MCPcopy Create free account
hub / github.com/git/git / check_submodule_url

Function check_submodule_url

submodule-config.c:311–363  ·  view source on GitHub ↗

Source from the content-addressed store, hash-verified

309}
310
311int check_submodule_url(const char *url)
312{
313 const char *curl_url;
314
315 if (looks_like_command_line_option(url))
316 return -1;
317
318 if (submodule_url_is_relative(url) || starts_with(url, "git://")) {
319 char *decoded;
320 const char *next;
321 int has_nl;
322
323 /*
324 * This could be appended to an http URL and url-decoded;
325 * check for malicious characters.
326 */
327 decoded = url_decode(url);
328 has_nl = !!strchr(decoded, '\n');
329
330 free(decoded);
331 if (has_nl)
332 return -1;
333
334 /*
335 * URLs which escape their root via "../" can overwrite
336 * the host field and previous components, resolving to
337 * URLs like https::example.com/submodule.git and
338 * https:///example.com/submodule.git that were
339 * susceptible to CVE-2020-11008.
340 */
341 if (count_leading_dotdots(url, &next) > 0 &&
342 (*next == ':' || *next == '/'))
343 return -1;
344 }
345
346 else if (url_to_curl_url(url, &curl_url)) {
347 int ret = 0;
348 char *normalized = url_normalize(curl_url, NULL);
349 if (normalized) {
350 char *decoded = url_decode(normalized);
351 if (strchr(decoded, '\n'))
352 ret = -1;
353 free(normalized);
354 free(decoded);
355 } else {
356 ret = -1;
357 }
358
359 return ret;
360 }
361
362 return 0;
363}
364
365static int name_and_item_from_var(const char *var, struct strbuf *name,
366 struct strbuf *item)

Callers 1

fsck_gitmodules_fnFunction · 0.85

Calls 7

starts_withFunction · 0.85
url_decodeFunction · 0.85
count_leading_dotdotsFunction · 0.85
url_to_curl_urlFunction · 0.85
url_normalizeFunction · 0.85

Tested by

no test coverage detected