From: Sebastian Kisela <skisela@xxxxxxxxxx>
Fix volnurability against MITM attacks on client side by replacing non printable and non white space characters by "?".
Fixes: CVE-2018-1000021
Signed-off-by: Sebastian Kisela <skisela@xxxxxxxxxx>
---
 sideband.c | 20 ++++++++++++++++++++
 t/t5401-update-hooks.sh | 23 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/sideband.c b/sideband.c
index 325bf0e97..8c9d74ace 100644
--- a/sideband.c
+++ b/sideband.c
@@ -1,3 +1,4 @@
+#include <wchar.h>
 #include "cache.h"
 #include "pkt-line.h"
 #include "sideband.h"
@@ -18,6 +19,20 @@
 #define ANSI_SUFFIX "\033[K"
 #define DUMB_SUFFIX " "
 
+int sanitize_server_message(struct strbuf *outbuf)
+{
+ wchar_t *wcstring = xmalloc(sizeof(wchar_t) * outbuf->len);
+ int len = mbstowcs(wcstring, outbuf->buf, outbuf->len);
+ if (len == -1)
+ return 1;
+ for(int i = 0; i <= len; i++)
+ if(!isprint(wcstring[i]) && !isspace(wcstring[i]) )
+ wcstring[i] = '?';
+ if (wcstombs(outbuf->buf, wcstring, outbuf->len) == -1)
+ return 1;
+ return 0;
+}
+
 int recv_sideband(const char *me, int in_stream, int out)
 {
 const char *suffix;
@@ -74,6 +89,9 @@ int recv_sideband(const char *me, int in_stream, int out)
 } else {
 strbuf_addch(&outbuf, *brk);
 }
+
+ if (sanitize_server_message(&outbuf))
+ retval = SIDEBAND_REMOTE_ERROR;
 xwrite(2, outbuf.buf, outbuf.len);
 strbuf_reset(&outbuf);
 
@@ -97,6 +115,8 @@ int recv_sideband(const char *me, int in_stream, int out)
 if (outbuf.len) {
 strbuf_addch(&outbuf, '\n');
+ if (sanitize_server_message(&outbuf))
+ retval = SIDEBAND_REMOTE_ERROR;
 xwrite(2, outbuf.buf, outbuf.len);
 }
 strbuf_release(&outbuf);
diff --git a/t/t5401-update-hooks.sh b/t/t5401-update-hooks.sh
index 7f278d8ce..cc1f6ca29 100755
--- a/t/t5401-update-hooks.sh
+++ b/t/t5401-update-hooks.sh
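Review bot: `+#include <wchar.h>` is inserted ahead of `#include "cache.h"`, but as far as I recall git's CodingGuidelines require git-compat-util.h (which cache.h pulls in) to be the first include of every .c file, because it defines the feature-test macros (_GNU_SOURCE, _XOPEN_SOURCE and friends) that must be set before any system header is parsed; a system header seen first can make those definitions ineffective on some platforms. Move the line below the existing three, i.e. `#include "sideband.h"` followed by `#include <wchar.h>`. If the new helper is changed to use `iswprint`/`iswspace`, `<wctype.h>` should be added in the same place, since `<wchar.h>` alone is not guaranteed to declare them.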
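Review bot: `for(int i = 0; i <= len; i++)` reads, and can write, one element past the `outbuf->len` wide characters that were allocated: when every byte of the line is a single-byte character, which is the common case, mbstowcs stores exactly `outbuf->len` wide characters, returns that count without storing a terminating L'\0', and the loop then touches `wcstring[len]` beyond the xmalloc'd block. The same loop passes `wchar_t` values to `isprint`/`isspace`, whose argument must be representable as unsigned char (git-compat-util.h's ASCII-only replacements, if they are in effect here, silently truncate the value), so every non-ASCII character is classified by its low byte rather than by what it is; `iswprint`/`iswspace` from `<wctype.h>` are the matching routines. `wcstring` is never freed, and because a replaced multibyte sequence shrinks to one '?', the converted string can be shorter than `outbuf->len` while the caller still writes `outbuf->len` bytes, emitting stale tail bytes of the old content. The rewrite below sizes the buffer for the terminator, bounds the loop with `<`, frees on every path, trims the strbuf to the converted length and makes the helper `static` since nothing shown declares it elsewhere; whether the client process ever calls setlocale so that mbstowcs accepts non-ASCII input at all is decided outside this file and is worth confirming.
```c
static int sanitize_server_message(struct strbuf *outbuf)
{
	size_t n = outbuf->len + 1;   /* room for the terminating L'\0' */
	wchar_t *wcstring = xmalloc(sizeof(wchar_t) * n);
	size_t len = mbstowcs(wcstring, outbuf->buf, n);
	size_t i;

	if (len == (size_t)-1) {
		free(wcstring);
		return 1;
	}
	for (i = 0; i < len; i++)
		if (!iswprint(wcstring[i]) && !iswspace(wcstring[i]))
			wcstring[i] = L'?';
	len = wcstombs(outbuf->buf, wcstring, outbuf->len + 1);
	free(wcstring);
	if (len == (size_t)-1)
		return 1;
	/* a replaced multibyte sequence shrinks to a single '?', so the length may drop */
	strbuf_setlen(outbuf, len);
	return 0;
}
```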
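Review bot: On the failure return of `sanitize_server_message(&outbuf)` the following `xwrite(2, outbuf.buf, outbuf.len)` still runs, so the unsanitized line, escape sequences included, reaches the terminal whenever mbstowcs rejects the input; a remote that places one invalid multibyte byte ahead of its payload, or sends any non-ASCII byte to a client running in the "C" locale, therefore bypasses the fix entirely. The sanitizer has to fail closed: `if (sanitize_server_message(&outbuf)) retval = SIDEBAND_REMOTE_ERROR; else xwrite(2, outbuf.buf, outbuf.len);`, or better, it should never be able to fail, by falling back to a locale-independent byte-wise scrub that masks every byte below 0x20 other than \t, \n and \r, plus 0x7f, to '?'. Setting retval here also turns a display problem into a remote error for the whole transfer, and if the enclosing line loop is conditioned on `!retval`, as I believe it is, the remaining lines of this packet are dropped; that loop and the rest of recv_sideband lie outside the hunk.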
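Review bot: The same fail-open pattern is repeated for the trailing partial line: after `if (sanitize_server_message(&outbuf))` the buffer is handed to `xwrite` regardless of the result, so the last line of a server message escapes sanitization whenever conversion fails. Gate the write on success here too, `else xwrite(2, outbuf.buf, outbuf.len);`. With two identical check-then-write sequences, a small static helper that sanitizes, writes and updates `retval` in one place would keep the two call sites from drifting apart; recv_sideband's `return retval` and closing brace follow outside the hunk.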
@@ -148,4 +148,27 @@ test_expect_success 'pre-receive hook that forgets to read its input' '
 git push ./victim.git "+refs/heads/*:refs/heads/*"
 '
 
+cat <<EOF >expect
+remote: foo?[0;31mbar?[0m
+To ./victim.git
+ * [new branch] victim_branch -> victim_branch
+EOF
+cat >victim.git/hooks/pre-receive <<'EOF'
+#!/bin/sh
+ printf "foo\033[0;31mbar\033[0m"
+ exit 0
+EOF
+chmod u+x victim.git/hooks/pre-receive
+test_expect_success 'pre-receive stderr contains ANSI colors' '
+ rm -f victim.git/hooks/update victim.git/hooks/post-receive &&
+
+ git branch victim_branch master &&
+ git push ./victim.git "+refs/heads/victim_branch:refs/heads/victim_branch"\
+ >send.out 2>send.err &&
+
+ cat send.err > actual &&
+
+ test_cmp expect actual
+'
+
 test_done
--
2.14.4
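Review bot: The new test only checks that an ESC byte becomes `?`; it neither pins that legitimate non-ASCII output survives (a hook printing `caf\303\251`, which a locale-dependent mbstowcs may reject) nor exercises the path where sanitization fails and the push is reported as a remote error, which is exactly the behaviour a MITM-hardening fix needs to lock down, so at least one case under a UTF-8 locale prerequisite (or a comment on why ASCII-only coverage is enough) is warranted. The hook and the `expect` file are written at script load time, outside `test_expect_success`, so a failure of `cat` or `chmod` there is not attributed to the test; moving that setup into the test body, with `write_script victim.git/hooks/pre-receive <<-\EOF &&` if that helper is what the rest of t5401 uses, keeps it reported. `cat send.err > actual &&` followed by `test_cmp expect actual` can simply be `test_cmp expect send.err`.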