git/t/t0033-safe-directory.sh

#!/bin/sh

test_description='verify safe.directory checks'

TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh

GIT_TEST_ASSUME_DIFFERENT_OWNER=1
export GIT_TEST_ASSUME_DIFFERENT_OWNER

expect_rejected_dir () {
	test_must_fail git status 2>err &&
	grep "dubious ownership" err
}

test_expect_success 'safe.directory is not set' '
	expect_rejected_dir
'

test_expect_success 'safe.directory on the command line' '
	git -c safe.directory="$(pwd)" status
'

test_expect_success 'safe.directory in the environment' '
	env GIT_CONFIG_COUNT=1 \
	    GIT_CONFIG_KEY_0="safe.directory" \
	    GIT_CONFIG_VALUE_0="$(pwd)" \
	    git status
'

test_expect_success 'safe.directory in GIT_CONFIG_PARAMETERS' '
	env GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \
	    git status
'

test_expect_success 'ignoring safe.directory in repo config' '
	(
		unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&
		git config safe.directory "$(pwd)"
	) &&
	expect_rejected_dir
'

test_expect_success 'safe.directory does not match' '
	git config --global safe.directory bogus &&
	expect_rejected_dir
'

test_expect_success 'path exist as different key' '
	git config --global foo.bar "$(pwd)" &&
	expect_rejected_dir
'

test_expect_success 'safe.directory matches' '
	git config --global --add safe.directory "$(pwd)" &&
	git status
'

test_expect_success 'safe.directory matches, but is reset' '
	git config --global --add safe.directory "" &&
	expect_rejected_dir
'

test_expect_success 'safe.directory=*' '
	git config --global --add safe.directory "*" &&
	git status
'

test_expect_success 'safe.directory=*, but is reset' '
	git config --global --add safe.directory "" &&
	expect_rejected_dir
'

test_expect_success 'safe.directory in included file' '
	cat >gitconfig-include <<-EOF &&
	[safe]
		directory = "$(pwd)"
	EOF
	git config --global --add include.path "$(pwd)/gitconfig-include" &&
	git status
'

test_expect_success 'local clone of unowned repo refused in unsafe directory' '
	test_when_finished "rm -rf source" &&
	git init source &&
	(
		sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&
		test_commit -C source initial
	) &&
	test_must_fail git clone --local source target &&
	test_path_is_missing target
'

test_expect_success 'local clone of unowned repo accepted in safe directory' '
	test_when_finished "rm -rf source" &&
	git init source &&
	(
		sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&
		test_commit -C source initial
	) &&
	test_must_fail git clone --local source target &&
	git config --global --add safe.directory "$(pwd)/source/.git" &&
	git clone --local source target &&
	test_path_is_dir target
'

test_done
t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`#!/bin/sh`

			`test_description='verify safe.directory checks'`

leak tests: mark passing SANITIZE=leak tests as leak-free Mark those remaining tests that pass when run under SANITIZE=leak with TEST_PASSES_SANITIZE_LEAK=true, these were either omitted in f346fcb62a0 (Merge branch 'ab/mark-leak-free-tests-even-more', 2021-12-15) and 5a4f8381b68 (Merge branch 'ab/mark-leak-free-tests', 2021-10-25), or have had their memory leaks fixed since then. With this change there's now a a one-to-one mapping between those tests that we have opted-in via "TEST_PASSES_SANITIZE_LEAK=true", and those that pass with the new "check" mode: GIT_TEST_PASSING_SANITIZE_LEAK=check \ GIT_TEST_SANITIZE_LEAK_LOG=true \ make test SANITIZE=leak Note that the "GIT_TEST_SANITIZE_LEAK_LOG=true" is needed due to the edge cases noted in a preceding commit, i.e. in some cases we'd pass the test itself, but still have outstanding leaks due to ignored exit codes. The "GIT_TEST_SANITIZE_LEAK_LOG=true" corrects for that, we're only marking those tests as passing that really don't have any leaks, whether that was reflected in their exit code or not. Note that the change here to "t9100-git-svn-basic.sh" is marking that test as passing under SANITIZE=leak, we're removing a "TEST_FAILS_SANITIZE_LEAK=true" line, not "TEST_PASSES_SANITIZE_LEAK=true". See 7a98d9ab00d (revisions API: have release_revisions() release "cmdline", 2022-04-13) for the introduction of that t/lib-git-svn.sh-specific variable. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-27 23:13:41 +00:00			`TEST_PASSES_SANITIZE_LEAK=true`
t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`. ./test-lib.sh`

			`GIT_TEST_ASSUME_DIFFERENT_OWNER=1`
			`export GIT_TEST_ASSUME_DIFFERENT_OWNER`

			`expect_rejected_dir () {`
			`test_must_fail git status 2>err &&`
Sync with Git 2.36.2 Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-06-27 19:36:11 +00:00			`grep "dubious ownership" err`
t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`}`

			`test_expect_success 'safe.directory is not set' '`
			`expect_rejected_dir`
			`'`

safe.directory: use git_protected_config() Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected configuration only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. It used to ignore "-c" due to how it was implemented, not because of security or correctness concerns [1]. [1] https://lore.kernel.org/git/xmqqlevabcsu.fsf@gitster.g/ Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14 21:28:00 +00:00			`test_expect_success 'safe.directory on the command line' '`
			`git -c safe.directory="$(pwd)" status`
t0033-safe-directory: check when 'safe.directory' is ignored According to the documentation 'safe.directory' "is only respected when specified in a system or global config, not when it is specified in a repository config or via the command line option -c safe.directory=<path>". Add tests to check that 'safe.directory' in the repository config or on the command line is indeed ignored. Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-27 17:06:48 +00:00			`'`

safe.directory: use git_protected_config() Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected configuration only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. It used to ignore "-c" due to how it was implemented, not because of security or correctness concerns [1]. [1] https://lore.kernel.org/git/xmqqlevabcsu.fsf@gitster.g/ Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14 21:28:00 +00:00			`test_expect_success 'safe.directory in the environment' '`
			`env GIT_CONFIG_COUNT=1 \`
			`GIT_CONFIG_KEY_0="safe.directory" \`
			`GIT_CONFIG_VALUE_0="$(pwd)" \`
			`git status`
safe.directory: document and check that it's ignored in the environment The description of 'safe.directory' mentions that it's respected in the system and global configs, and ignored in the repository config and on the command line, but it doesn't mention whether it's respected or ignored when specified via environment variables (nor does the commit message adding 'safe.directory' [1]). Clarify that 'safe.directory' is ignored when specified in the environment, and add tests to make sure that it remains so. [1] 8959555cee (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-27 17:06:49 +00:00			`'`

safe.directory: use git_protected_config() Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected configuration only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. It used to ignore "-c" due to how it was implemented, not because of security or correctness concerns [1]. [1] https://lore.kernel.org/git/xmqqlevabcsu.fsf@gitster.g/ Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14 21:28:00 +00:00			`test_expect_success 'safe.directory in GIT_CONFIG_PARAMETERS' '`
			`env GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \`
			`git status`
safe.directory: document and check that it's ignored in the environment The description of 'safe.directory' mentions that it's respected in the system and global configs, and ignored in the repository config and on the command line, but it doesn't mention whether it's respected or ignored when specified via environment variables (nor does the commit message adding 'safe.directory' [1]). Clarify that 'safe.directory' is ignored when specified in the environment, and add tests to make sure that it remains so. [1] 8959555cee (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-27 17:06:49 +00:00			`'`

t0033-safe-directory: check when 'safe.directory' is ignored According to the documentation 'safe.directory' "is only respected when specified in a system or global config, not when it is specified in a repository config or via the command line option -c safe.directory=<path>". Add tests to check that 'safe.directory' in the repository config or on the command line is indeed ignored. Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-27 17:06:48 +00:00			`test_expect_success 'ignoring safe.directory in repo config' '`
			`(`
			`unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&`
			`git config safe.directory "$(pwd)"`
			`) &&`
			`expect_rejected_dir`
			`'`

t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`test_expect_success 'safe.directory does not match' '`
			`git config --global safe.directory bogus &&`
			`expect_rejected_dir`
			`'`

setup: fix safe.directory key not being checked It seems that nothing is ever checking to make sure the safe directories in the configs actually have the key safe.directory, so some unrelated config that has a value with a certain directory would also make it a safe directory. Signed-off-by: Matheus Valadares <me@m28.io> Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:30 +00:00			`test_expect_success 'path exist as different key' '`
			`git config --global foo.bar "$(pwd)" &&`
			`expect_rejected_dir`
			`'`

t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`test_expect_success 'safe.directory matches' '`
			`git config --global --add safe.directory "$(pwd)" &&`
			`git status`
			`'`

			`test_expect_success 'safe.directory matches, but is reset' '`
			`git config --global --add safe.directory "" &&`
			`expect_rejected_dir`
			`'`

setup: opt-out of check with safe.directory=* With the addition of the safe.directory in 8959555ce (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) released in v2.35.2, we are receiving feedback from a variety of users about the feature. Some users have a very large list of shared repositories and find it cumbersome to add this config for every one of them. In a more difficult case, certain workflows involve running Git commands within containers. The container boundary prevents any global or system config from communicating `safe.directory` values from the host into the container. Further, the container almost always runs as a different user than the owner of the directory in the host. To simplify the reactions necessary for these users, extend the definition of the safe.directory config value to include a possible '' value. This value implies that all directories are safe, providing a single setting to opt-out of this protection. Note that an empty assignment of safe.directory clears all previous values, and this is already the case with the "if (!value \|\| !value)" condition. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:31 +00:00			`test_expect_success 'safe.directory=*' '`
			`git config --global --add safe.directory "*" &&`
			`git status`
			`'`

			`test_expect_success 'safe.directory=*, but is reset' '`
			`git config --global --add safe.directory "" &&`
			`expect_rejected_dir`
			`'`

config: respect includes in protected config Protected config is implemented by reading a fixed set of paths, which ignores config [include]-s. Replace this implementation with a call to config_with_options(), which handles [include]-s and saves us from duplicating the logic of 1) identifying which paths to read and 2) reading command line config. As a result, git_configset_add_parameters() is unused, so remove it. It was introduced alongside protected config in 5b3c650777 (config: learn `git_protected_config()`, 2022-07-14) as a way to handle command line config. Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-10-13 17:43:47 +00:00			`test_expect_success 'safe.directory in included file' '`
			`cat >gitconfig-include <<-EOF &&`
			`[safe]`
			`directory = "$(pwd)"`
			`EOF`
			`git config --global --add include.path "$(pwd)/gitconfig-include" &&`
			`git status`
			`'`

builtin/clone: refuse local clones of unsafe repositories When performing a local clone of a repository we end up either copying or hardlinking the source repository into the target repository. This is significantly more performant than if we were to use git-upload-pack(1) and git-fetch-pack(1) to create the new repository and preserves both disk space and compute time. Unfortunately though, performing such a local clone of a repository that is not owned by the current user is inherently unsafe: - It is possible that source files get swapped out underneath us while we are copying or hardlinking them. While we do perform some checks here to assert that we hardlinked the expected file, they cannot reliably thwart time-of-check-time-of-use (TOCTOU) style races. It is thus possible for an adversary to make us copy or hardlink unexpected files into the target directory. Ideally, we would address this by starting to use openat(3P), fstatat(3P) and friends. Due to platform compatibility with Windows we cannot easily do that though. Furthermore, the scope of these fixes would likely be quite broad and thus not fit for an embargoed security release. - Even if we handled TOCTOU-style races perfectly, hardlinking files owned by a different user into the target repository is not a good idea in general. It is possible for an adversary to rewrite those files to contain whatever data they want even after the clone has completed. Address these issues by completely refusing local clones of a repository that is not owned by the current user. This reuses our existing infra we have in place via `ensure_valid_ownership()` and thus allows a user to override the safety guard by adding the source repository path to the "safe.directory" configuration. This addresses CVE-2024-32020. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2024-04-15 11:30:41 +00:00			`test_expect_success 'local clone of unowned repo refused in unsafe directory' '`
			`test_when_finished "rm -rf source" &&`
			`git init source &&`
			`(`
			`sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&`
			`test_commit -C source initial`
			`) &&`
			`test_must_fail git clone --local source target &&`
			`test_path_is_missing target`
			`'`

			`test_expect_success 'local clone of unowned repo accepted in safe directory' '`
			`test_when_finished "rm -rf source" &&`
			`git init source &&`
			`(`
			`sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER &&`
			`test_commit -C source initial`
			`) &&`
			`test_must_fail git clone --local source target &&`
			`git config --global --add safe.directory "$(pwd)/source/.git" &&`
			`git clone --local source target &&`
			`test_path_is_dir target`
			`'`

t0033: add tests for safe.directory It is difficult to change the ownership on a directory in our test suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment variable to trick Git into thinking we are in a differently-owned directory. This allows us to test that the config is parsed correctly. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-04-13 15:32:29 +00:00			`test_done`