1 /*
2  * Copyright (c) 2018, 2019 Ori Bernstein <ori@openbsd.org>
3  * Copyright (c) 2021 Stefan Sperling <stsp@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "got_compat.h"
19 
20 #include <sys/queue.h>
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <netdb.h>
24 
25 #include <assert.h>
26 #include <err.h>
27 #include <limits.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <unistd.h>
32 
33 #include "got_error.h"
34 #include "got_path.h"
35 
36 #include "got_compat.h"
37 
38 #include "got_lib_dial.h"
39 #include "got_dial.h"
40 
41 #ifndef nitems
42 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
43 #endif
44 
45 #ifndef ssizeof
46 #define ssizeof(_x) ((ssize_t)(sizeof(_x)))
47 #endif
48 
49 #ifndef MIN
50 #define	MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
51 #endif
52 
53 #ifndef GOT_DIAL_PATH_SSH
54 #define GOT_DIAL_PATH_SSH	"/usr/bin/ssh"
55 #endif
56 
57 /* IANA assigned */
58 #define GOT_DEFAULT_GIT_PORT		9418
59 #define GOT_DEFAULT_GIT_PORT_STR	"9418"
60 
61 const struct got_error *
62 got_dial_apply_unveil(const char *proto)
63 {
64 	if (strcmp(proto, "git+ssh") == 0 || strcmp(proto, "ssh") == 0) {
65 		if (unveil(GOT_DIAL_PATH_SSH, "x") != 0) {
66 			return got_error_from_errno2("unveil",
67 			    GOT_DIAL_PATH_SSH);
68 		}
69 	}
70 
71 	return NULL;
72 }
73 
74 static int
75 hassuffix(const char *base, const char *suf)
76 {
77 	int nb, ns;
78 
79 	nb = strlen(base);
80 	ns = strlen(suf);
81 	if (ns <= nb && strcmp(base + (nb - ns), suf) == 0)
82 		return 1;
83 	return 0;
84 }
85 
86 const struct got_error *
87 got_dial_parse_uri(char **proto, char **host, char **port,
88     char **server_path, char **repo_name, const char *uri)
89 {
90 	const struct got_error *err = NULL;
91 	char *s, *p, *q;
92 
93 	*proto = *host = *port = *server_path = *repo_name = NULL;
94 
95 	p = strstr(uri, "://");
96 	if (!p) {
97 		/* Try parsing Git's "scp" style URL syntax. */
98 		*proto = strdup("ssh");
99 		if (*proto == NULL) {
100 			err = got_error_from_errno("strdup");
101 			goto done;
102 		}
103 		s = (char *)uri;
104 		q = strchr(s, ':');
105 		if (q == NULL) {
106 			err = got_error(GOT_ERR_PARSE_URI);
107 			goto done;
108 		}
109 		/* No slashes allowed before first colon. */
110 		p = strchr(s, '/');
111 		if (p && q > p) {
112 			err = got_error(GOT_ERR_PARSE_URI);
113 			goto done;
114 		}
115 		*host = strndup(s, q - s);
116 		if (*host == NULL) {
117 			err = got_error_from_errno("strndup");
118 			goto done;
119 		}
120 		if ((*host)[0] == '\0') {
121 			err = got_error(GOT_ERR_PARSE_URI);
122 			goto done;
123 		}
124 		p = q + 1;
125 	} else {
126 		*proto = strndup(uri, p - uri);
127 		if (*proto == NULL) {
128 			err = got_error_from_errno("strndup");
129 			goto done;
130 		}
131 		s = p + 3;
132 
133 		p = strstr(s, "/");
134 		if (p == NULL || strlen(p) == 1) {
135 			err = got_error(GOT_ERR_PARSE_URI);
136 			goto done;
137 		}
138 
139 		q = memchr(s, ':', p - s);
140 		if (q) {
141 			*host = strndup(s, q - s);
142 			if (*host == NULL) {
143 				err = got_error_from_errno("strndup");
144 				goto done;
145 			}
146 			if ((*host)[0] == '\0') {
147 				err = got_error(GOT_ERR_PARSE_URI);
148 				goto done;
149 			}
150 			*port = strndup(q + 1, p - (q + 1));
151 			if (*port == NULL) {
152 				err = got_error_from_errno("strndup");
153 				goto done;
154 			}
155 			if ((*port)[0] == '\0') {
156 				err = got_error(GOT_ERR_PARSE_URI);
157 				goto done;
158 			}
159 		} else {
160 			*host = strndup(s, p - s);
161 			if (*host == NULL) {
162 				err = got_error_from_errno("strndup");
163 				goto done;
164 			}
165 			if ((*host)[0] == '\0') {
166 				err = got_error(GOT_ERR_PARSE_URI);
167 				goto done;
168 			}
169 		}
170 	}
171 
172 	while (p[0] == '/' && p[1] == '/')
173 		p++;
174 	*server_path = strdup(p);
175 	if (*server_path == NULL) {
176 		err = got_error_from_errno("strdup");
177 		goto done;
178 	}
179 	got_path_strip_trailing_slashes(*server_path);
180 	if ((*server_path)[0] == '\0') {
181 		err = got_error(GOT_ERR_PARSE_URI);
182 		goto done;
183 	}
184 
185 	err = got_path_basename(repo_name, *server_path);
186 	if (err)
187 		goto done;
188 	if (hassuffix(*repo_name, ".git"))
189 		(*repo_name)[strlen(*repo_name) - 4] = '\0';
190 	if ((*repo_name)[0] == '\0')
191 		err = got_error(GOT_ERR_PARSE_URI);
192 done:
193 	if (err) {
194 		free(*proto);
195 		*proto = NULL;
196 		free(*host);
197 		*host = NULL;
198 		free(*port);
199 		*port = NULL;
200 		free(*server_path);
201 		*server_path = NULL;
202 		free(*repo_name);
203 		*repo_name = NULL;
204 	}
205 	return err;
206 }
207 
208 /*
209  * Escape a given path for the shell which will be started by sshd.
210  * In particular, git-shell is known to require single-quote characters
211  * around its repository path argument and will refuse to run otherwise.
212  */
213 static const struct got_error *
214 escape_path(char *buf, size_t bufsize, const char *path)
215 {
216 	const char	*p;
217 	char		*q;
218 
219 	p = path;
220 	q = buf;
221 
222 	if (bufsize > 1)
223 		*q++ = '\'';
224 
225 	while (*p != '\0' && (q - buf < bufsize)) {
226 		/* git escapes ! too */
227 		if (*p != '\'' && *p != '!') {
228 			*q++ = *p++;
229 			continue;
230 		}
231 
232 		if (q - buf + 4 >= bufsize)
233 			break;
234 		*q++ = '\'';
235 		*q++ = '\\';
236 		*q++ = *p++;
237 		*q++ = '\'';
238 	}
239 
240 	if (*p == '\0' && (q - buf + 1 < bufsize)) {
241 		*q++ = '\'';
242 		*q = '\0';
243 		return NULL;
244 	}
245 
246 	return got_error_fmt(GOT_ERR_NO_SPACE, "overlong path: %s", path);
247 }
248 
249 const struct got_error *
250 got_dial_ssh(pid_t *newpid, int *newfd, const char *host,
251     const char *port, const char *path, const char *command, int verbosity)
252 {
253 	const struct got_error *error = NULL;
254 	int pid, pfd[2];
255 	char cmd[64];
256 	char escaped_path[PATH_MAX];
257 	const char *argv[11];
258 	int i = 0, j;
259 
260 	*newpid = -1;
261 	*newfd = -1;
262 
263 	error = escape_path(escaped_path, sizeof(escaped_path), path);
264 	if (error)
265 		return error;
266 
267 	argv[i++] = GOT_DIAL_PATH_SSH;
268 	if (port != NULL) {
269 		argv[i++] = "-p";
270 		argv[i++] = (char *)port;
271 	}
272 	if (verbosity == -1) {
273 		argv[i++] = "-q";
274 	} else {
275 		/* ssh(1) allows up to 3 "-v" options. */
276 		for (j = 0; j < MIN(3, verbosity); j++)
277 			argv[i++] = "-v";
278 	}
279 	argv[i++] = "--";
280 	argv[i++] = (char *)host;
281 	argv[i++] = (char *)cmd;
282 	argv[i++] = (char *)escaped_path;
283 	argv[i++] = NULL;
284 	assert(i <= nitems(argv));
285 
286 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pfd) == -1)
287 		return got_error_from_errno("socketpair");
288 
289 	pid = fork();
290 	if (pid == -1) {
291 		error = got_error_from_errno("fork");
292 		close(pfd[0]);
293 		close(pfd[1]);
294 		return error;
295 	} else if (pid == 0) {
296 		if (close(pfd[1]) == -1)
297 			err(1, "close");
298 		if (dup2(pfd[0], 0) == -1)
299 			err(1, "dup2");
300 		if (dup2(pfd[0], 1) == -1)
301 			err(1, "dup2");
302 		if (strlcpy(cmd, command, sizeof(cmd)) >= sizeof(cmd))
303 			err(1, "snprintf");
304 		if (execv(GOT_DIAL_PATH_SSH, (char *const *)argv) == -1)
305 			err(1, "execv %s", GOT_DIAL_PATH_SSH);
306 		abort(); /* not reached */
307 	} else {
308 		if (close(pfd[0]) == -1)
309 			return got_error_from_errno("close");
310 		*newpid = pid;
311 		*newfd = pfd[1];
312 		return NULL;
313 	}
314 }
315 
316 const struct got_error *
317 got_dial_git(int *newfd, const char *host, const char *port,
318     const char *path, const char *command)
319 {
320 	const struct got_error *err = NULL;
321 	struct addrinfo hints, *servinfo, *p;
322 	char *cmd = NULL;
323 	int fd = -1, len, r, eaicode;
324 
325 	*newfd = -1;
326 
327 	if (port == NULL)
328 		port = GOT_DEFAULT_GIT_PORT_STR;
329 
330 	memset(&hints, 0, sizeof hints);
331 	hints.ai_family = AF_UNSPEC;
332 	hints.ai_socktype = SOCK_STREAM;
333 	eaicode = getaddrinfo(host, port, &hints, &servinfo);
334 	if (eaicode) {
335 		char msg[512];
336 		snprintf(msg, sizeof(msg), "%s: %s", host,
337 		    gai_strerror(eaicode));
338 		return got_error_msg(GOT_ERR_ADDRINFO, msg);
339 	}
340 
341 	for (p = servinfo; p != NULL; p = p->ai_next) {
342 		if ((fd = socket(p->ai_family, p->ai_socktype,
343 		    p->ai_protocol)) == -1)
344 			continue;
345 		if (connect(fd, p->ai_addr, p->ai_addrlen) == 0) {
346 			err = NULL;
347 			break;
348 		}
349 		err = got_error_from_errno("connect");
350 		close(fd);
351 	}
352 	freeaddrinfo(servinfo);
353 	if (p == NULL)
354 		goto done;
355 
356 	if (asprintf(&cmd, "%s %s", command, path) == -1) {
357 		err = got_error_from_errno("asprintf");
358 		goto done;
359 	}
360 	len = 4 + strlen(cmd) + 1 + strlen("host=") + strlen(host) + 1;
361 	r = dprintf(fd, "%04x%s%chost=%s%c", len, cmd, '\0', host, '\0');
362 	if (r < 0)
363 		err = got_error_from_errno("dprintf");
364 done:
365 	free(cmd);
366 	if (err) {
367 		if (fd != -1)
368 			close(fd);
369 	} else
370 		*newfd = fd;
371 	return err;
372 }
373 
374 const struct got_error *
375 got_dial_parse_command(char **command, char **repo_path, const char *gitcmd)
376 {
377 	const struct got_error *err = NULL;
378 	size_t len, cmdlen, pathlen;
379 	char *path0 = NULL, *path, *abspath = NULL, *canonpath = NULL;
380 	const char *relpath;
381 
382 	*command = NULL;
383 	*repo_path = NULL;
384 
385 	len = strlen(gitcmd);
386 
387 	if (len >= strlen(GOT_DIAL_CMD_SEND) &&
388 	    strncmp(gitcmd, GOT_DIAL_CMD_SEND,
389 	    strlen(GOT_DIAL_CMD_SEND)) == 0)
390 		cmdlen = strlen(GOT_DIAL_CMD_SEND);
391 	else if (len >= strlen(GOT_DIAL_CMD_FETCH) &&
392 	    strncmp(gitcmd, GOT_DIAL_CMD_FETCH,
393 	    strlen(GOT_DIAL_CMD_FETCH)) == 0)
394 		cmdlen = strlen(GOT_DIAL_CMD_FETCH);
395 	else
396 		return got_error(GOT_ERR_BAD_PACKET);
397 
398 	if (len <= cmdlen + 1 || gitcmd[cmdlen] != ' ')
399 		return got_error(GOT_ERR_BAD_PACKET);
400 
401 	if (memchr(&gitcmd[cmdlen + 1], '\0', len - cmdlen) == NULL)
402 		return got_error(GOT_ERR_BAD_PATH);
403 
404 	/* Forbid linefeeds in paths, like Git does. */
405 	if (memchr(&gitcmd[cmdlen + 1], '\n', len - cmdlen) != NULL)
406 		return got_error(GOT_ERR_BAD_PATH);
407 
408 	path0 = strdup(&gitcmd[cmdlen + 1]);
409 	if (path0 == NULL)
410 		return got_error_from_errno("strdup");
411 	path = path0;
412 	pathlen = strlen(path);
413 
414 	/*
415 	 * Git clients send a shell command.
416 	 * Trim spaces and quotes around the path.
417 	 */
418 	while (path[0] == '\'' || path[0] == '\"' || path[0] == ' ') {
419 		path++;
420 		pathlen--;
421 	}
422 	while (pathlen > 0 &&
423 	    (path[pathlen - 1] == '\'' || path[pathlen - 1] == '\"' ||
424 	    path[pathlen - 1] == ' ')) {
425 		path[pathlen - 1] = '\0';
426 		pathlen--;
427 	}
428 
429 	/* Deny an empty repository path. */
430 	if (path[0] == '\0' || got_path_is_root_dir(path)) {
431 		err = got_error(GOT_ERR_NOT_GIT_REPO);
432 		goto done;
433 	}
434 
435 	if (asprintf(&abspath, "/%s", path) == -1) {
436 		err = got_error_from_errno("asprintf");
437 		goto done;
438 	}
439 	pathlen = strlen(abspath);
440 	canonpath = malloc(pathlen + 1);
441 	if (canonpath == NULL) {
442 		err = got_error_from_errno("malloc");
443 		goto done;
444 	}
445 	err = got_canonpath(abspath, canonpath, pathlen + 1);
446 	if (err)
447 		goto done;
448 
449 	relpath = canonpath;
450 	while (relpath[0] == '/')
451 		relpath++;
452 	*repo_path = strdup(relpath);
453 	if (*repo_path == NULL) {
454 		err = got_error_from_errno("strdup");
455 		goto done;
456 	}
457 	*command = strndup(gitcmd, cmdlen);
458 	if (*command == NULL)
459 		err = got_error_from_errno("strndup");
460 done:
461 	free(path0);
462 	free(abspath);
463 	free(canonpath);
464 	if (err) {
465 		free(*repo_path);
466 		*repo_path = NULL;
467 	}
468 	return err;
469 }