Page MenuHomePhabricator
Differential D18390

Stop populating or updating working copies in observed Mercurial repositories
ClosedPublic
Actions

Authored by epriestley on Aug 11 2017, 12:49 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Jul 25, 3:06 PM
Unknown Object (File)
Mon, Jul 22, 11:46 AM
Unknown Object (File)
Sun, Jul 21, 12:04 PM
Unknown Object (File)
Wed, Jul 17, 12:26 PM
Unknown Object (File)
Sat, Jul 13, 4:05 AM
Unknown Object (File)
Wed, Jul 10, 12:57 PM
Unknown Object (File)
Mon, Jul 8, 1:43 AM
Unknown Object (File)
Mon, Jul 1, 2:24 PM
View All Files
Subscribers
cspeckmim

Details

Reviewers
chad
Maniphest Tasks
T4416: Drop "-u" flag from `hg pull` in daemons?
T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`)
Commits
rP41e823796ac1: (stable) Stop populating or updating working copies in observed Mercurial…
rP2c150076b00f: Stop populating or updating working copies in observed Mercurial repositories
Summary

Ref T12961. Fixes T4416. Currently, for observed Mercurial repositories, we build a working copy with pull -u (for "update").

This should be unnecessary, and we don't do it for hosted Mercurial repositories. We also stopped doing it years ago for Git repositories. We also don't clone Mercurial repositories with a working copy.

It's possible something has slipped through the cracks here so I'll hold this until after the release cut, but I believe there are no actual technical blockers here.

Test Plan
  • Observed a public Mercurial repository on Bitbucket.
  • Let it import.
  • Browsed commits, branches, file content, etc., without any apparent issues.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley created this revision.Aug 11 2017, 12:49 AM
chad accepted this revision.Aug 11 2017, 12:50 AM
This revision is now accepted and ready to land.Aug 11 2017, 12:50 AM
Harbormaster completed remote builds in B17995: Diff 44201.Aug 11 2017, 12:50 AM
epriestley mentioned this in T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`).Aug 11 2017, 12:54 AM
cspeckmim added a subscriber: cspeckmim.Aug 11 2017, 12:55 AM
Closed by commit rP2c150076b00f: Stop populating or updating working copies in observed Mercurial repositories (authored by epriestley, committed by epriestley). · Explain WhyAug 11 2017, 2:15 AM
This revision was automatically updated to reflect the committed changes.
epriestley added a comment.Aug 11 2017, 2:16 AM

I'm cherry-picking and hotfixing this because you can use an Mercurial repository with a Git or Subversion SSH subrepository to execute the attack across version control systems via hg pull -u. Mercurial does not appear to pass ui.ssh to GIT_SSH so we lose the protection offered by ssh-connect once we cross the VCS boundary.

Revision Contents
Changeset List

PathSize
src/
applications/
repository/
engine/
2 lines

Diff 44203

View Options

src/applications/repository/engine/PhabricatorRepositoryPullEngine.php

Loading...
Phabricator · Built by Phacility