recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Pass SSH wrappers to VCS commands unconditonally, not just if there's an SSH remote

Summary:
Ref T12961. In Mercurial, it's possible to have "subrepos" which may use a different protocol than the main repository.

By putting an SSH repository inside an HTTP repository, an attacker can theoretically get us to execute `hg` without overriding `ui.ssh`, then execute code via the SSH hostname attack.

As an immediate mitigation to this attack, specify `ui.ssh` unconditionally. Normally, this will have no effect (it will just be ignored). In the specific case of an SSH repo inside an HTTP repo, it will defuse the `ssh` protocol.

For good measure and consistency, do the same for Subversion and Git. However, we don't normally maintain working copies for either Subversion or Git so it's unlikely that similar attacks exist there.

Test Plan:
- Put an SSH subrepo with an attack URI inside an HTTP outer repo in Mercurial.
- Ran `hg up` with and without `ui.ssh` specified.
- Got dangerous badness without `ui.ssh` and safe `ssh` subprocesses with `ui.ssh`.

I'm not yet able to confirm that `hg pull -u -- <uri>` can actually trigger this, but this can't hurt and our SSH wrapper is safer than the native behavior for all Subversion, Git and Mercurial versions released prior to today.

Reviewers: chad

Reviewed By: chad

Subscribers: cspeckmim

Maniphest Tasks: T12961

Differential Revision: https://secure.phabricator.com/D18389

epriestley 794e185b 0860b7f2

+12 -14
+1 -3
src/applications/diffusion/protocol/DiffusionGitCommandEngine.php
··· 26 26 27 27 $env['HOME'] = PhabricatorEnv::getEmptyCWD(); 28 28 29 - if ($this->isAnySSHProtocol()) { 30 - $env['GIT_SSH'] = $this->getSSHWrapper(); 31 - } 29 + $env['GIT_SSH'] = $this->getSSHWrapper(); 32 30 33 31 if ($this->isAnyHTTPProtocol()) { 34 32 $uri = $this->getURI();
+8 -6
src/applications/diffusion/protocol/DiffusionMercurialCommandEngine.php
··· 11 11 protected function newFormattedCommand($pattern, array $argv) { 12 12 $args = array(); 13 13 14 - if ($this->isAnySSHProtocol()) { 15 - $pattern = "hg --config ui.ssh=%s {$pattern}"; 16 - $args[] = $this->getSSHWrapper(); 17 - } else { 18 - $pattern = "hg {$pattern}"; 19 - } 14 + // NOTE: Here, and in Git and Subversion, we override the SSH command even 15 + // if the repository does not use an SSH remote, since our SSH wrapper 16 + // defuses an attack against older versions of Mercurial, Git and 17 + // Subversion (see T12961) and it's possible to execute this attack 18 + // in indirect ways, like by using an SSH subrepo inside an HTTP repo. 19 + 20 + $pattern = "hg --config ui.ssh=%s {$pattern}"; 21 + $args[] = $this->getSSHWrapper(); 20 22 21 23 return array($pattern, array_merge($args, $argv)); 22 24 }
+1 -3
src/applications/diffusion/protocol/DiffusionSubversionCommandEngine.php
··· 44 44 protected function newCustomEnvironment() { 45 45 $env = array(); 46 46 47 - if ($this->isAnySSHProtocol()) { 48 - $env['SVN_SSH'] = $this->getSSHWrapper(); 49 - } 47 + $env['SVN_SSH'] = $this->getSSHWrapper(); 50 48 51 49 return $env; 52 50 }
+2 -2
src/applications/diffusion/protocol/__tests__/DiffusionCommandEngineTestCase.php
··· 26 26 )); 27 27 28 28 $this->assertCommandEngineFormat( 29 - 'hg xyz', 29 + (string)csprintf('hg --config ui.ssh=%s xyz', $ssh_wrapper), 30 30 array( 31 31 'LANG' => 'en_US.UTF-8', 32 32 'HGPLAIN' => '1', ··· 102 102 )); 103 103 104 104 $this->assertCommandEngineFormat( 105 - 'hg xyz', 105 + (string)csprintf('hg --config ui.ssh=%s xyz', $ssh_wrapper), 106 106 array( 107 107 'LANG' => 'en_US.UTF-8', 108 108 'HGPLAIN' => '1',