development/git
development/git
1
0
Fork 0
mirror of https://github.com/git/git synced 2024-11-05 18:59:29 +00:00
Code Issues Projects Releases Packages Wiki Activity
git/builtin
History
Filip Hejsek 9cf8547320 clone: prevent clashing git dirs when cloning submodule in parallel 
While it is expected to have several git dirs within the `.git/modules/`
tree, it is important that they do not interfere with each other. For
example, if one submodule was called "captain" and another submodule
"captain/hooks", their respective git dirs would clash, as they would be
located in `.git/modules/captain/` and `.git/modules/captain/hooks/`,
respectively, i.e. the latter's files could clash with the actual Git
hooks of the former.

To prevent these clashes, and in particular to prevent hooks from being
written and then executed as part of a recursive clone, we introduced
checks as part of the fix for CVE-2019-1387 in a8dee3ca61 (Disallow
dubiously-nested submodule git directories, 2019-10-01).

It is currently possible to bypass the check for clashing submodule
git dirs in two ways:

1. parallel cloning
2. checkout --recurse-submodules

Let's check not only before, but also after parallel cloning (and before
checking out the submodule), that the git dir is not clashing with
another one, otherwise fail. This addresses the parallel cloning issue.

As to the parallel checkout issue: It requires quite a few manual steps
to create clashing git dirs because Git itself would refuse to
initialize the inner one, as demonstrated by the test case.

Nevertheless, let's teach the recursive checkout (namely, the
`submodule_move_head()` function that is used by the recursive checkout)
to be careful to verify that it does not use a clashing git dir, and if
it does, disable it (by deleting the `HEAD` file so that subsequent Git
calls won't recognize it as a git dir anymore).

Note: The parallel cloning test case contains a `cat err` that proved to
be highly useful when analyzing the racy nature of the operation (the
operation can fail with three different error messages, depending on
timing), and was left on purpose to ease future debugging should the
need arise.

Signed-off-by: Filip Hejsek <filip.hejsek@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2024-04-17 22:30:01 +02:00
..
add.c
am.c Merge branch 'rs/am-parse-options-cleanup' into maint-2.39 2023-02-14 14:15:56 -08:00
annotate.c
apply.c
archive.c
bisect--helper.c
blame.c
branch.c
bugreport.c
bundle.c
cat-file.c
check-attr.c
check-ignore.c
check-mailmap.c
check-ref-format.c
checkout--worker.c
checkout-index.c
checkout.c
clean.c
clone.c
column.c
commit-graph.c
commit-tree.c
commit.c
config.c
count-objects.c
credential-cache--daemon.c
credential-cache.c
credential-store.c
credential.c
describe.c
diagnose.c
diff-files.c
diff-index.c
diff-tree.c
diff.c
difftool.c
env--helper.c
fast-export.c
fast-import.c
fetch-pack.c
fetch.c
fmt-merge-msg.c
for-each-ref.c
for-each-repo.c
fsck.c
fsmonitor--daemon.c
gc.c
get-tar-commit-id.c
grep.c
hash-object.c
help.c
hook.c
index-pack.c
init-db.c
interpret-trailers.c
log.c
ls-files.c
ls-remote.c
ls-tree.c
mailinfo.c
mailsplit.c
merge-base.c
merge-file.c
merge-index.c
merge-ours.c
merge-recursive.c
merge-tree.c
merge.c
mktag.c
mktree.c
multi-pack-index.c
mv.c
name-rev.c
notes.c
pack-objects.c
pack-redundant.c
pack-refs.c
patch-id.c
prune-packed.c
prune.c
pull.c
push.c
range-diff.c
read-tree.c
rebase.c
receive-pack.c
reflog.c
remote-ext.c
remote-fd.c
remote.c
repack.c
replace.c
rerere.c
reset.c
rev-list.c
rev-parse.c
revert.c
rm.c
send-pack.c
shortlog.c
show-branch.c
show-index.c
show-ref.c
sparse-checkout.c
stash.c
stripspace.c
submodule--helper.c clone: prevent clashing git dirs when cloning submodule in parallel 2024-04-17 22:30:01 +02:00
symbolic-ref.c
tag.c
unpack-file.c
unpack-objects.c
update-index.c
update-ref.c
update-server-info.c
upload-archive.c
upload-pack.c upload-pack: disable lazy-fetching by default 2024-04-17 22:29:56 +02:00
var.c
verify-commit.c
verify-pack.c
verify-tag.c
worktree.c
write-tree.c