Review comments

Author: spoorcc

CHANGELOG.rst

@@ -15,7 +15,7 @@ Release 0.14.0 (unreleased)
 * Fix ``dfetch add`` crashing with a ``ValueError`` when the remote URL has a trailing slash (#1137)
 * Fix unhelpful error message when a metadata file is malformed (#1145)
 * Fix arbitrary file write via malicious tar/zip symlink (#1152)
-* Prevent ssh command injection (#1152)
+* Prevent SSH command injection (#1152)
 
 Release 0.13.0 (released 2026-03-30)
 ====================================

dfetch/util/ssh.py

@@ -0,0 +1,79 @@
+"""SSH command allowlist validation."""
+
+import os
+import re
+import shlex
+
+_SAFE_SSH_OPTION_KEYS = frozenset(
+    {"StrictHostKeyChecking", "BatchMode", "UserKnownHostsFile"}
+)
+
+_PORT_RE = re.compile(r"^[0-9]{1,5}$")
+
+
+class InvalidSshCommandError(Exception):
+    """Raised when an SSH command string does not pass the allowlist."""
+
+
+def _validate_value_flag(tokens: list[str], i: int, flag: str) -> None:
+    """Raise InvalidSshCommandError if a -i or -p flag or its value is invalid."""
+    if i + 1 >= len(tokens):
+        raise InvalidSshCommandError(f"flag {flag!r} requires a value")
+    if flag == "-p" and not _PORT_RE.match(tokens[i + 1]):
+        raise InvalidSshCommandError("-p requires a numeric port")
+
+
+def _validate_option_flag(tokens: list[str], i: int) -> None:
+    """Raise InvalidSshCommandError if a -o flag or its value is invalid."""
+    if i + 1 >= len(tokens):
+        raise InvalidSshCommandError("-o requires a value")
+    key = tokens[i + 1].split("=", 1)[0]
+    if key not in _SAFE_SSH_OPTION_KEYS:
+        raise InvalidSshCommandError(
+            f"SSH option {tokens[i + 1]!r} is not in the allowed list"
+        )
+
+
+def _validate_ssh_flags(tokens: list[str]) -> None:
+    """Raise InvalidSshCommandError if any flag token after the binary is invalid."""
+    i = 1
+    while i < len(tokens):
+        flag = tokens[i]
+        if flag in ("-i", "-p"):
+            _validate_value_flag(tokens, i, flag)
+            i += 2
+        elif flag == "-o":
+            _validate_option_flag(tokens, i)
+            i += 2
+        else:
+            raise InvalidSshCommandError(f"flag {flag!r} is not allowed")
+
+
+def sanitize_ssh_cmd(ssh_cmd: str) -> str:
+    """Return *ssh_cmd* if it passes the allowlist; raise :exc:`InvalidSshCommandError` otherwise.
+
+    Accepts:
+    * A bare absolute path to an ssh binary (no arguments).
+    * ``ssh`` with a restricted set of flags: ``-i <file>``, ``-p <port>``,
+      ``-o`` with option key in :data:`_SAFE_SSH_OPTION_KEYS`.
+    """
+    try:
+        tokens = shlex.split(ssh_cmd)
+    except ValueError as exc:
+        raise InvalidSshCommandError("cannot parse ssh command") from exc
+
+    if not tokens:
+        raise InvalidSshCommandError("empty ssh command")
+
+    binary = tokens[0]
+
+    if os.path.isabs(binary):
+        if len(tokens) == 1:
+            return ssh_cmd
+        raise InvalidSshCommandError("absolute-path ssh binary may not carry arguments")
+
+    if binary != "ssh":
+        raise InvalidSshCommandError("ssh command must be 'ssh' or an absolute path")
+
+    _validate_ssh_flags(tokens)
+    return ssh_cmd

dfetch/vcs/archive.py

@@ -510,23 +510,21 @@ def _check_no_member_traverses_symlink(members: list[tarfile.TarInfo]) -> None:
         and provides defence-in-depth on newer ones.
 
         Raises:
-            RuntimeError: When a non-symlink member's path passes through a
-                symlink member name.
+            RuntimeError: When a member's path passes through a symlink member
+                name, including symlink-through-symlink chains.
         """
-        symlink_names = {m.name for m in members if m.issym()}
-        if not symlink_names:
-            return
+        symlink_names: set[str] = set()
         for member in members:
-            if member.issym():
-                continue
             parts = pathlib.PurePosixPath(member.name).parts
-            for depth in range(1, len(parts)):
+            for depth in range(1, len(parts) + 1):
                 parent = str(pathlib.PurePosixPath(*parts[:depth]))
                 if parent in symlink_names:
                     raise RuntimeError(
                         f"Archive member {member.name!r} would be written "
                         f"through symlink {parent!r}"
                     )
+            if member.issym():
+                symlink_names.add(str(pathlib.PurePosixPath(member.name)))
 
     @staticmethod
     def _check_tar_members(tf: tarfile.TarFile) -> None:

dfetch/vcs/git.py

@@ -13,6 +13,7 @@
 from dfetch.log import get_logger
 from dfetch.util.cmdline import SubprocessCommandError, run_on_cmdline
 from dfetch.util.license import is_license_file
+from dfetch.util.ssh import InvalidSshCommandError, sanitize_ssh_cmd
 from dfetch.util.util import (
     glob_within_root,
     in_directory,
@@ -29,40 +30,31 @@
 logger = get_logger(__name__)
 
 
-_SHELL_METACHAR_RE = re.compile(r"[;&|`$(){}<>\n\r!]")
-
-
-def _sanitize_ssh_cmd(ssh_cmd: str, source: str) -> str | None:
-    """Return *ssh_cmd* if it is safe to use, otherwise log a warning and return None."""
-    if _SHELL_METACHAR_RE.search(ssh_cmd):
-        logger.warning(
-            "Ignoring %s: contains unsafe shell characters, falling back to 'ssh'",
-            source,
-        )
+def _try_sanitize(source: str, raw: str | None) -> str | None:
+    if not raw:
+        return None
+    try:
+        return sanitize_ssh_cmd(raw)
+    except InvalidSshCommandError as exc:
+        logger.warning("Ignoring %s: %s, falling back to 'ssh'", source, exc)
         return None
-    return ssh_cmd
 
 
 def _build_git_ssh_command() -> str:
     """Returns a safe SSH command string for Git that enforces non-interactive mode.
 
     Respects existing GIT_SSH_COMMAND and git core.sshCommand.
     """
-    raw = os.environ.get("GIT_SSH_COMMAND")
-    ssh_cmd = _sanitize_ssh_cmd(raw, "GIT_SSH_COMMAND") if raw else None
+    ssh_cmd = _try_sanitize("GIT_SSH_COMMAND", os.environ.get("GIT_SSH_COMMAND"))
 
     if not ssh_cmd:
-
         try:
             result = run_on_cmdline(
-                logger,
-                ["git", "config", "--get", "core.sshCommand"],
+                logger, ["git", "config", "--get", "core.sshCommand"]
             )
-            raw_config = result.stdout.decode().strip()
-            ssh_cmd = (
-                _sanitize_ssh_cmd(raw_config, "core.sshCommand") if raw_config else None
+            ssh_cmd = _try_sanitize(
+                "core.sshCommand", result.stdout.decode().strip() or None
             )
-
         except SubprocessCommandError:
             ssh_cmd = None
 

tests/test_archive.py

@@ -358,6 +358,52 @@ def _setup(tf: tarfile.TarFile) -> None:
         _check_tar_members(tf)
 
 
+def test_check_tar_members_rejects_two_step_symlink_attack_dotprefix():
+    """Two-step tar-slip via a ./ prefixed symlink name must be rejected."""
+
+    def _setup(tf: tarfile.TarFile) -> None:
+        _add_symlink(tf, "./project/link", "../../outside")
+        content = b"escaped"
+        info = tarfile.TarInfo("project/link/payload.txt")
+        info.size = len(content)
+        tf.addfile(info, io.BytesIO(content))
+
+    tf = _make_tar_with_member(_setup)
+    with pytest.raises(RuntimeError, match="symlink"):
+        _check_tar_members(tf)
+
+
+def test_check_tar_members_rejects_symlink_chain():
+    """A second symlink whose path passes through an earlier symlink must be rejected."""
+
+    def _setup(tf: tarfile.TarFile) -> None:
+        _add_symlink(tf, "project/link", "../../outside")
+        _add_symlink(tf, "project/link/evil", "../payload")
+
+    tf = _make_tar_with_member(_setup)
+    with pytest.raises(RuntimeError, match="symlink"):
+        _check_tar_members(tf)
+
+
+def test_check_tar_members_rejects_symlink_exact_path_overwrite():
+    """A non-symlink member with the same path as an earlier symlink must be rejected.
+
+    Python's tarfile.extract follows a symlink when writing a file over it, so
+    allowing this would write content to the symlink's (potentially external) target.
+    """
+
+    def _setup(tf: tarfile.TarFile) -> None:
+        _add_symlink(tf, "project/link", "../../outside")
+        content = b"escaped"
+        info = tarfile.TarInfo("project/link")
+        info.size = len(content)
+        tf.addfile(info, io.BytesIO(content))
+
+    tf = _make_tar_with_member(_setup)
+    with pytest.raises(RuntimeError, match="symlink"):
+        _check_tar_members(tf)
+
+
 def test_check_tar_members_allows_file_next_to_symlink():
     """A file sibling to a symlink (not written through it) must be accepted."""
 

tests/test_git_vcs.py

@@ -213,10 +213,10 @@ def test_ls_remote():
             "ssh -i keyfile -o BatchMode=yes",
         ),
         (
-            "git config",
+            "git config with unsupported flag",
             None,
             "ssh -F configfile",
-            "ssh -F configfile -o BatchMode=yes",
+            "ssh -o BatchMode=yes",
         ),
         ("no env or git config", None, None, "ssh -o BatchMode=yes"),
         (
@@ -249,6 +249,24 @@ def test_ls_remote():
             None,
             "ssh -o BatchMode=yes",
         ),
+        (
+            "injection via ProxyCommand option",
+            "ssh -o ProxyCommand=evil",
+            None,
+            "ssh -o BatchMode=yes",
+        ),
+        (
+            "absolute path ssh binary accepted",
+            "/usr/bin/ssh",
+            None,
+            "/usr/bin/ssh -o BatchMode=yes",
+        ),
+        (
+            "absolute path with arguments rejected",
+            "/usr/bin/ssh -F config",
+            None,
+            "ssh -o BatchMode=yes",
+        ),
     ],
 )
 def test_build_git_ssh_command(name, env_ssh, git_config_ssh, expected):
@@ -271,3 +289,8 @@ def test_build_git_ssh_command(name, env_ssh, git_config_ssh, expected):
                     mock_logger.debug.assert_called_once()
                 else:
                     mock_logger.debug.assert_not_called()
+
+                if "injection" in name or "unsupported" in name or "rejected" in name:
+                    mock_logger.warning.assert_called()
+                else:
+                    mock_logger.warning.assert_not_called()