+test_description='check that local clone does not fetch from promisor remotes'
+
+. ./test-lib.sh
+
+test_expect_success 'create evil repo' '
+	git init tmp &&
+	test_commit -C tmp a &&
+	git -C tmp config uploadpack.allowfilter 1 &&
+	git clone --filter=blob:none --no-local --no-checkout tmp evil &&
+	rm -rf tmp &&
+
+	git -C evil config remote.origin.uploadpack \"\$TRASH_DIRECTORY/fake-upload-pack\" &&
+	write_script fake-upload-pack <<-\EOF &&
+		echo >&2 "fake-upload-pack running"
+		>"$TRASH_DIRECTORY/script-executed"
+		exit 1
+	EOF
+	export TRASH_DIRECTORY &&
+
+	# empty shallow file disables local clone optimization
+	>evil/.git/shallow
+'
+
+test_expect_failure 'local clone must not fetch from promisor remote and execute script' '
+	rm -f script-executed &&
+	test_must_fail git clone \
+		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+		evil clone1 2>err &&
+	! grep "fake-upload-pack running" err &&
+	test_path_is_missing script-executed
+'
+
+test_expect_failure 'clone from file://... must not fetch from promisor remote and execute script' '
+	rm -f script-executed &&
+	test_must_fail git clone \
+		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+		"file://$(pwd)/evil" clone2 2>err &&
+	! grep "fake-upload-pack running" err &&
+	test_path_is_missing script-executed
+'
+
+test_expect_failure 'fetch from file://... must not fetch from promisor remote and execute script' '
+	rm -f script-executed &&
+	test_must_fail git fetch \
+		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+		"file://$(pwd)/evil" 2>err &&
+	! grep "fake-upload-pack running" err &&
+	test_path_is_missing script-executed
+'
+
+test_expect_success 'pack-objects should fetch from promisor remote and execute script' '
+	rm -f script-executed &&
+	echo "HEAD" | test_must_fail git -C evil pack-objects --revs --stdout >/dev/null 2>err &&
+	grep "fake-upload-pack running" err &&
+	test_path_is_file script-executed
+'
+
+test_done
