mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-18 19:40:55 +01:00
a7921a4448
Summary: Ref T13012. These flags can be exploited by attackers to execute code remotely. See T13012 for discussion and context. Additionally, harden some Mercurial commands where possible (by using additional quoting or embedding arguments in other constructs) so they resist these flags and behave properly when passed arguments with these values. Test Plan: - Added unit tests. - Verified "--config" and "--debugger" commands are rejected. - Verified more commands now work properly even with branches and files named `--debugger`, although not all of them do. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13012 Differential Revision: https://secure.phabricator.com/D18769
93 lines
2.9 KiB
PHP
93 lines
2.9 KiB
PHP
<?php
|
|
|
|
final class DiffusionMercurialCommandEngine
|
|
extends DiffusionCommandEngine {
|
|
|
|
protected function canBuildForRepository(
|
|
PhabricatorRepository $repository) {
|
|
return $repository->isHg();
|
|
}
|
|
|
|
protected function newFormattedCommand($pattern, array $argv) {
|
|
$args = array();
|
|
|
|
// Crudely blacklist commands which look like they may contain command
|
|
// injection via "--config" or "--debugger". See T13012. To do this, we
|
|
// print the whole command, parse it using shell rules, then examine each
|
|
// argument to see if it looks like "--config" or "--debugger".
|
|
|
|
$test_command = call_user_func_array(
|
|
'csprintf',
|
|
array_merge(array($pattern), $argv));
|
|
$test_args = id(new PhutilShellLexer())
|
|
->splitArguments($test_command);
|
|
|
|
foreach ($test_args as $test_arg) {
|
|
if (preg_match('/^--(config|debugger)/i', $test_arg)) {
|
|
throw new DiffusionMercurialFlagInjectionException(
|
|
pht(
|
|
'Mercurial command appears to contain unsafe injected "--config" '.
|
|
'or "--debugger": %s',
|
|
$test_command));
|
|
}
|
|
}
|
|
|
|
// NOTE: Here, and in Git and Subversion, we override the SSH command even
|
|
// if the repository does not use an SSH remote, since our SSH wrapper
|
|
// defuses an attack against older versions of Mercurial, Git and
|
|
// Subversion (see T12961) and it's possible to execute this attack
|
|
// in indirect ways, like by using an SSH subrepo inside an HTTP repo.
|
|
|
|
$pattern = "hg --config ui.ssh=%s {$pattern}";
|
|
$args[] = $this->getSSHWrapper();
|
|
|
|
return array($pattern, array_merge($args, $argv));
|
|
}
|
|
|
|
protected function newCustomEnvironment() {
|
|
$env = array();
|
|
|
|
// NOTE: This overrides certain configuration, extensions, and settings
|
|
// which make Mercurial commands do random unusual things.
|
|
$env['HGPLAIN'] = 1;
|
|
|
|
return $env;
|
|
}
|
|
|
|
/**
|
|
* Sanitize output of an `hg` command invoked with the `--debug` flag to make
|
|
* it usable.
|
|
*
|
|
* @param string Output from `hg --debug ...`
|
|
* @return string Usable output.
|
|
*/
|
|
public static function filterMercurialDebugOutput($stdout) {
|
|
// When hg commands are run with `--debug` and some config file isn't
|
|
// trusted, Mercurial prints out a warning to stdout, twice, after Feb 2011.
|
|
//
|
|
// http://selenic.com/pipermail/mercurial-devel/2011-February/028541.html
|
|
//
|
|
// After Jan 2015, it may also fail to write to a revision branch cache.
|
|
|
|
$ignore = array(
|
|
'ignoring untrusted configuration option',
|
|
"couldn't write revision branch cache:",
|
|
);
|
|
|
|
foreach ($ignore as $key => $pattern) {
|
|
$ignore[$key] = preg_quote($pattern, '/');
|
|
}
|
|
|
|
$ignore = '('.implode('|', $ignore).')';
|
|
|
|
$lines = preg_split('/(?<=\n)/', $stdout);
|
|
$regex = '/'.$ignore.'.*\n$/';
|
|
|
|
foreach ($lines as $key => $line) {
|
|
$lines[$key] = preg_replace($regex, '', $line);
|
|
}
|
|
|
|
return implode('', $lines);
|
|
}
|
|
|
|
}
|