archive: don't let remote clients get unreachable commits

peff · gitster · commit ee27ca4a7818 · 2011-11-21T14:42:25.000-08:00
Usually git is careful not to allow clients to fetch
arbitrary objects from the database; for example, objects
received via upload-pack must be reachable from a ref.
Upload-archive breaks this by feeding the client's tree-ish
directly to get_sha1, which will accept arbitrary hex sha1s,
reflogs, etc.

This is not a problem if all of your objects are publicly
reachable anyway (or at least public to anybody who can run
upload-archive). Or if you are making the repo available by
dumb protocols like http or rsync (in which case the client
can read your whole object db directly).

But for sites which allow access only through smart
protocols, clients may be able to fetch trees from commits
that exist in the server's object database but are not
referenced (e.g., because history was rewound).

This patch tightens upload-archive's lookup to use dwim_ref
rather than get_sha1. This means a remote client can only
fetch the tip of a named ref, not an arbitrary sha1 or
reflog entry.

This also restricts some legitimate requests, too:

  1. Reachable non-tip commits, like:

        git archive --remote=$url v1.0~5

  2. Sub-trees of reachable commits, like:

        git archive --remote=$url v1.7.7:Documentation

Local requests continue to use get_sha1, and are not
restricted at all.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/archive.c b/archive.c
@@ -196,7 +196,8 @@ static void parse_pathspec_arg(const char **pathspec,
 }
 
 static void parse_treeish_arg(const char **argv,
-		struct archiver_args *ar_args, const char *prefix)
+		struct archiver_args *ar_args, const char *prefix,
+		int remote)
 {
 	const char *name = argv[0];
 	const unsigned char *commit_sha1;
@@ -205,8 +206,17 @@ static void parse_treeish_arg(const char **argv,
 	const struct commit *commit;
 	unsigned char sha1[20];
 
-	if (get_sha1(name, sha1))
-		die("Not a valid object name");
+	/* Remotes are only allowed to fetch actual refs */
+	if (remote) {
+		char *ref = NULL;
+		if (!dwim_ref(name, strlen(name), sha1, &ref))
+			die("no such ref: %s", name);
+		free(ref);
+	}
+	else {
+		if (get_sha1(name, sha1))
+			die("Not a valid object name");
+	}
 
 	commit = lookup_commit_reference_gently(sha1, 1);
 	if (commit) {
@@ -324,7 +334,7 @@ static int parse_archive_args(int argc, const char **argv,
 }
 
 int write_archive(int argc, const char **argv, const char *prefix,
-		int setup_prefix)
+		  int setup_prefix, int remote)
 {
 	const struct archiver *ar = NULL;
 	struct archiver_args args;
@@ -333,7 +343,7 @@ int write_archive(int argc, const char **argv, const char *prefix,
 	if (setup_prefix && prefix == NULL)
 		prefix = setup_git_directory();
 
-	parse_treeish_arg(argv, &args, prefix);
+	parse_treeish_arg(argv, &args, prefix, remote);
 	parse_pathspec_arg(argv + 1, &args);
 
 	git_config(git_default_config, NULL);
diff --git a/archive.h b/archive.h
@@ -24,6 +24,7 @@ extern int write_tar_archive(struct archiver_args *);
 extern int write_zip_archive(struct archiver_args *);
 
 extern int write_archive_entries(struct archiver_args *args, write_archive_entry_fn_t write_entry);
-extern int write_archive(int argc, const char **argv, const char *prefix, int setup_prefix);
+extern int write_archive(int argc, const char **argv, const char *prefix,
+			 int setup_prefix, int remote);
 
 #endif	/* ARCHIVE_H */
diff --git a/builtin-archive.c b/builtin-archive.c
@@ -117,5 +117,5 @@ int cmd_archive(int argc, const char **argv, const char *prefix)
 
 	setvbuf(stderr, NULL, _IOLBF, BUFSIZ);
 
-	return write_archive(argc, argv, prefix, 1);
+	return write_archive(argc, argv, prefix, 1, 0);
 }
diff --git a/builtin-upload-archive.c b/builtin-upload-archive.c
@@ -64,7 +64,7 @@ static int run_upload_archive(int argc, const char **argv, const char *prefix)
 	sent_argv[sent_argc] = NULL;
 
 	/* parse all options sent by the client */
-	return write_archive(sent_argc, sent_argv, prefix, 0);
+	return write_archive(sent_argc, sent_argv, prefix, 0, 1);
 }
 
 static void error_clnt(const char *fmt, ...)
diff --git a/t/t5000-tar-tree.sh b/t/t5000-tar-tree.sh
@@ -213,4 +213,12 @@ test_expect_success \
     'git archive --list outside of a git repo' \
     'GIT_DIR=some/non-existing/directory git archive --list'
 
+test_expect_success 'clients cannot access unreachable commits' '
+	test_commit unreachable &&
+	sha1=`git rev-parse HEAD` &&
+	git reset --hard HEAD^ &&
+	git archive $sha1 >remote.tar &&
+	test_must_fail git archive --remote=. $sha1 >remote.tar
+'
+
 test_done

Original file line number	Diff line number	Diff line change
`@@ -117,5 +117,5 @@ int cmd_archive(int argc, const char *argv, const char prefix)`
`117`	`117`
`118`	`118`	`setvbuf(stderr, NULL, _IOLBF, BUFSIZ);`
`119`	`119`
`120`		`- return write_archive(argc, argv, prefix, 1);`
	`120`	`+ return write_archive(argc, argv, prefix, 1, 0);`
`121`	`121`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ static int run_upload_archive(int argc, const char *argv, const char prefix)`
`64`	`64`	`sent_argv[sent_argc] = NULL;`
`65`	`65`
`66`	`66`	`/* parse all options sent by the client */`
`67`		`- return write_archive(sent_argc, sent_argv, prefix, 0);`
	`67`	`+ return write_archive(sent_argc, sent_argv, prefix, 0, 1);`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`static void error_clnt(const char *fmt, ...)`