Friday, June 1, 2018

[02] Path traversal leading to file overwrite or unintended operations

https://github.com/Rogdham/CVE-2018-11235
https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/

When you clone it with the --recurse-submodules flag, the evil script is executed:

$ git clone --recurse-submodules repo dest_dir
Cloning into 'dest_dir'...
done.
Submodule 'Spoon-Knife' (https://github.com/octocat/Spoon-Knife) registered for path 'Spoon-Knife'
Submodule '../../modules/evil' (https://github.com/octocat/Spoon-Knife) registered for path 'evil'
Cloning into '/snip/dest_dir/Spoon-Knife'...
Submodule path 'Spoon-Knife': checked out 'd0dd1f61b33d64e29d8bc1372a94ef6a2fee76a9'

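When a submodule name contains ../, as in '../../modules/evil', path traversal occurs: content is written into another directory, which modifies git's configuration files and results in remote code execution.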

Fix: https://github.com/git/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44 (submodule-config: verify submodule names as paths)
It checks for ../ in the path.
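
The check described above, as an added example in C; it is not the code from the linked git commit. The names `name_is_safe_n`, `count_unsafe_submodules` and `SAMPLE_GITMODULES` are hypothetical, and treating `\` as a separator and rejecting empty names are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the n-byte name is non-empty and has no ".." path component.
 * '/' and '\\' both count as separators, whatever the platform. */
int name_is_safe_n(const char *s, size_t n)
{
    size_t i = 0;
    if (n == 0)
        return 0;
    while (i < n) {
        size_t start = i;
        while (i < n && s[i] != '/' && s[i] != '\\')
            i++;                          /* scan one component */
        if (i - start == 2 && s[start] == '.' && s[start + 1] == '.')
            return 0;                     /* component is exactly ".." */
        i++;                              /* step over the separator */
    }
    return 1;
}

/* Count unsafe names in .gitmodules text. Assumption: headers are written
 * exactly as [submodule "name"], with no escapes inside the quotes. */
int count_unsafe_submodules(const char *text)
{
    static const char prefix[] = "[submodule \"";
    int unsafe = 0;
    const char *p = text;
    while ((p = strstr(p, prefix)) != NULL) {
        const char *start = p + sizeof(prefix) - 1;
        const char *end = strstr(start, "\"]");
        if (end == NULL)
            break;                        /* unterminated header: stop */
        if (!name_is_safe_n(start, (size_t)(end - start))) {
            printf("unsafe submodule name: %.*s\n", (int)(end - start), start);
            unsafe++;
        }
        p = end;
    }
    return unsafe;
}

/* Constructed sample, using the two names from the clone output above. */
const char SAMPLE_GITMODULES[] =
    "[submodule \"Spoon-Knife\"]\n\tpath = Spoon-Knife\n"
    "[submodule \"../../modules/evil\"]\n\tpath = evil\n";

int main(void) { return count_unsafe_submodules(SAMPLE_GITMODULES) == 1 ? 0 : 1; }
```

A name such as `a..b` passes because only a whole component equal to `..` is rejected.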