←back to thread

Breaking Git with a carriage return and cloning RCE

(dgl.cx)
348 points dgl | 6 comments | 08 Jul 25 17:48 UTC | HN request time: 0.583s | source | bottom
1. dwheeler ◴[08 Jul 25 21:18 UTC] No.44504152[source]
Ah yes, yet ANOTHER vulnerability caused because Linux and most Unixes allow control characters in filenames. This ability's primary purpose appears to be to enable attacks and to make it significantly more difficult to write correct code. For example, you're not supposed to exchange filenames a line at a time, since filenames can contain newlines.

See my discussion here: https://dwheeler.com/essays/fixing-unix-linux-filenames.html

One piece of good news: POSIX recently added xargs -0 and find -print0, making it a little easier to portably handle such filenames. Still, it's a pain.

I plan to complete my "safename" Linux module I started years ago. When enabled, it prevents creating filenames in certain cases such as those with control characters. It won't prevent all problems, but it's a decent hardening mechanism that prevents problems in many cases.

replies(2): >>44504259 #>>44506119 #
2. layer8 ◴[08 Jul 25 21:34 UTC] No.44504259[source]
You can get similar vulnerabilities with Unicode normalization, with mismatched code pages/character encodings, or, as the article points out, with a case-insensitive file system. That's not to say that control characters should be allowed in file names, but there's an inherent risk whenever byte sequences are being decoded or normalized into something else.
replies(1): >>44504969 #
3. dwheeler ◴[08 Jul 25 23:32 UTC] No.44504969[source]
Not to the same degree, though, and the arguments for status quo are especially weak. There are reasonable arguments pro and con case-insensitive filenames. Character encoding issues are dwindling, since most systems just use utf-8 for filename encoding (as there is no mechanism for indicating the encoding of each specific filename), and using utf-8 consistently in filenames supports filenames in arbitrary languages.

Control characters in filenames have no obviously valuable use case, they appear to be allowed only because "it's always been allowed". That is not a strong argument for them. Some systems do not allow them, with no obvious ill effects.

4. Cloudef ◴[09 Jul 25 03:34 UTC] No.44506119[source]
I think better idea is to make git use user namespaces and sandbox itself to the clone directory so it literally cannot write/read outside of it. This prevents path traversal attacks and limits the amount of damage RCE could do. Filenames really aren't the problem.
replies(1): >>44507053 #
5. dbdr ◴[09 Jul 25 07:00 UTC] No.44507053[source]
The idea of Defence in Depth is to handle vulnerabilities at several levels, instead of relying on a single technique that becomes a single point of failure.
replies(1): >>44508234 #
6. Cloudef ◴[09 Jul 25 10:26 UTC] No.44508234{3}[source]
I'm not saying not to do that. But it seems sandboxing should be the first thing to think of. Especially in concept of git which allows you to execute all sorts of custom scripts. File name sanitation is not that however, in fact in contrary file name sanitation is known to cause security vulnerabilities and other annoying issues in past.