push --signed: tighten what the receiving end can ask to sign

Instead of blindly trusting the receiving side to give us a sensible nonce to sign, limit the length (max 256 bytes) and the alphabet (alnum and a few selected punctuations, enough to encode in base64) that can be used in nonce. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-06-04 22:06:45 +02:00 · 2015-04-01 18:00:36 -07:00 · 2015-04-01 18:00:36 -07:00 · afcb6ee30a
parent 45917f0f99
commit afcb6ee30a
1 changed files with 23 additions and 0 deletions
--- a/send-pack.c
+++ b/send-pack.c
@ -279,6 +279,28 @@ static int generate_push_cert(struct strbuf *req_buf,
 	return update_seen;
 }

+#define NONCE_LEN_LIMIT 256
+
+static void reject_invalid_nonce(const char *nonce, int len)
+{
+	int i = 0;
+
+	if (NONCE_LEN_LIMIT <= len)
+		die("the receiving end asked to sign an invalid nonce <%.*s>",
+		    len, nonce);
+
+	for (i = 0; i < len; i++) {
+		int ch = nonce[i] & 0xFF;
+		if (isalnum(ch) ||
+		    ch == '-' || ch == '.' ||
+		    ch == '/' || ch == '+' ||
+		    ch == '=' || ch == '_')
+			continue;
+		die("the receiving end asked to sign an invalid nonce <%.*s>",
+		    len, nonce);
+	}
+}
+
 int send_pack(struct send_pack_args *args,
 	      int fd[], struct child_process *conn,
 	      struct ref *remote_refs,
@ -321,6 +343,7 @@ int send_pack(struct send_pack_args *args,
 		push_cert_nonce = server_feature_value("push-cert", &len);
 		if (!push_cert_nonce)
 			die(_("the receiving end does not support --signed push"));
+		reject_invalid_nonce(push_cert_nonce, len);
 		push_cert_nonce = xmemdupz(push_cert_nonce, len);
 	}