Breaking Git with a carriage return and cloning RCE

(dgl.cx)

359 points dgl | 4 comments | 08 Jul 25 17:48 UTC | HN request time: 1.024s | source

Show context

HappMacDonald ◴[08 Jul 25 19:28 UTC] No.44503204[source]▶

I completely disagree with author's (oft quoted here in comments) statement:

> I find this particularly interesting because this isn't fundamentally a problem of the software being written in C. These are logic errors that are possible in nearly all languages

For Christ's sake, Turing taught us that any error in one language is possible in any other language. You can even get double free in Rust if you take the time to build an entire machine emulator and then run something that uses Malloc in the ensuing VM. Rust and similar memory safe languages can emulate literally any problem C can make a mine field out of.. but logic errors being "possible" to perform are significantly different from logic errors being the first tool available to pull out of one's toolbox.

Other comments have cited that in non-C languages a person would be more likely to reach for a security-hardened library first, which I agree might be helpful.. but replies to those comments also correctly point out that this trades one problem for another with dependency hell, and I would add on top of that the issue that a widely relied upon library can also increase the surface area of attack when a novel exploit gets found in it. Libraries can be a very powerful tool but neither are they a panacea.

I would argue that the real value in a more data-safe language (be that Rust or Haskell or LISP et al) is in offering the built-in abstractions which lend themselves to more carefully modeling data than as a firehose of octets which a person then assumes they need to state-switch over like some kind of raw Turing machine.

"Parse, don't validate" is a lot easier to stick to when you're coding in a language designed with a precept like that in mind vs a language designed to be only slightly more abstract than machine code where one can merely be grateful that they aren't forced to use jump instructions for every control flow action.

replies(5): >>44503421 #>>44503690 #>>44503814 #>>44504757 #>>44507075 #

markasoftware ◴[08 Jul 25 20:34 UTC] No.44503814[source]▶

>>44503204 #

As you point out, the most serious way to undermine the "safety" features in a "safe" language like Rust is to implement a VM, programming language, serdes framework, etc, because these operate outside of Rust's type system and memory safety.

And that's exactly what the Git developers did here: They made an in-house configuration file format. If implemented in Rust, it would bypass most of Rust's safety features, particularly, type-safety.

replies(1): >>44504068 #

nixosbestos ◴[08 Jul 25 21:04 UTC] No.44504068[source]▶

>>44503814 #

It is mind-blowing the things people come up with when it comes to Rust vs C conversations. The same colvoluted crap for years at this point.

No, just no. I'm sorry, Ive implemented countless custom formats in Rust and have NEVER had to side step safe/unsafe or otherwise sacrifice type safety. Just what an absurd claim.

Maybe for some binary (de)serialization you get fancy (lol and are still likely to be far better off than with C) but goodness, I cannot imagine a single reason why a config file parser would need to be (type)-unsafe.

replies(1): >>44504364 #

1. sophacles ◴[08 Jul 25 21:48 UTC] No.44504364[source]▶

>>44504068 #

The person you replied to didn't say that you had to bypass safe. This bug is orthogonal to type and memory safety, its a different issue.

The git bug in question could be written in 100% safe rust using as much or as little of the type system[1] as you want. It's a logic error when parsing a string.

I dev rust full-time, and I've spent a lot of time writing protocol parsers. It's easy to forget to check this or that byte/string for every possible edge case as you're parsing it into some rust type, and happens all the time in rust, just like it did in C or python or go when I used those languages. This bug (if anything) is the type of thing that is solved with good tokenizer design and testing, and using more small, independently tested functions - again not at all related to the type system.

[1] Although in rust you can arrange your types so that this sort of bug is harder to implement or easier to catch than in most languages... but doing that requires an up-front understanding that logic bugs are just as possible in rust as in other languages, as well as some experience to avoid awkwardness when setting the types up.

replies(1): >>44504771 #

2. the8472 ◴[08 Jul 25 22:57 UTC] No.44504771[source]▶

>>44504364 (TP) #

In practice I think a Rust project would have used toml which parses safely. The limitation there would be that toml requires strings to be utf8, so it couldn't represent all possible unix paths.

replies(1): >>44510730 #

3. hnaccount_rng ◴[09 Jul 25 14:51 UTC] No.44510730[source]▶

>>44504771 #

Which kind of makes it an unsuitable solution for the given problem right? Git is not free to (or at least doesn't consider itself free to) work only on a subset of possible paths.

replies(1): >>44512083 #

4. bfndkgkskk ◴[09 Jul 25 16:38 UTC] No.44512083{3}[source]▶

>>44510730 #

Most applications could probably get away with not supporting control characters in paths, even git, because most file systems/OSes doesn’t support it anyway, as a user of control characters in a paths you can never trust it to work anyway.

↑