mirror of
https://github.com/git/git
synced 2024-07-17 11:07:55 +00:00
30b7c4bdca
Setting the safe.bareRepository configuration variable to explicit
stops git from using a bare repository, unless the repository is
explicitly specified, either by the "--git-dir=<path>" command line
option, or by exporting $GIT_DIR environment variable. This may be
a reasonable measure to safeguard users from accidentally straying
into a bare repository in unexpected places, but often gets in the
way of users who need valid accesses to the repository.
Earlier, 45bb9162 (setup: allow cwd=.git w/ bareRepository=explicit,
2024-01-20) loosened the rule such that being inside the ".git"
directory of a non-bare repository does not really count as
accessing a "bare" repository. The reason why such a loosening is
needed is because often hooks and third-party tools run from within
$GIT_DIR while working with a non-bare repository.
More importantly, the reason why this is safe is because a directory
whose contents look like that of a "bare" repository cannot be a
bare repository that came embedded within a checkout of a malicious
project, as long as its directory name is ".git", because ".git" is
not a name allowed for a directory in payload.
There are at least two other cases where tools have to work in a
bare-repository looking directory that is not an embedded bare
repository, and accesses to them are still not allowed by the recent
change.
- A secondary worktree (whose name is $name) has its $GIT_DIR
inside "worktrees/$name/" subdirectory of the $GIT_DIR of the
primary worktree of the same repository.
- A submodule worktree (whose name is $name) has its $GIT_DIR
inside "modules/$name/" subdirectory of the $GIT_DIR of its
superproject.
As long as the primary worktree or the superproject in these cases
are not bare, the pathname of these "looks like bare but not really"
directories will have "/.git/worktrees/" and "/.git/modules/" as a
substring in its leading part, and we can take advantage of the same
security guarantee allow git to work from these places.
Extend the earlier "in a directory called '.git' we are OK" logic
used for the primary worktree to also cover the secondary worktree's
and non-embedded submodule's $GIT_DIR, by moving the logic to a
helper function "is_implicit_bare_repo()". We deliberately exclude
secondary worktrees and submodules of a bare repository, as these
are exactly what safe.bareRepository=explicit setting is designed to
forbid accesses to without an explicit GIT_DIR/--git-dir=<path>
Helped-by: Kyle Lippincott <spectral@google.com>
Helped-by: Kyle Meyer <kyle@kyleam.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
108 lines
3.3 KiB
Bash
Executable file
108 lines
3.3 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
test_description='verify safe.bareRepository checks'
|
|
|
|
TEST_PASSES_SANITIZE_LEAK=true
|
|
. ./test-lib.sh
|
|
|
|
pwd="$(pwd)"
|
|
|
|
expect_accepted_implicit () {
|
|
test_when_finished 'rm "$pwd/trace.perf"' &&
|
|
GIT_TRACE2_PERF="$pwd/trace.perf" git "$@" rev-parse --git-dir &&
|
|
# Note: we're intentionally only checking that the bare repo has a
|
|
# directory *prefix* of $pwd
|
|
grep -F "implicit-bare-repository:$pwd" "$pwd/trace.perf"
|
|
}
|
|
|
|
expect_accepted_explicit () {
|
|
test_when_finished 'rm "$pwd/trace.perf"' &&
|
|
GIT_DIR="$1" GIT_TRACE2_PERF="$pwd/trace.perf" git rev-parse --git-dir &&
|
|
! grep -F "implicit-bare-repository:$pwd" "$pwd/trace.perf"
|
|
}
|
|
|
|
expect_rejected () {
|
|
test_when_finished 'rm "$pwd/trace.perf"' &&
|
|
test_env GIT_TRACE2_PERF="$pwd/trace.perf" \
|
|
test_must_fail git "$@" rev-parse --git-dir 2>err &&
|
|
grep -F "cannot use bare repository" err &&
|
|
grep -F "implicit-bare-repository:$pwd" "$pwd/trace.perf"
|
|
}
|
|
|
|
test_expect_success 'setup an embedded bare repo, secondary worktree and submodule' '
|
|
git init outer-repo &&
|
|
git init --bare --initial-branch=main outer-repo/bare-repo &&
|
|
git -C outer-repo worktree add ../outer-secondary &&
|
|
test_path_is_dir outer-secondary &&
|
|
(
|
|
cd outer-repo &&
|
|
test_commit A &&
|
|
git push bare-repo +HEAD:refs/heads/main &&
|
|
git -c protocol.file.allow=always \
|
|
submodule add --name subn -- ./bare-repo subd
|
|
) &&
|
|
test_path_is_dir outer-repo/.git/worktrees/outer-secondary &&
|
|
test_path_is_dir outer-repo/.git/modules/subn
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository unset' '
|
|
test_unconfig --global safe.bareRepository &&
|
|
expect_accepted_implicit -C outer-repo/bare-repo
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository=all' '
|
|
test_config_global safe.bareRepository all &&
|
|
expect_accepted_implicit -C outer-repo/bare-repo
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository=explicit' '
|
|
test_config_global safe.bareRepository explicit &&
|
|
expect_rejected -C outer-repo/bare-repo
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository in the repository' '
|
|
# safe.bareRepository must not be "explicit", otherwise
|
|
# git config fails with "fatal: not in a git directory" (like
|
|
# safe.directory)
|
|
test_config -C outer-repo/bare-repo safe.bareRepository all &&
|
|
test_config_global safe.bareRepository explicit &&
|
|
expect_rejected -C outer-repo/bare-repo
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository on the command line' '
|
|
test_config_global safe.bareRepository explicit &&
|
|
expect_accepted_implicit -C outer-repo/bare-repo \
|
|
-c safe.bareRepository=all
|
|
'
|
|
|
|
test_expect_success 'safe.bareRepository in included file' '
|
|
cat >gitconfig-include <<-\EOF &&
|
|
[safe]
|
|
bareRepository = explicit
|
|
EOF
|
|
git config --global --add include.path "$(pwd)/gitconfig-include" &&
|
|
expect_rejected -C outer-repo/bare-repo
|
|
'
|
|
|
|
test_expect_success 'no trace when GIT_DIR is explicitly provided' '
|
|
expect_accepted_explicit "$pwd/outer-repo/bare-repo"
|
|
'
|
|
|
|
test_expect_success 'no trace when "bare repository" is .git' '
|
|
expect_accepted_implicit -C outer-repo/.git
|
|
'
|
|
|
|
test_expect_success 'no trace when "bare repository" is a subdir of .git' '
|
|
expect_accepted_implicit -C outer-repo/.git/objects
|
|
'
|
|
|
|
test_expect_success 'no trace in $GIT_DIR of secondary worktree' '
|
|
expect_accepted_implicit -C outer-repo/.git/worktrees/outer-secondary
|
|
'
|
|
|
|
test_expect_success 'no trace in $GIT_DIR of a submodule' '
|
|
expect_accepted_implicit -C outer-repo/.git/modules/subn
|
|
'
|
|
|
|
test_done
|