From 4b25b04c4f6f5a09cd16b59acf1c4d4ed8e59b23 Mon Sep 17 00:00:00 2001
From: Eric Callahan
Date: Thu, 28 Jul 2022 14:35:48 -0400
Subject: [PATCH] git_deploy: refuse recovery if repo is not verified
Close a security hole where an attacker could overwrite an existing repo with any remote and run malicious code through an update.
Signed-off-by: Eric Callahan
---
 moonraker/components/update_manager/git_deploy.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/moonraker/components/update_manager/git_deploy.py b/moonraker/components/update_manager/git_deploy.py
index e145f1e..ac1b0e5 100644
--- a/moonraker/components/update_manager/git_deploy.py
+++ b/moonraker/components/update_manager/git_deploy.py
@@ -284,6 +284,9 @@ class GitRepo:
 'commits_behind', [])
 self.tag_data: Dict[str, Any] = storage.get('tag_data', {})
 self.diverged: bool = storage.get("diverged", False)
+ self.repo_veriified: bool = storage.get(
+ "verified", storage.get("is_valid", False)
+ )
 def get_persistent_data(self) -> Dict[str, Any]:
 return {
@@ -304,7 +307,8 @@ class GitRepo:
 'git_messages': self.git_messages,
 'commits_behind': self.commits_behind,
 'tag_data': self.tag_data,
- 'diverged': self.diverged
+ 'diverged': self.diverged,
+ 'verified': self.repo_veriified
 }
 async def initialize(self, need_fetch: bool = True) -> None:
@@ -622,6 +626,8 @@ class GitRepo:
 invalids.append("Detached HEAD detected")
 if self.diverged:
 invalids.append("Repo has diverged from remote")
+ if not invalids:
+ self.repo_veriified = True
 return invalids
 def _verify_repo(self, check_remote: bool = False) -> None:
@@ -720,6 +726,10 @@ class GitRepo:
 async def clone(self) -> None:
 async with self.git_operation_lock:
+ if not self.repo_veriified:
+ raise self.server.error(
+ "Repo has not been verified, clone aborted"
+ )
 self.cmd_helper.notify_update_response(
 f"Git Repo {self.alias}: Starting Clone Recovery...")
 event_loop = self.server.get_event_loop()
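Review bot: The fallback `storage.get("is_valid", False)` in the constructor treats any repo that an older version stored as valid as already verified, so the new clone guard is only as strong as that legacy flag. A comment such as `# migration: storage written before "verified" existed only carries "is_valid"` would make the intent explicit, and it is worth confirming that `is_valid` was only ever written after the remote URL check had passed. The attribute is also misspelled `repo_veriified` here and in the other three hunks; because the persisted key is `'verified'`, renaming it to `repo_verified` would not affect stored data. The constructor starts outside the hunk.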
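Review bot: `self.repo_veriified = True` in `report_invalids` latches the flag, and nothing in the visible hunks clears it or ties it to the remote that passed verification. If the configured origin of an already verified repo is changed later, the persisted `'verified': True` would presumably still let `clone()` run against the new remote, which is the case the commit message sets out to close. Consider persisting the origin URL that passed verification and comparing it in `clone()`, rather than storing a bare boolean. Setting state inside a method named `report_invalids` is also easy to miss, so a short comment on that side effect would help. The method starts outside the hunk.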
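Review bot: The refusal in `clone()` is raised without the repo alias and, as far as the hunk shows, without a log entry, so a blocked recovery attempt gives the operator little to investigate. Matching the format of the message that follows would help, e.g. `f"Git Repo {self.alias}: repo has not been verified, clone aborted"`, together with a log line before the raise. The guard covers `clone()` only; if other recovery paths replace the working tree from the remote they would need the same check, which cannot be confirmed from this hunk. The body of `clone()` continues past the hunk.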