From c1297ffcc2ed3112b6345042af4edb6c839e19e5 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Wed, 21 Oct 2020 22:59:29 -0700
Subject: [PATCH] guard against ambiguious ref attacks in fetch
---
 scripts/fetch | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/scripts/fetch b/scripts/fetch
index 93c7a06..9f58e2b 100755
--- a/scripts/fetch
+++ b/scripts/fetch
@@ -26,6 +26,11 @@ mkdir -p "$build_dir"
 cd $buildroot_dir;
 git checkout "$buildroot_ref";
 git reset --hard;
+ git tag airgap || :
+ current_ref="$(git rev-parse --verify HEAD)"
+ [ "$current_ref" == "$buildroot_ref" ] || {
+ echo "Error: $buildroot_ref was not successfully checked out"; exit 1;
+ }
 if [ "$(ls -A "${buildroot_external}/patches")" ]; then
 for patch in "${buildroot_external}"/patches/*; do
 echo "Applying patch: ${patch}";
@@ -42,6 +47,11 @@ mkdir -p "$build_dir"
 cd "$heads_dir";
 git checkout "$heads_ref";
 git reset --hard;
+ git tag airgap || :
+ current_ref="$(git rev-parse --verify HEAD)"
+ [ "$current_ref" == "$heads_ref" ] || {
+ echo "Error: $heads_ref was not successfully checked out"; exit 1;
+ }
 if [ "$(ls -A "${heads_external}/patches")" ]; then
 for patch in "${heads_external}"/patches/*; do
 echo "Applying patch: ${patch}";
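Review bot: In both hunks `git tag airgap || :` runs before the HEAD comparison, so a checkout that resolved to the wrong commit is still tagged `airgap` before the script exits, and the `|| :` silently keeps a stale `airgap` tag left by an earlier run. Moving the tag below the check, e.g. `git tag airgap "$current_ref" || :` after the closing `}`, would limit it to a verified commit; whether an existing tag should be replaced depends on how `airgap` is consumed, which is not visible here. The comparison only passes when `$buildroot_ref` / `$heads_ref` is a full lowercase commit hash, which deserves a comment such as `# refs must be full commit hashes; anything else fails the check below`, and the error line should go to stderr (`echo "Error: ..." >&2`). The enclosing block starts outside both hunks, so if it is a `( ... )` subshell the `exit 1` ends only that subshell and the caller has to check its status.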