Re: git-patch-id and syntactically significant whitespace
From: Jeff King <hidden>
Date: 2020-02-10 22:24:45
On Mon, Feb 10, 2020 at 11:41:15AM -0500, Konstantin Ryabitsev wrote:
This mostly becomes a problem if we try to build any kind of patch indexing/retrieval systems that rely on patch-id to identify patches. While this is not a high-impact problem by any means, it's not a theoretical concern: git-format-patch includes functionality to provide patch dependencies via prerequisite-patch-id trailers [1]. An automated system attempting to auto-fetch dependencies can potentially retrieve and apply the malicious version of the patch. I'm not sure what the solution here is, since changing git-patch-id to not discard whitespace is obviously going to defeat its entire purpose of "not ever changing". I mostly wanted to share my findings in case someone has thoughts on how to best approach this.
Can't you already have malicious patch-id collisions without the whitespace thing? The patch-id also throws away line numbers, so a patch adding "return 0" in an innocent location could have the same patch-id as one adding it somewhere more dangerous. It's just a question of the context, but there's often enough boilerplate for two functions to look similar. This is occasionally a problem for actual accidental collisions (in patch-ids, but also when merging). I can imagine it's probably not that hard for a determined attacker to make such a case intentionally. -Peff