# HG changeset patch
# User Mads Kiilerich
# Date 1605817991 -3600
# Node ID a8a51a3bdb6181e498a862f84eb2d50928330a68
# Parent 3ea3d3a2b3e32a994307b24ebfe04ead1d40e044
git: disallow odd characters in path of git:// URLs
Mitigate https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf until the problem is fixed properly in Git. The checks might be more strict than necessary but should not have any impact on real world use cases. Thanks to stypr of Flatt Security for raising this.
diff -r 3ea3d3a2b3e3 -r a8a51a3bdb61 kallithea/lib/vcs/backends/git/repository.py
--- a/kallithea/lib/vcs/backends/git/repository.py Sun Nov 22 01:32:23 2020 +0100
+++ b/kallithea/lib/vcs/backends/git/repository.py Thu Nov 19 21:33:11 2020 +0100
@@ -163,6 +163,18 @@
 return True
 if url.startswith('git://'):
+ try:
+ _git_colon, _empty, _host, path = url.split('/', 3)
+ except ValueError:
+ raise urllib.error.URLError("Invalid URL: %r" % url)
+ # Mitigate problems elsewhere with incorrect handling of encoded paths.
+ # Don't trust urllib.parse.unquote but be prepared for more flexible implementations elsewhere.
+ # Space is the only allowed whitespace character - directly or % encoded. No other % or \ is allowed.
+ for c in path.replace('%20', ' '):
+ if c in '%\\':
+ raise urllib.error.URLError("Invalid escape character in path: '%s'" % c)
+ if c.isspace() and c != ' ':
+ raise urllib.error.URLError("Invalid whitespace character in path: %r" % c)
 return True
 if not url.startswith('http://') and not url.startswith('https://'):