
ruby-changes:70097

From: David <ko1@a...>
Date: Tue, 7 Dec 2021 23:28:16 +0900 (JST)
Subject: [ruby-changes:70097] 26303c31f0 (master): [rubygems/rubygems] Pass "--" to git commands to separate positional and optional args

https://git.ruby-lang.org/ruby.git/commit/?id=26303c31f0

From 26303c31f0939d093f88f609c846590ad538114f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?= <deivid.rodriguez@r...>
Date: Sat, 13 Nov 2021 11:18:54 +0100
Subject: [rubygems/rubygems] Pass "--" to git commands to separate positional
 and optional args

To make sure git URIs specified in a Gemfile are never interpreted by git as
options (a value with a leading dash, e.g. `-u...`/`--upload-pack=...`, would
otherwise be parsed as one), which could allow local code execution.

https://github.com/rubygems/rubygems/commit/90b1ed8b9f
---
 lib/bundler/source/git/git_proxy.rb               |  4 ++--
 spec/bundler/bundler/source/git/git_proxy_spec.rb | 28 +++++++++++++++++++----
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
index e37ff8724a3..745a7fe118f 100644
--- a/lib/bundler/source/git/git_proxy.rb
+++ b/lib/bundler/source/git/git_proxy.rb
@@ -95,12 +95,12 @@ module Bundler https://github.com/ruby/ruby/blob/trunk/lib/bundler/source/git/git_proxy.rb#L95
             SharedHelpers.filesystem_access(path.dirname) do |p|
               FileUtils.mkdir_p(p)
             end
-            git_retry "clone", configured_uri, path.to_s, "--bare", "--no-hardlinks", "--quiet"
+            git_retry "clone", "--bare", "--no-hardlinks", "--quiet", "--", configured_uri, path.to_s
             return unless extra_ref
           end
 
           with_path do
-            git_retry(*["fetch", "--force", "--quiet", "--tags", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
+            git_retry(*["fetch", "--force", "--quiet", "--tags", "--", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
           end
         end
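Review bot: The `--` separator on the `clone` and `fetch` lines only closes the option-injection vector if `git_retry` hands these arguments to git as a separate argv rather than joining them into a shell string; that helper is outside this hunk, so please confirm it uses the array form (or `Open3`/`system` with multiple arguments) and never interpolates the URI into a command line. `--` also does not validate the URI itself: git still dereferences whatever scheme it is given, so if the environment enables the `ext::` remote helper (`protocol.ext.allow`), a crafted URI remains a command-execution path — an explicit scheme allowlist for Gemfile git sources would be the belt-and-braces control. Any other git invocation in this proxy that receives a user-supplied ref, branch or tag (e.g. `checkout`, `rev-parse`, `ls-remote`, if present) has the same problem and should get the same `--` treatment; those calls are not visible here. The enclosing method starts before and ends after this hunk.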
 
diff --git a/spec/bundler/bundler/source/git/git_proxy_spec.rb b/spec/bundler/bundler/source/git/git_proxy_spec.rb
index 97f06973cb8..cffd72cc3f0 100644
--- a/spec/bundler/bundler/source/git/git_proxy_spec.rb
+++ b/spec/bundler/bundler/source/git/git_proxy_spec.rb
@@ -11,21 +11,21 @@ RSpec.describe Bundler::Source::Git::GitProxy do https://github.com/ruby/ruby/blob/trunk/spec/bundler/bundler/source/git/git_proxy_spec.rb#L11
   context "with configured credentials" do
     it "adds username and password to URI" do
       Bundler.settings.temporary(uri => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@g.../rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@g.../rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "adds username and password to URI for host" do
       Bundler.settings.temporary("github.com" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@g.../rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@g.../rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "does not add username and password to mismatched URI" do
       Bundler.settings.temporary("https://u:p@g.../rubygems/rubygems-mismatch.git" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", uri, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", uri, path.to_s)
         subject.checkout
       end
     end
@@ -34,7 +34,7 @@ RSpec.describe Bundler::Source::Git::GitProxy do https://github.com/ruby/ruby/blob/trunk/spec/bundler/bundler/source/git/git_proxy_spec.rb#L34
       Bundler.settings.temporary("github.com" => "u:p") do
         original = "https://orig:info@g.../rubygems/rubygems.git"
         subject = described_class.new(Pathname("path"), original, "HEAD")
-        expect(subject).to receive(:git_retry).with("clone", original, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", original, path.to_s)
         subject.checkout
       end
     end
@@ -148,4 +148,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do https://github.com/ruby/ruby/blob/trunk/spec/bundler/bundler/source/git/git_proxy_spec.rb#L148
       end
     end
   end
+
+  it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
+    gemfile <<~G
+      gem "poc", git: "-u./pay:load.sh"
+    G
+
+    file = bundled_app("pay:load.sh")
+
+    create_file file, <<~RUBY
+      #!/bin/sh
+
+      touch #{bundled_app("canary")}
+    RUBY
+
+    FileUtils.chmod("+x", file)
+
+    bundle :lock, :raise_on_error => false
+
+    expect(Pathname.new(bundled_app("canary"))).not_to exist
+  end
 end
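Review bot: The regression test only drives the `clone` path via `bundle :lock`; the `fetch` call that also gained `--` (and that appends the user-supplied `extra_ref`) has no equivalent test, so a second case with a `ref:` or `branch:` value beginning with `-` would be worth adding. Because `:raise_on_error => false` discards the exit status, the assertion on `canary` also passes vacuously if bundler fails before ever invoking git; pinning the expected failure, e.g. `expect(err).to include("pay:load.sh")` or an assertion that the git command was reached, would make the test prove the separator was in effect rather than that the run simply aborted.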


