symlink behaviour?


symlink behaviour?

Jeroen De Vlieger
Hi,

I recently learned of the nice symlink behaviour in rsync, more specifically the distinction between safe and unsafe  symlinks.

>  Symbolic links are considered unsafe if they are :
>    absolute symlinks (start with /),
>    empty, or
>    if they contain enough “..”  components to ascend from the directory being copied.   


Does mercurial also support a similar notion of safe and unsafe symlinks?
I.e. symlinks that point to files not in the repository?


'hg help add' doesn't mention it and I don't really find any documentation regarding this.
Or any other *official* documentation with respect to symlink behaviour.

The only information that I did find was in revision messages and some bug reports, but they didn't really clear the confusion for me.

with kind regards,

Jeroen


_______________________________________________
Mercurial mailing list
[hidden email]
http://selenic.com/mailman/listinfo/mercurial

Re: symlink behaviour?

Jeroen De Vlieger
A small test didn't really report anything when creating unsafe symlinks :-(

example:

% cd /tmp
% mkdir testHgsymlinkbehaviour
% cd testHgsymlinkbehaviour
% touch fileA
% mkdir hgrepo
% cd hgrepo
% hg init
% touch fileB
% hg add
adding fileB
% hg ci -m ' commit 1 '

% ln -s fileB symlinkToB
% ln -s ../fileA symlinkToExternalFileA

% hg add
% hg st
A symlinkToB
A symlinkToExternalFileA
% hg ci -m "added some symlinks"
 symlinkToB             |  1 +
 symlinkToExternalFileA |  1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

% cd ../
% hg clone --pull hgrepo pulledRepo
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 3 changes to 3 files
updating to branch default
3 files updated, 0 files merged, 0 files removed, 0 files unresolved
jeroendv@zadeh /tmp/testHgsymlinkbehaviour % cd pulledRepo
% ls -l
total 0
-rw-rw-r-- 1 jeroendv jeroendv 0 2012-01-06 13:23 fileB
lrwxrwxrwx 1 jeroendv jeroendv 5 2012-01-06 13:23 symlinkToB -> fileB
lrwxrwxrwx 1 jeroendv jeroendv 8 2012-01-06 13:23 symlinkToExternalFileA -> ../fileA

Jeroen


On Fri, Jan 6, 2012 at 1:49 PM, Jeroen De Vlieger <[hidden email]> wrote:
Hi,

I recently learned of the nice symlink behaviour in rsync, more specifically the distinction between safe and unsafe  symlinks.

>  Symbolic links are considered unsafe if they are :
>    absolute symlinks (start with /),
>    empty, or
>    if they contain enough “..”  components to ascend from the directory being copied.   


Does mercurial also support a similar notion of safe and unsafe symlinks?
I.e. symlinks that point to files not in the repository?


'hg help add' doesn't mention it and I don't really find any documentation regarding this.
Or any other *official* documentation with respect to symlink behaviour.

The only information that I did find was in revision messages and some bug reports, but they didn't really clear the confusion for me.

with kind regards,

Jeroen




Re: symlink behaviour?

Matt Mackall
In reply to this post by Jeroen De Vlieger
On Fri, 2012-01-06 at 13:49 +0100, Jeroen De Vlieger wrote:

> Hi,
>
> I recently learned of the nice symlink behaviour in rsync, more
> specifically the distinction between safe and unsafe  symlinks.
>
> >  Symbolic links are considered unsafe if they are :
> >    absolute symlinks (start with /),
> >    empty, or
> >    if they contain enough “..”  components to ascend from the directory
> being copied.
>
>
> Does mercurial also support a similar notion of safe and unsafe symlinks?
> I.e. symlinks that point to files not in the repository?

No, we support a completely different notion of safe and unsafe links.

First, consider that the primary purpose of Mercurial is to distribute
source code across the internet. If you -run- untrusted source code, any
security measure we could possibly create is instantly irrelevant. Once
you type 'make', it's game over.

So that limits Mercurial's security scope to things like allowing users
to safely check out and inspect code before running it. For instance, we
take care to avoid traversing symlinks when checking out files, as that
could allow a hostile repo to install hostile hooks on checkout.

Here's the core of our path auditing rules:

http://www.selenic.com/hg/file/f15c646bffc7/mercurial/scmutil.py#l61

--
Mathematics is the supreme nostalgia of our time.



Re: symlink behaviour?

Jeroen De Vlieger
On Fri, Jan 6, 2012 at 10:16 PM, Matt Mackall <[hidden email]> wrote:

> On Fri, 2012-01-06 at 13:49 +0100, Jeroen De Vlieger wrote:
>> Hi,
>>
>> I recently learned of the nice symlink behaviour in rsync, more
>> specifically the distinction between safe and unsafe  symlinks.
>>
>> >  Symbolic links are considered unsafe if they are :
>> >    absolute symlinks (start with /),
>> >    empty, or
>> >    if they contain enough “..”  components to ascend from the directory
>> being copied.
>>
>>
>> Does mercurial also support a similar notion of safe and unsafe symlinks?
>> I.e. symlinks that point to files not in the repository?
>
> No, we support a completely different notion of safe and unsafe links.
>
> First, consider that the primary purpose of Mercurial is to distribute
> source code across the internet. If you -run- untrusted source code, any
> security measure we could possibly create is instantly irrelevant. Once
> you type 'make', it's game over.
>
> So that limits Mercurial's security scope to things like allowing users
> to safely check out and inspect code before running it. For instance, we
> take care to avoid traversing symlinks when checking out files, as that
> could allow a hostile repo to install hostile hooks on checkout.
>
> Here's the core of our path auditing rules:
>
> http://www.selenic.com/hg/file/f15c646bffc7/mercurial/scmutil.py#l61
>
>

Thanks for the fast response,

Would it make sense to print a 'warning'  if the user tries to add a
symlink that doesn't point to a file in the same repo?

I would argue that it would help to keep your project local, meaning
that a simple archive would actually contain the complete working
project. Which is not the case if your project contains symlinks to
external files. It *would* make sense for my -admittedly small-
personal projects. I don't really have a lot of experience with large
scale projects with lots of contributors though :-s


Jeroen

Re: symlink behaviour?

Matt Mackall
On Sun, Jan 08, 2012 at 09:00:52AM +0100, Jeroen De Vlieger wrote:

> On Fri, Jan 6, 2012 at 10:16 PM, Matt Mackall <[hidden email]> wrote:
> > On Fri, 2012-01-06 at 13:49 +0100, Jeroen De Vlieger wrote:
> >> Hi,
> >>
> >> I recently learned of the nice symlink behaviour in rsync, more
> >> specifically the distinction between safe and unsafe  symlinks.
> >>
> >> >  Symbolic links are considered unsafe if they are :
> >> >    absolute symlinks (start with /),
> >> >    empty, or
> >> >    if they contain enough “..”  components to ascend from the directory
> >> being copied.
> >>
> >>
> >> Does mercurial also support a similar notion of safe and unsafe symlinks?
> >> I.e. symlinks that point to files not in the repository?
> >
> > No, we support a completely different notion of safe and unsafe links.
> >
> > First, consider that the primary purpose of Mercurial is to distribute
> > source code across the internet. If you -run- untrusted source code, any
> > security measure we could possibly create is instantly irrelevant. Once
> > you type 'make', it's game over.
> >
> > So that limits Mercurial's security scope to things like allowing users
> > to safely check out and inspect code before running it. For instance, we
> > take care to avoid traversing symlinks when checking out files, as that
> > could allow a hostile repo to install hostile hooks on checkout.
> >
> > Here's the core of our path auditing rules:
> >
> > http://www.selenic.com/hg/file/f15c646bffc7/mercurial/scmutil.py#l61
>
> Thanks for the fast response,
>
> Would it make sense to print a 'warning'  if the user tries to add a
> symlink that doesn't point to a file in the same repo?
>
> I would argue that it would help to keep your project local, meaning
> that a simple archive would actually contain the complete working
> project. Which is not the case if your project contains symlinks to
> external files. It *would* make sense for my -admittedly small-
> personal projects. I don't really have a lot of experience with large
> scale projects with lots of contributors though :-s

Probably not. There are no doubt tons of people using symlinks outside
their tree, especially with people versioning their home directory or
/etc directories.

--
Mathematics is the supreme nostalgia of our time.
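
Added example, not part of the original thread and not Mercurial's or rsync's own code: a Python check that applies the three rules quoted in the first message (absolute, empty, enough ".." components to ascend) to the symlinks in a working directory, which is the kind of warning asked about above. The names unsafe_reason, audit_tree and demo are made up for this sketch; demo rebuilds the layout from the test in the second message inside a temporary directory.

```python
import os
import posixpath
import tempfile

def unsafe_reason(link_path, target):
    """Reason `target` is unsafe for a link at root-relative `link_path`, else None."""
    if target == "":
        return "empty"
    if target.startswith("/"):
        return "absolute"
    depth = posixpath.normpath(link_path).count("/")  # depth of the link's directory
    for comp in target.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            depth -= 1
            if depth < 0:
                return "ascends above root"
        else:
            depth += 1
    return None

def audit_tree(root):
    """Map root-relative symlink paths to the reason they are unsafe."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".hg"]  # skip repo metadata
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                reason = unsafe_reason(rel, os.readlink(full))
                if reason:
                    findings[rel] = reason
    return findings

def demo():
    """Constructed sample: fileA outside the repo, fileB and two links inside."""
    with tempfile.TemporaryDirectory() as top:
        repo = os.path.join(top, "hgrepo")
        os.mkdir(repo)
        open(os.path.join(top, "fileA"), "w").close()
        open(os.path.join(repo, "fileB"), "w").close()
        os.symlink("fileB", os.path.join(repo, "symlinkToB"))
        os.symlink("../fileA", os.path.join(repo, "symlinkToExternalFileA"))
        return audit_tree(repo)

if __name__ == "__main__":
    print(demo())
```

The check is purely lexical: it does not resolve target components that are themselves symlinks, and it is separate from the checkout-time path auditing in scmutil.py linked in the thread.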