2016-04-18 15:22:52 -07:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
final class DiffusionMercurialCommandEngine
|
|
|
|
|
extends DiffusionCommandEngine {
|
|
|
|
|
|
|
|
|
|
protected function canBuildForRepository(
|
|
|
|
|
PhabricatorRepository $repository) {
|
|
|
|
|
return $repository->isHg();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected function newFormattedCommand($pattern, array $argv) {
|
|
|
|
|
$args = array();
|
|
|
|
|
|
2017-11-09 07:23:40 -08:00
|
|
|
// Crudely blacklist commands which look like they may contain command
|
|
|
|
|
// injection via "--config" or "--debugger". See T13012. To do this, we
|
|
|
|
|
// print the whole command, parse it using shell rules, then examine each
|
|
|
|
|
// argument to see if it looks like "--config" or "--debugger".
|
|
|
|
|
|
|
|
|
|
$test_command = call_user_func_array(
|
|
|
|
|
'csprintf',
|
|
|
|
|
array_merge(array($pattern), $argv));
|
|
|
|
|
$test_args = id(new PhutilShellLexer())
|
|
|
|
|
->splitArguments($test_command);
|
|
|
|
|
|
|
|
|
|
foreach ($test_args as $test_arg) {
|
|
|
|
|
if (preg_match('/^--(config|debugger)/i', $test_arg)) {
|
|
|
|
|
throw new DiffusionMercurialFlagInjectionException(
|
|
|
|
|
pht(
|
|
|
|
|
'Mercurial command appears to contain unsafe injected "--config" '.
|
|
|
|
|
'or "--debugger": %s',
|
|
|
|
|
$test_command));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Pass SSH wrappers to VCS commands unconditonally, not just if there's an SSH remote
Summary:
Ref T12961. In Mercurial, it's possible to have "subrepos" which may use a different protocol than the main repository.
By putting an SSH repository inside an HTTP repository, an attacker can theoretically get us to execute `hg` without overriding `ui.ssh`, then execute code via the SSH hostname attack.
As an immediate mitigation to this attack, specify `ui.ssh` unconditionally. Normally, this will have no effect (it will just be ignored). In the specific case of an SSH repo inside an HTTP repo, it will defuse the `ssh` protocol.
For good measure and consistency, do the same for Subversion and Git. However, we don't normally maintain working copies for either Subversion or Git so it's unlikely that similar attacks exist there.
Test Plan:
- Put an SSH subrepo with an attack URI inside an HTTP outer repo in Mercurial.
- Ran `hg up` with and without `ui.ssh` specified.
- Got dangerous badness without `ui.ssh` and safe `ssh` subprocesses with `ui.ssh`.
I'm not yet able to confirm that `hg pull -u -- <uri>` can actually trigger this, but this can't hurt and our SSH wrapper is safer than the native behavior for all Subversion, Git and Mercurial versions released prior to today.
Reviewers: chad
Reviewed By: chad
Subscribers: cspeckmim
Maniphest Tasks: T12961
Differential Revision: https://secure.phabricator.com/D18389
2017-08-10 17:04:11 -07:00
|
|
|
// NOTE: Here, and in Git and Subversion, we override the SSH command even
|
|
|
|
|
// if the repository does not use an SSH remote, since our SSH wrapper
|
|
|
|
|
// defuses an attack against older versions of Mercurial, Git and
|
|
|
|
|
// Subversion (see T12961) and it's possible to execute this attack
|
|
|
|
|
// in indirect ways, like by using an SSH subrepo inside an HTTP repo.
|
|
|
|
|
|
|
|
|
|
$pattern = "hg --config ui.ssh=%s {$pattern}";
|
|
|
|
|
$args[] = $this->getSSHWrapper();
|
2016-04-18 15:22:52 -07:00
|
|
|
|
|
|
|
|
return array($pattern, array_merge($args, $argv));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected function newCustomEnvironment() {
|
|
|
|
|
$env = array();
|
|
|
|
|
|
|
|
|
|
// NOTE: This overrides certain configuration, extensions, and settings
|
|
|
|
|
// which make Mercurial commands do random unusual things.
|
|
|
|
|
$env['HGPLAIN'] = 1;
|
|
|
|
|
|
|
|
|
|
return $env;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sanitize output of an `hg` command invoked with the `--debug` flag to make
|
|
|
|
|
* it usable.
|
|
|
|
|
*
|
|
|
|
|
* @param string Output from `hg --debug ...`
|
|
|
|
|
* @return string Usable output.
|
|
|
|
|
*/
|
|
|
|
|
public static function filterMercurialDebugOutput($stdout) {
|
|
|
|
|
// When hg commands are run with `--debug` and some config file isn't
|
|
|
|
|
// trusted, Mercurial prints out a warning to stdout, twice, after Feb 2011.
|
|
|
|
|
//
|
|
|
|
|
// http://selenic.com/pipermail/mercurial-devel/2011-February/028541.html
|
|
|
|
|
//
|
|
|
|
|
// After Jan 2015, it may also fail to write to a revision branch cache.
|
|
|
|
|
|
|
|
|
|
$ignore = array(
|
|
|
|
|
'ignoring untrusted configuration option',
|
|
|
|
|
"couldn't write revision branch cache:",
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
foreach ($ignore as $key => $pattern) {
|
|
|
|
|
$ignore[$key] = preg_quote($pattern, '/');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ignore = '('.implode('|', $ignore).')';
|
|
|
|
|
|
|
|
|
|
$lines = preg_split('/(?<=\n)/', $stdout);
|
|
|
|
|
$regex = '/'.$ignore.'.*\n$/';
|
|
|
|
|
|
|
|
|
|
foreach ($lines as $key => $line) {
|
|
|
|
|
$lines[$key] = preg_replace($regex, '', $line);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return implode('', $lines);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|