Skip to content

gitutils: add validation for ref (CVE-2019-13139)#38944

Merged
thaJeztah merged 1 commit into
moby:masterfrom
andrewhsu:gitutils
Mar 27, 2019
Merged

gitutils: add validation for ref (CVE-2019-13139)#38944
thaJeztah merged 1 commit into
moby:masterfrom
andrewhsu:gitutils

Conversation

@andrewhsu
Copy link
Copy Markdown
Contributor

@andrewhsu andrewhsu commented Mar 26, 2019
edited
Loading

From a fix that @tonistiigi created, this PR adds validation for git ref so it can't be misinterpreted as a flag. fetch -- is a cleaner option but as it is theoretically possible to also hit it in checkout there's a custom validation as well.

Thanks to @staaldraad for pointing this issue out originally.

cc @justincormack

@tonistiigi @andrewhsu
gitutils: add validation for ref
a588898 
Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <[email protected]>
@andrewhsu andrewhsu requested a review from tonistiigi as a code owner March 26, 2019 22:14
thaJeztah
thaJeztah approved these changes Mar 26, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This was referenced Mar 26, 2019
Merged
Closed
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 27, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@639880e). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #38944   +/-   ##
=========================================
  Coverage          ?    36.9%           
=========================================
  Files             ?      614           
  Lines             ?    45404           
  Branches          ?        0           
=========================================
  Hits              ?    16757           
  Misses            ?    26357           
  Partials          ?     2290

@thaJeztah thaJeztah merged commit be7ac8b into moby:master Mar 27, 2019
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Mar 27, 2019
@thaJeztah
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
010c234 
relevant changes;

- moby/moby#38006 / docker-archive/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker-archive/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker-archive/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker-archive/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this pull request Mar 27, 2019
Merged
@andrewhsu andrewhsu deleted the gitutils branch March 27, 2019 16:01
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Mar 27, 2019
@thaJeztah
bump engine 200b524eff60a9c95a22bc2518042ac2ff617d07 (18.09 branch)
b3b20ef 
relevant changes;

- moby/moby#38006 / docker-archive/engine#114 client: use io.LimitedReader for reading HTTP error
- moby/moby#38634 / docker-archive/engine#167 pkg/archive:CopyTo(): fix for long dest filename
  - fixes docker/for-linux#484 for 18.09
- moby/moby#38944 / docker-archive/engine#183 gitutils: add validation for ref
- moby/moby#37780 / docker-archive/engine#55 pkg/progress: work around closing closed channel panic
  - addresses moby/moby#/37735 pkg/progress: panic due to race on shutdown

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 010c234a0d5a03d450ebec60be37dd9f279feeca
Component: cli
@thaJeztah thaJeztah changed the title gitutils: add validation for ref gitutils: add validation for ref (CVE-2019-13139) Jul 15, 2019
@staaldraad
Copy link
Copy Markdown

staaldraad commented Jul 15, 2019

For reference

I requested a CVE and CVE-2019-13139 has been reserved for this issue.

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Jul 15, 2019

@staaldraad thanks! I got notified of the CVE, so updated the titles of all the related PR's to include it 👍

We should probably update the release notes as well; https://github.com/docker/docker.github.io/blob/master/engine/release-notes.md#18094

Let me know if you're interested in opening a pull request in that repository, or if you want me to do so

@staaldraad staaldraad mentioned this pull request Jul 15, 2019
Merged
@staaldraad
Copy link
Copy Markdown

staaldraad commented Jul 15, 2019

Thanks @thaJeztah 🎉

I've opened a PR -- wanted to tag you in as reviewer but it seems like labels and reviewers aren't available to non-project members

This was referenced Aug 30, 2019
Merged
Merged
@DavidGarciaCat DavidGarciaCat mentioned this pull request Aug 28, 2023
Open
@tatianab tatianab mentioned this pull request Nov 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@tonistiigi tonistiigi Awaiting requested review from tonistiigi tonistiigi is a code owner

+1 more reviewer

@justincormack justincormack justincormack approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/builder Build status/4-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@andrewhsu @staaldraad @thaJeztah @justincormack @GordonTheTurtle @tonistiigi