| 309 | } |
| 310 | |
| 311 | int check_submodule_url(const char *url) |
| 312 | { |
| 313 | const char *curl_url; |
| 314 | |
| 315 | if (looks_like_command_line_option(url)) |
| 316 | return -1; |
| 317 | |
| 318 | if (submodule_url_is_relative(url) || starts_with(url, "git://")) { |
| 319 | char *decoded; |
| 320 | const char *next; |
| 321 | int has_nl; |
| 322 | |
| 323 | /* |
| 324 | * This could be appended to an http URL and url-decoded; |
| 325 | * check for malicious characters. |
| 326 | */ |
| 327 | decoded = url_decode(url); |
| 328 | has_nl = !!strchr(decoded, '\n'); |
| 329 | |
| 330 | free(decoded); |
| 331 | if (has_nl) |
| 332 | return -1; |
| 333 | |
| 334 | /* |
| 335 | * URLs which escape their root via "../" can overwrite |
| 336 | * the host field and previous components, resolving to |
| 337 | * URLs like https::example.com/submodule.git and |
| 338 | * https:///example.com/submodule.git that were |
| 339 | * susceptible to CVE-2020-11008. |
| 340 | */ |
| 341 | if (count_leading_dotdots(url, &next) > 0 && |
| 342 | (*next == ':' || *next == '/')) |
| 343 | return -1; |
| 344 | } |
| 345 | |
| 346 | else if (url_to_curl_url(url, &curl_url)) { |
| 347 | int ret = 0; |
| 348 | char *normalized = url_normalize(curl_url, NULL); |
| 349 | if (normalized) { |
| 350 | char *decoded = url_decode(normalized); |
| 351 | if (strchr(decoded, '\n')) |
| 352 | ret = -1; |
| 353 | free(normalized); |
| 354 | free(decoded); |
| 355 | } else { |
| 356 | ret = -1; |
| 357 | } |
| 358 | |
| 359 | return ret; |
| 360 | } |
| 361 | |
| 362 | return 0; |
| 363 | } |
| 364 | |
| 365 | static int name_and_item_from_var(const char *var, struct strbuf *name, |
| 366 | struct strbuf *item) |
no test coverage detected