From patchwork Tue Jun 7 20:57:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Glen Choo X-Patchwork-Id: 12872633 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 288FFC43334 for ; Wed, 8 Jun 2022 00:33:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1387217AbiFHAaO (ORCPT ); Tue, 7 Jun 2022 20:30:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58780 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1842631AbiFHAJx (ORCPT ); Tue, 7 Jun 2022 20:09:53 -0400 Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6B3973A0E6B for ; Tue, 7 Jun 2022 13:57:20 -0700 (PDT) Received: by mail-wm1-x329.google.com with SMTP id l2-20020a05600c4f0200b0039c55c50482so2311608wmq.0 for ; Tue, 07 Jun 2022 13:57:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:references:from:date:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=I7AINGUmprrzHHeSmhIZA7ZqetYf9w5xegoq8SYlNaA=; b=TT/V1exS3weEF7B0CeXiv8QjQcJQDQHQlgTfwu4Q9O4Sw+rOIlv7TO5B9t6I6moSBl RFVT7+X9cM9rFSjC7UCq1rTYxtYIpkaUiYa8mFX3syRHsTr+oFQCupEsER2aNoB0b0yF xS0p4nLHkVWO+InsbiTWGgcbcM2tmXZ7dYLYbBhAXxl2W9hc0B9reYjyF6E5MTChgWID OXIm7QLdVIKZBn8KTPndLJoMp0TiEQ3wz6QrCdtVb7+7Bx9IwK50TZ/T66l3rdhSrat3 jFxqzmf0n1IQ7u5oop33r0FARdR188Qv+c+C9lzPK1CtkGOveq/WGYsVp4r2slINb0Tm uO8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:in-reply-to:references:from:date :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=I7AINGUmprrzHHeSmhIZA7ZqetYf9w5xegoq8SYlNaA=; b=w39RRO+iQcErfazkxOV4fyxoUpCu1NReXST/Dtb0M/nrFK7p7kk30PK4vfPhjCuHiC kQ9ttuU6uCp3NMsxdsVHee558YqOVMcIhF7AZgmqKeVgKZPPDJfWUe5br5lqAt1W+rDl vMSbgandbloDYidZjiobd9gxdQgmhizccBAxPAItTKAcZC/bKMXwGmLpWFbkvsqCviUX p3pU6+0OgyN/KHShPwrGD80kjO0XXoH1/C8HjlyJRHXRvEOl0vZ8KxbgdAJ5Lgnjen4u fy103XB61NY9wXpBTHogmbKVqrYDkLsfJr9gfam4gaQNvP48g5oy4zEesUr8pkMlAX4H hhGw== X-Gm-Message-State: AOAM530d9quMbFQHj4MlzcS4j/ozRwOL6rkIIB8KGbgmkMdCeYezjptw F2Q6RhnPXwfKu546sUc3MPTpu8FKdU2V4Wui X-Google-Smtp-Source: ABdhPJytoDNFN1dKPMJE46hL9uCybrMLCHVv4UAb5NKq+bij+mBMf+pIQXG8x80uk9IIh4rSJpVRGQ== X-Received: by 2002:a05:600c:4f96:b0:397:652a:69d0 with SMTP id n22-20020a05600c4f9600b00397652a69d0mr59151196wmq.16.1654635435440; Tue, 07 Jun 2022 13:57:15 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id e40-20020a5d5968000000b00213ba0cab3asm14271187wri.44.2022.06.07.13.57.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 13:57:14 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Tue, 07 Jun 2022 20:57:08 +0000 Subject: [PATCH v4 1/5] Documentation/git-config.txt: add SCOPES section Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Taylor Blau , "brian m. carlson" , Derrick Stolee , Junio C Hamano , Emily Shaffer , Glen Choo , Glen Choo Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Glen Choo From: Glen Choo In a subsequent commit, we will introduce "protected config", which is easiest to describe in terms of configuration scopes (i.e. it's the union of the 'system', 'global', and 'command' scopes). This description is fine for ML discussions, but it's inadequate for end users because we don't provide a good description of "config scopes" in the public docs. 145d59f482 (config: add '--show-scope' to print the scope of a config value, 2020-02-10) introduced the word "scope" to our public docs, but that only enumerates the scopes and assumes the user can figure out those values mean. Add a SCOPES section to Documentation/git-config.txt that describes the config scopes, their corresponding CLI options, and mentions that some configuration options are only respected in certain scopes. Then, use the word "scope" to simplify the FILES section and change some confusing wording. Signed-off-by: Glen Choo --- Documentation/git-config.txt | 64 ++++++++++++++++++++++++++++-------- 1 file changed, 50 insertions(+), 14 deletions(-) diff --git a/Documentation/git-config.txt b/Documentation/git-config.txt index bdcfd94b642..5e4c95f2423 100644 --- a/Documentation/git-config.txt +++ b/Documentation/git-config.txt @@ -297,8 +297,8 @@ The default is to use a pager. FILES ----- -If not set explicitly with `--file`, there are four files where -'git config' will search for configuration options: +By default, 'git config' will read configuration options from multiple +files: $(prefix)/etc/gitconfig:: System-wide configuration file. @@ -322,27 +322,63 @@ $GIT_DIR/config.worktree:: This is optional and is only searched when `extensions.worktreeConfig` is present in $GIT_DIR/config. -If no further options are given, all reading options will read all of these -files that are available. If the global or the system-wide configuration -file are not available they will be ignored. If the repository configuration -file is not available or readable, 'git config' will exit with a non-zero -error code. However, in neither case will an error message be issued. +You may also provide additional configuration parameters when running any +git command by using the `-c` option. See linkgit:git[1] for details. + +Options will be read from all of these files that are available. If the +global or the system-wide configuration file are not available they will be +ignored. If the repository configuration file is not available or readable, +'git config' will exit with a non-zero error code. However, in neither case +will an error message be issued. The files are read in the order given above, with last value found taking precedence over values read earlier. When multiple values are taken then all values of a key from all files will be used. -You may override individual configuration parameters when running any git -command by using the `-c` option. See linkgit:git[1] for details. - -All writing options will per default write to the repository specific +By default, options are only written to the repository specific configuration file. Note that this also affects options like `--replace-all` and `--unset`. *'git config' will only ever change one file at a time*. -You can override these rules using the `--global`, `--system`, -`--local`, `--worktree`, and `--file` command-line options; see -<> above. +You can change the way options are read/written by specifying the path to a +file (`--file`), or by specifying a configuration scope (`--system`, +`--global`, `--local`, `--worktree`); see <> above. + +SCOPES +------ + +Each configuration source falls within a configuration scope. The scopes +are: + +system:: + $(prefix)/etc/gitconfig + +global:: + $XDG_CONFIG_HOME/git/config ++ +~/.gitconfig + +local:: + $GIT_DIR/config + +worktree:: + $GIT_DIR/config.worktree + +command:: + environment variables ++ +the `-c` option + +With the exception of 'command', each scope corresponds to a command line +option - `--system`, `--global`, `--local`, `--worktree`. + +When reading options, specifying a scope will only read options from the +files within that scope. When writing options, specifying a scope will write +to the files within that scope (instead of the repository specific +configuration file). See <> above for a complete description. +Most configuration options are respected regardless of the scope it is +defined in, but some options are only respected in certain scopes. See the +option's documentation for the full details. ENVIRONMENT ----------- From patchwork Tue Jun 7 20:57:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Glen Choo X-Patchwork-Id: 12872632 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFCC1CCA482 for ; Wed, 8 Jun 2022 00:33:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1386986AbiFHAaK (ORCPT ); Tue, 7 Jun 2022 20:30:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1844531AbiFHAMd (ORCPT ); Tue, 7 Jun 2022 20:12:33 -0400 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D46F3A0E72 for ; Tue, 7 Jun 2022 13:57:21 -0700 (PDT) Received: by mail-wr1-x42d.google.com with SMTP id k19so25713614wrd.8 for ; Tue, 07 Jun 2022 13:57:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:references:from:date:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=jFIjuXvt59Z59x6iggNsmEt+FWw1OJYXARMKpw2SI6I=; b=URDllm3xhwzhJRG5Vwk6U2oORhUvEARzAgdda13CALXhJjM8/gJH0LD2vjYkJz/FAx v5KkldWqqqQI/VxgoMg2Sz2SH/RzNGxLJTs0P2nVFLG2XWS5q12gNXVEQBTv1vIKCd1M mCRMGOVqmi8/AHcuDtdQYMedASsf+7GciCOXd3EtOgF/HJfxQ/2+lyqsVUcV/ss45tFH kfoPnxoBQm7O82+KBZED2Kb5OYhaS3eUXk+eY1nq800ytYCng99ZEpaZa7b0nHRGp0d/ ALGGBsQRefFWgYTEwxvjsACjZbKEWTFZSSWeVTeq++XX0hfe0qQyARNHoiZg7KADkb+B bE7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:in-reply-to:references:from:date :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=jFIjuXvt59Z59x6iggNsmEt+FWw1OJYXARMKpw2SI6I=; b=CaanR/eg6hxLd0Q81yXvdn4VqK7Bf2KTuqRop+OJgyHFczGWgdm7AuzxX74iVgc1LP uKSnJsYea2kgdf0XQMF4EpK9VFWPaaFptb1vgd0N+d78U+CvTBLHGaIM6E4N3qwT1grW ahQ2yTpwyrsDP9ytw5fVya4ET/8cm6nC3BuGKTleiMXcqufITiD31Y9k1ZbEI4sk6cO7 5qgsVF5UWmwXIn9fYt1euP3BhfIYT5jZnZKVXwOabpVulN7zOaF2vR/U1cHLvmN9yWzG Xd9Al3yeaPDGsBklgSQefSG2XBhUJmmqQ2Tnkd2s9ds/da1hZaRv4bndR4Hir4xdasbA YApA== X-Gm-Message-State: AOAM5314lMA7LobfytAdYsclWjbr4Cn5ir5zEpkiVBdPg7RrnxNV2uXg ncsvSXI+xjjCSpRcW9NqHTD2C+ne3Ljngcq5 X-Google-Smtp-Source: ABdhPJyr+vwHzJHUxtOuO7v16hzsqCfGe8ofjfvaMeDVPEsRK1iJ3TyfUM33YeKqlz07LnAEwS3HRw== X-Received: by 2002:adf:eccd:0:b0:212:fbbc:79de with SMTP id s13-20020adfeccd000000b00212fbbc79demr28305826wro.520.1654635436784; Tue, 07 Jun 2022 13:57:16 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id k1-20020a1ca101000000b0039c4ff5e0a7sm6856447wme.38.2022.06.07.13.57.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 13:57:16 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Tue, 07 Jun 2022 20:57:09 +0000 Subject: [PATCH v4 2/5] Documentation: define protected configuration Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Taylor Blau , "brian m. carlson" , Derrick Stolee , Junio C Hamano , Emily Shaffer , Glen Choo , Glen Choo Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Glen Choo From: Glen Choo For security reasons, there are config variables that are only trusted when they are specified in extra-trustworthy configuration scopes, which are sometimes referred to on-list as 'protected configuration' [1]. A future commit will introduce another such variable, so let's define our terms so that we can have consistent documentation and implementation. In our documentation, define 'protected config' as the system, global and command config scopes. As a shorthand, I will refer to variables that are only respected in protected config as 'protected config only', but this term is not used in the documentation. This definition of protected configuration is based on whether or not Git can reasonably protect the user by ignoring the configuration scope: - System, global and command line config are considered protected because an attacker who has control over any of those can do plenty of harm without Git, so we gain very little by ignoring those scopes. - On the other hand, local (and similarly, worktree) config are not considered protected because it is relatively easy for an attacker to control local config, e.g.: - On some shared user environments, a non-admin attacker can create a repository high up the directory hierarchy (e.g. C:\.git on Windows), and a user may accidentally use it when their PS1 automatically invokes "git" commands. `safe.directory` prevents attacks of this form by making sure that the user intended to use the shared repository. It obviously shouldn't be read from the repository, because that would end up trusting the repository that Git was supposed to reject. - "git upload-pack" is expected to run in repositories that may not be controlled by the user. We cannot ignore all config in that repository (because "git upload-pack" would fail), but we can limit the risks by ignoring `uploadpack.packObjectsHook`. Only `uploadpack.packObjectsHook` is 'protected config only'. The following variables are intentionally excluded: - `safe.directory` should be 'protected config only', but it does not technically fit the definition because it is not respected in the "command" scope. A future commit will fix this. - `trace2.*` happens to read the same scopes as `safe.directory` because they share an implementation. However, this is not for security reasons; it is because we want to start tracing so early that repository-level config and "-c" are not available [2]. This requirement is unique to `trace2.*`, so it does not makes sense for protected configuration to be subject to the same constraints. [1] For example, https://lore.kernel.org/git/6af83767-576b-75c4-c778-0284344a8fe7@github.com/ [2] https://lore.kernel.org/git/a0c89d0d-669e-bf56-25d2-cbb09b012e70@jeffhostetler.com/ Signed-off-by: Glen Choo --- Documentation/config/uploadpack.txt | 6 +++--- Documentation/git-config.txt | 13 +++++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/Documentation/config/uploadpack.txt b/Documentation/config/uploadpack.txt index 32fad5bbe81..029abbefdff 100644 --- a/Documentation/config/uploadpack.txt +++ b/Documentation/config/uploadpack.txt @@ -49,9 +49,9 @@ uploadpack.packObjectsHook:: `pack-objects` to the hook, and expects a completed packfile on stdout. + -Note that this configuration variable is ignored if it is seen in the -repository-level config (this is a safety measure against fetching from -untrusted repositories). +Note that this configuration variable is only respected when it is specified +in protected config (see <>). This is a safety measure against +fetching from untrusted repositories. uploadpack.allowFilter:: If this option is set, `upload-pack` will support partial diff --git a/Documentation/git-config.txt b/Documentation/git-config.txt index 5e4c95f2423..2b4334faec9 100644 --- a/Documentation/git-config.txt +++ b/Documentation/git-config.txt @@ -343,6 +343,7 @@ You can change the way options are read/written by specifying the path to a file (`--file`), or by specifying a configuration scope (`--system`, `--global`, `--local`, `--worktree`); see <> above. +[[SCOPES]] SCOPES ------ @@ -380,6 +381,18 @@ Most configuration options are respected regardless of the scope it is defined in, but some options are only respected in certain scopes. See the option's documentation for the full details. +Protected config +~~~~~~~~~~~~~~~~ + +Protected config refers to the 'system', 'global', and 'command' scopes. Git +considers these scopes to be especially trustworthy because they are likely +to be controlled by the user or a trusted administrator. An attacker who +controls these scopes can do substantial harm without using Git, so it is +assumed that the user's environment protects these scopes against attackers. + +For security reasons, certain options are only respected when they are +specified in protected config, and ignored otherwise. + ENVIRONMENT ----------- From patchwork Tue Jun 7 20:57:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Glen Choo X-Patchwork-Id: 12872627 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49CF1C43334 for ; Wed, 8 Jun 2022 00:28:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348619AbiFHA22 (ORCPT ); Tue, 7 Jun 2022 20:28:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48728 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1451344AbiFGXMe (ORCPT ); Tue, 7 Jun 2022 19:12:34 -0400 Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B08DF3A0E7E for ; Tue, 7 Jun 2022 13:57:22 -0700 (PDT) Received: by mail-wr1-x42c.google.com with SMTP id q15so17696316wrc.11 for ; Tue, 07 Jun 2022 13:57:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:references:from:date:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=ZNf4ysFvryLAt3/LMj1UB3mOV/xaLYIkoA37AHJnj2E=; b=f5rWGzdz4NF1Y9Rau/wgmAAiaBzGgO7jThjGeahQ+gQmEd0q9ZjdQFvUAQ6f9djHgp n4bkPB0bRG2s099xTp9fAG3Bwwi5x31oK9RD7JTwdBVWIbgEnmdRdO4g+shjtLdI21Rt 6nXeA41A6Topj7BZNt5/Hs2D/5N5XvsWqRzxPEDCEWO1QsXUMRIXHwtDpAxO+I3J6x6G ZjZrbmofEHTbR7vwAN+MgHPdzMAonVOKZ/F9GB7Sy3MxlRva5UytaqZnYBM9geRGIH3Z R/8bSzGsp9GmkWZUSSyT1XzOAVXBYd8fWV7bO4mlMcTQhD/S6VKXVy56/CyoyFlU6gCP 8MZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:in-reply-to:references:from:date :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=ZNf4ysFvryLAt3/LMj1UB3mOV/xaLYIkoA37AHJnj2E=; b=TdqhPTTaaO6AFiBLTzbZ/Nqz4mAVSvy5rdrQzK4UWNBTkXwhscpMIcIIRU3/E9usyE pC3mP4xP0ePxWaxfzfJ9XbX/oN2gls07OrjupBH9K/w1KdziZcnldy/rs7BAd97mh4OO JrmlVYqJfYWwstcFcM0gBvkB5Yl02KFudcgscoMC16oZ2gnAQU4uWztx/R0xr9HRTPhZ u0mziwyVw5Ff2H1tVmV+D8hD+B828ERigLBnwGXKJ/yxzg49p0NYnJlbaN5zbE3y3O2W J1xWuF0SjvvDG9PX57qbSezmkMrhUML9eNss3gAu3AhRLyvocVApxnkkbWvF9NUsa3iS UDKw== X-Gm-Message-State: AOAM531Ob7X3mMBcpOWCMxAhb7s8mXvcW1XkuqJdvzHs7UL6xvoG0ORk EwRkh1bL310/RxgyifJQ0jGWlj2Fd7afM6ls X-Google-Smtp-Source: ABdhPJx+8v8BkSrqUjg5OwVY1DCL5OlyRcTWsewSI2DFsvHgLPumZKIrZAMdfM19dAv0OdyDM7jkhg== X-Received: by 2002:a5d:4b10:0:b0:213:5e0:2c6c with SMTP id v16-20020a5d4b10000000b0021305e02c6cmr28907944wrq.126.1654635437949; Tue, 07 Jun 2022 13:57:17 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 63-20020a1c1942000000b003974cb37a94sm25244769wmz.22.2022.06.07.13.57.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 13:57:17 -0700 (PDT) Message-Id: <94b40907e66b2f6e0874ab49f8b73fdd58eb06d5.1654635432.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Tue, 07 Jun 2022 20:57:10 +0000 Subject: [PATCH v4 3/5] config: read protected config with `git_protected_config()` Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Taylor Blau , "brian m. carlson" , Derrick Stolee , Junio C Hamano , Emily Shaffer , Glen Choo , Glen Choo Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Glen Choo From: Glen Choo `uploadpack.packObjectsHook` is the only 'protected config only' variable today, but we've noted that `safe.directory` and the upcoming `discovery.bare` should also be 'protected config only'. So, for consistency, we'd like to have a single implementation for protected config. The primary constraints are: 1. Reading from protected config should be as fast as possible. Nearly all "git" commands inside a bare repository will read both `safe.directory` and `discovery.bare`, so we cannot afford to be slow. 2. Protected config must be readable when the gitdir is not known. `safe.directory` and `discovery.bare` both affect repository discovery and the gitdir is not known at that point [1]. The chosen implementation in this commit is to read protected config and cache the values in a global configset. This is similar to the caching behavior we get with the_repository->config. Introduce git_protected_config(), which reads protected config and caches them in the global configset protected_config. Then, refactor `uploadpack.packObjectsHook` to use git_protected_config(). The protected config functions are named similarly to their non-protected counterparts, e.g. git_protected_config_check_init() vs git_config_check_init(). In light of constraint 1, this implementation can still be improved since git_protected_config() iterates through every variable in protected_config, which may still be too expensive. There exist constant time lookup functions for non-protected config (repo_config_get_*()), but for simplicity, this commit does not implement similar functions for protected config. An alternative that avoids introducing another configset is to continue to read all config using git_config(), but only accept values that have the correct config scope [2]. This technically fulfills constraint 2, because git_config() simply ignores the local and worktree config when the gitdir is not known. However, this would read incomplete config into the_repository->config, which would need to be reset when the gitdir is known and git_config() needs to read the local and worktree config. Resetting the_repository->config might be reasonable while we only have these 'protected config only' variables, but it's not clear whether this extends well to future variables. [1] In this case, we do have a candidate gitdir though, so with a little refactoring, it might be possible to provide a gitdir. [2] This is how `uploadpack.packObjectsHook` was implemented prior to this commit. Signed-off-by: Glen Choo --- config.c | 51 ++++++++++++++++++++++++++++++++++++ config.h | 17 ++++++++++++ t/t5544-pack-objects-hook.sh | 7 ++++- upload-pack.c | 27 ++++++++++++------- 4 files changed, 91 insertions(+), 11 deletions(-) diff --git a/config.c b/config.c index fa471dbdb89..56b7ed5ffe8 100644 --- a/config.c +++ b/config.c @@ -81,6 +81,18 @@ static enum config_scope current_parsing_scope; static int pack_compression_seen; static int zlib_compression_seen; +/* + * Config that comes from trusted sources, namely: + * - system config files (e.g. /etc/gitconfig) + * - global config files (e.g. $HOME/.gitconfig, + * $XDG_CONFIG_HOME/git) + * - the command line. + * + * This is declared here for code cleanliness, but unlike the other + * static variables, this does not hold config parser state. + */ +static struct config_set protected_config; + static int config_file_fgetc(struct config_source *conf) { return getc_unlocked(conf->u.file); @@ -2373,6 +2385,11 @@ int git_configset_add_file(struct config_set *cs, const char *filename) return git_config_from_file(config_set_callback, filename, cs); } +int git_configset_add_parameters(struct config_set *cs) +{ + return git_config_from_parameters(config_set_callback, cs); +} + int git_configset_get_value(struct config_set *cs, const char *key, const char **value) { const struct string_list *values = NULL; @@ -2614,6 +2631,40 @@ int repo_config_get_pathname(struct repository *repo, return ret; } +/* Read values into protected_config. */ +static void read_protected_config(void) +{ + char *xdg_config = NULL, *user_config = NULL, *system_config = NULL; + + git_configset_init(&protected_config); + + system_config = git_system_config(); + git_global_config(&user_config, &xdg_config); + + git_configset_add_file(&protected_config, system_config); + git_configset_add_file(&protected_config, xdg_config); + git_configset_add_file(&protected_config, user_config); + git_configset_add_parameters(&protected_config); + + free(system_config); + free(xdg_config); + free(user_config); +} + +/* Ensure that protected_config has been initialized. */ +static void git_protected_config_check_init(void) +{ + if (protected_config.hash_initialized) + return; + read_protected_config(); +} + +void git_protected_config(config_fn_t fn, void *data) +{ + git_protected_config_check_init(); + configset_iter(&protected_config, fn, data); +} + /* Functions used historically to read configuration from 'the_repository' */ void git_config(config_fn_t fn, void *data) { diff --git a/config.h b/config.h index 7654f61c634..e3ff1fcf683 100644 --- a/config.h +++ b/config.h @@ -446,6 +446,15 @@ void git_configset_init(struct config_set *cs); */ int git_configset_add_file(struct config_set *cs, const char *filename); +/** + * Parses command line options and environment variables, and adds the + * variable-value pairs to the `config_set`. Returns 0 on success, or -1 + * if there is an error in parsing. The caller decides whether to free + * the incomplete configset or continue using it when the function + * returns -1. + */ +int git_configset_add_parameters(struct config_set *cs); + /** * Finds and returns the value list, sorted in order of increasing priority * for the configuration variable `key` and config set `cs`. When the @@ -505,6 +514,14 @@ int repo_config_get_maybe_bool(struct repository *repo, int repo_config_get_pathname(struct repository *repo, const char *key, const char **dest); +/* + * Functions for reading protected config. By definition, protected + * config ignores repository config, so it is unnecessary to read + * protected config from any `struct repository` other than + * the_repository. + */ +void git_protected_config(config_fn_t fn, void *data); + /** * Querying For Specific Variables * ------------------------------- diff --git a/t/t5544-pack-objects-hook.sh b/t/t5544-pack-objects-hook.sh index dd5f44d986f..54f54f8d2eb 100755 --- a/t/t5544-pack-objects-hook.sh +++ b/t/t5544-pack-objects-hook.sh @@ -56,7 +56,12 @@ test_expect_success 'hook does not run from repo config' ' ! grep "hook running" stderr && test_path_is_missing .git/hook.args && test_path_is_missing .git/hook.stdin && - test_path_is_missing .git/hook.stdout + test_path_is_missing .git/hook.stdout && + + # check that global config is used instead + test_config_global uploadpack.packObjectsHook ./hook && + git clone --no-local . dst2.git 2>stderr && + grep "hook running" stderr ' test_expect_success 'hook works with partial clone' ' diff --git a/upload-pack.c b/upload-pack.c index 3a851b36066..09f48317b02 100644 --- a/upload-pack.c +++ b/upload-pack.c @@ -1321,18 +1321,27 @@ static int upload_pack_config(const char *var, const char *value, void *cb_data) data->advertise_sid = git_config_bool(var, value); } - if (current_config_scope() != CONFIG_SCOPE_LOCAL && - current_config_scope() != CONFIG_SCOPE_WORKTREE) { - if (!strcmp("uploadpack.packobjectshook", var)) - return git_config_string(&data->pack_objects_hook, var, value); - } - if (parse_object_filter_config(var, value, data) < 0) return -1; return parse_hide_refs_config(var, value, "uploadpack"); } +static int upload_pack_protected_config(const char *var, const char *value, void *cb_data) +{ + struct upload_pack_data *data = cb_data; + + if (!strcmp("uploadpack.packobjectshook", var)) + return git_config_string(&data->pack_objects_hook, var, value); + return 0; +} + +static void get_upload_pack_config(struct upload_pack_data *data) +{ + git_config(upload_pack_config, data); + git_protected_config(upload_pack_protected_config, data); +} + void upload_pack(const int advertise_refs, const int stateless_rpc, const int timeout) { @@ -1340,8 +1349,7 @@ void upload_pack(const int advertise_refs, const int stateless_rpc, struct upload_pack_data data; upload_pack_data_init(&data); - - git_config(upload_pack_config, &data); + get_upload_pack_config(&data); data.stateless_rpc = stateless_rpc; data.timeout = timeout; @@ -1695,8 +1703,7 @@ int upload_pack_v2(struct repository *r, struct packet_reader *request) upload_pack_data_init(&data); data.use_sideband = LARGE_PACKET_MAX; - - git_config(upload_pack_config, &data); + get_upload_pack_config(&data); while (state != FETCH_DONE) { switch (state) { From patchwork Tue Jun 7 20:57:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Glen Choo X-Patchwork-Id: 12872625 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C99B5CCA486 for ; Wed, 8 Jun 2022 00:27:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382691AbiFHA0m (ORCPT ); Tue, 7 Jun 2022 20:26:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1451388AbiFGXMh (ORCPT ); Tue, 7 Jun 2022 19:12:37 -0400 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D9E9B3A15DD for ; Tue, 7 Jun 2022 13:57:26 -0700 (PDT) Received: by mail-wr1-x42d.google.com with SMTP id q26so15362991wra.1 for ; Tue, 07 Jun 2022 13:57:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:references:from:date:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=4Eexds/wtUWaNlzD4CckNK+1vjkrUR5m5mCaAu4Jc1A=; b=XIILYelvghoJss8Wr7Z+Q7jufK/dtCFoqkS6shIRf+jT/nnAGGWd+Ctf9I2ai6sX7G eQ4EXktpEzk2Ogq3Ie6mO8IQyWG3Vnjzca391uuzlL4xnerE7MwJBwT2WwK96rnG/Dzr D1Dlf0gPV6vwxiZCP28o6lZzY/Wqtn6MiANt26FSfqL6jfU/+ZrmTioAmAN2fVcxf90Z 8tlR0bYqb17DeaakRDwymjJhHTVole7qM1qeJL9gxaU2QjjhhO4cwP7S5aQwWFNn39wq uyqBA7u8gEO9x12S5zecI421ClW54JTqDoMK4dy9q9JdPT+1R+NRgcxv1c6QVYQJdm5y gs5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:in-reply-to:references:from:date :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=4Eexds/wtUWaNlzD4CckNK+1vjkrUR5m5mCaAu4Jc1A=; b=xfUIGceBz4QyVFXz81ICW3zJpOstm97heqqMz8gdkov8P5mFBGkU1f0jnLJq1kzhee 4BS1UjWzun92xK/62mtWj5WRml0nOr271tX85CVnB3KdDsmi2m1PIg1gjNngsfNLdfeN Yt7eqxA5Of+mtrdDVulINhluj+QoQMt8xCb6x3SHQDH1QXhHw0z0rCc+6dt7cTVOOlOK UvA+umWt2CQLrln/SQJXQIYqcW+U4TVj2MaHsrpgmHIcDQldgwzacqU/rjlVlq2O6SED FaCt0J8vlUZVh9GAagYcCPtkug9/DtDxR45Gx0g4MQZAF5KSTVQSI9cn6rTI5rjvjjjq vMNg== X-Gm-Message-State: AOAM532LSfBnqPnZ2qjcVcnSF4pfH1JiV+eHdwH0X/Mwzn64A1B+bv1E qhW1bT2lDQ6AOt1jNdFpigvsLlQKRi6sG6pZ X-Google-Smtp-Source: ABdhPJxgL9x0uShpNQK8CfOircCzgzb9sToZFrNn3xR/gTXSQin9JClLvswVBplS8PGCtyrwFO0FPA== X-Received: by 2002:a5d:47a1:0:b0:218:423a:de8f with SMTP id 1-20020a5d47a1000000b00218423ade8fmr11684058wrb.420.1654635439478; Tue, 07 Jun 2022 13:57:19 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id z2-20020adff1c2000000b0020c5253d8dcsm18084468wro.40.2022.06.07.13.57.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 13:57:18 -0700 (PDT) Message-Id: <156817966fa87e0e3b94a1e8468ecfc6683b1946.1654635432.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Tue, 07 Jun 2022 20:57:11 +0000 Subject: [PATCH v4 4/5] safe.directory: use git_protected_config() Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Taylor Blau , "brian m. carlson" , Derrick Stolee , Junio C Hamano , Emily Shaffer , Glen Choo , Glen Choo Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Glen Choo From: Glen Choo Use git_protected_config() to read `safe.directory` instead of read_very_early_config(), making it 'protected config only'. As a result, `safe.directory` now respects "-c", so update the tests and docs accordingly. Signed-off-by: Glen Choo --- Documentation/config/safe.txt | 6 +++--- setup.c | 2 +- t/t0033-safe-directory.sh | 24 ++++++++++-------------- 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index ae0e2e3bdb4..2a7d2324250 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -12,9 +12,9 @@ via `git config --add`. To reset the list of safe directories (e.g. to override any such directories specified in the system config), add a `safe.directory` entry with an empty value. + -This config setting is only respected when specified in a system or global -config, not when it is specified in a repository config, via the command -line option `-c safe.directory=`, or in environment variables. +This config setting is only respected in protected configuration (see +<>). This prevents the untrusted repository from tampering with this +value. + The value of this setting is interpolated, i.e. `~/` expands to a path relative to the home directory and `%(prefix)/` expands to a diff --git a/setup.c b/setup.c index f818dd858c6..847d47f9195 100644 --- a/setup.c +++ b/setup.c @@ -1128,7 +1128,7 @@ static int ensure_valid_ownership(const char *path) is_path_owned_by_current_user(path)) return 1; - read_very_early_config(safe_directory_cb, &data); + git_protected_config(safe_directory_cb, &data); return data.is_safe; } diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index 238b25f91a3..5a1cd0d0947 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh @@ -16,24 +16,20 @@ test_expect_success 'safe.directory is not set' ' expect_rejected_dir ' -test_expect_success 'ignoring safe.directory on the command line' ' - test_must_fail git -c safe.directory="$(pwd)" status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory on the command line' ' + git -c safe.directory="$(pwd)" status ' -test_expect_success 'ignoring safe.directory in the environment' ' - test_must_fail env GIT_CONFIG_COUNT=1 \ - GIT_CONFIG_KEY_0="safe.directory" \ - GIT_CONFIG_VALUE_0="$(pwd)" \ - git status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory in the environment' ' + env GIT_CONFIG_COUNT=1 \ + GIT_CONFIG_KEY_0="safe.directory" \ + GIT_CONFIG_VALUE_0="$(pwd)" \ + git status ' -test_expect_success 'ignoring safe.directory in GIT_CONFIG_PARAMETERS' ' - test_must_fail env \ - GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \ - git status 2>err && - grep "unsafe repository" err +test_expect_success 'safe.directory in GIT_CONFIG_PARAMETERS' ' + env GIT_CONFIG_PARAMETERS="${SQ}safe.directory${SQ}=${SQ}$(pwd)${SQ}" \ + git status ' test_expect_success 'ignoring safe.directory in repo config' ' From patchwork Tue Jun 7 20:57:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Glen Choo X-Patchwork-Id: 12872628 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30E20CCA47F for ; Wed, 8 Jun 2022 00:33:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382838AbiFHA3Q (ORCPT ); Tue, 7 Jun 2022 20:29:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46170 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1451369AbiFGXMf (ORCPT ); Tue, 7 Jun 2022 19:12:35 -0400 Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE9583A2197 for ; Tue, 7 Jun 2022 13:57:33 -0700 (PDT) Received: by mail-wr1-x42e.google.com with SMTP id m26so14303599wrb.4 for ; Tue, 07 Jun 2022 13:57:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:references:from:date:subject:fcc :content-transfer-encoding:mime-version:to:cc; bh=Y8aPg96TISFn2JO438LDDwaA6S+BMcV3rQ1NYcZg6fM=; b=h4p9ZoJpH4NYnyuZPU/DctB5eN8JOE0B2wh1pagjaQyxBRamsPfStadhI2fpFK5DWB 7cmLhyC48OJEp1qB1VvxKkxM+hJPoI5Mn8oEYMlKOsbPf/tIe2tdU3IVz2WdsfK/lmy5 J/LYMv7Pc6iJ7SUqlucoaN6G6WEfHQ4cPy8hJgJInmlsnY1CAqg8aeUa0NW9sPmdpHXq 6GLCeEW3V2qMuCzTJ620f1KVm+0My+z3sOCZVaOm/+Kddi/hHVx69RWtTw+hgBWYcQBu TnRs0vuZY71uWDGmJsAxTU9APrvEvDHvgcc14yMnLFJytPslTt9s4cXwv91Sh8l/B+l/ l+eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:in-reply-to:references:from:date :subject:fcc:content-transfer-encoding:mime-version:to:cc; bh=Y8aPg96TISFn2JO438LDDwaA6S+BMcV3rQ1NYcZg6fM=; b=QsNSVncgdByP0H5Rhc8ApArRUYSzAs94WkRf8Jwyoyb+L0JbrXQopYWf2tt3lHWKN0 249uV4kPXfyIMh+/jZJzBuUGB53HIv+qof/TPklpqucoauflAlspKzAFY9F6oB63OdvJ V35L5oyh4Y4DmK4ETaqVWrwdux0Ie6wyVqTU4SQ2BrYkpp1RLmL3rnSBiZEaAgnu6TwJ pZpsy9pF8nTgzZPTIN2+fZA3+uIPFTDEQuBKEe752ilKUG2ch6m8dM/cbWCKSkXFFQGo 19NGWDs8M6Xk69vpwqlGBL+wNmys2KIC9/pI6cgcNA2QnshzpaBJvwfIGZVFCWSJrOHg dGKQ== X-Gm-Message-State: AOAM531o3R+VOF3I6S6nzothEMKn640iVIrMXvWrs9fr1tPRr4y6/fB6 GuBiTaXBiKmzvEVCllue35DsEMu42eb33EMN X-Google-Smtp-Source: ABdhPJy9FNQtMcUEF5ouColoQfUp5/yRirTKuxJ9UlLhLNWdwCKZJnljex7ME2s1PFTx9hoqcwv2DQ== X-Received: by 2002:a5d:65c1:0:b0:210:33b7:4525 with SMTP id e1-20020a5d65c1000000b0021033b74525mr30073231wrw.494.1654635440601; Tue, 07 Jun 2022 13:57:20 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id u15-20020a05600c19cf00b003973b9d0447sm22665537wmq.36.2022.06.07.13.57.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 13:57:20 -0700 (PDT) Message-Id: <29053d029f8ec61095a2ad557be38b1d485a158f.1654635432.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Tue, 07 Jun 2022 20:57:12 +0000 Subject: [PATCH v4 5/5] setup.c: create `discovery.bare` Fcc: Sent MIME-Version: 1.0 To: git@vger.kernel.org Cc: Taylor Blau , "brian m. carlson" , Derrick Stolee , Junio C Hamano , Emily Shaffer , Glen Choo , Glen Choo Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org From: Glen Choo From: Glen Choo There is a known social engineering attack that takes advantage of the fact that a working tree can include an entire bare repository, including a config file. A user could run a Git command inside the bare repository thinking that the config file of the 'outer' repository would be used, but in reality, the bare repository's config file (which is attacker-controlled) is used, which may result in arbitrary code execution. See [1] for a fuller description and deeper discussion. A simple mitigation is to forbid bare repositories unless specified via `--git-dir` or `GIT_DIR`. In environments that don't use bare repositories, this would be minimally disruptive. Create a config variable, `discovery.bare`, that tells Git whether or not to die() when it discovers a bare repository. This only affects repository discovery, thus it has no effect if discovery was not done (e.g. `--git-dir` was passed). This config is an enum of: - "always": always allow bare repositories (this is the default) - "never": never allow bare repositories If we want to protect users from such attacks by default, neither value will suffice - "always" provides no protection, but "never" is impractical for bare repository users. A more usable default would be to allow only non-embedded bare repositories ([2] contains one such proposal), but detecting if a repository is embedded is potentially non-trivial, so this work is not implemented in this series. [1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com [2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com Signed-off-by: Glen Choo --- Documentation/config.txt | 2 + Documentation/config/discovery.txt | 19 +++++++++ setup.c | 57 ++++++++++++++++++++++++- t/t0035-discovery-bare.sh | 68 ++++++++++++++++++++++++++++++ 4 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 Documentation/config/discovery.txt create mode 100755 t/t0035-discovery-bare.sh diff --git a/Documentation/config.txt b/Documentation/config.txt index e284b042f22..9a5e1329772 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -409,6 +409,8 @@ include::config/diff.txt[] include::config/difftool.txt[] +include::config/discovery.txt[] + include::config/extensions.txt[] include::config/fastimport.txt[] diff --git a/Documentation/config/discovery.txt b/Documentation/config/discovery.txt new file mode 100644 index 00000000000..fbe93597e7c --- /dev/null +++ b/Documentation/config/discovery.txt @@ -0,0 +1,19 @@ +discovery.bare:: + '(Protected config only)' Specifies whether Git will work with a + bare repository that it found during repository discovery. This + has no effect if the repository is specified directly via the + --git-dir command-line option or the GIT_DIR environment + variable (see linkgit:git[1]). ++ +The currently supported values are: ++ +* `always`: Git always works with bare repositories +* `never`: Git never works with bare repositories ++ +This defaults to `always`, but this default may change in the future. ++ +If you do not use bare repositories in your workflow, then it may be +beneficial to set `discovery.bare` to `never` in your global config. +This will protect you from attacks that involve cloning a repository +that contains a bare repository and running a Git command within that +directory. diff --git a/setup.c b/setup.c index 847d47f9195..4d8d3c1bc7d 100644 --- a/setup.c +++ b/setup.c @@ -10,6 +10,10 @@ static int inside_git_dir = -1; static int inside_work_tree = -1; static int work_tree_config_is_bogus; +enum discovery_bare_allowed { + DISCOVERY_BARE_NEVER = 0, + DISCOVERY_BARE_ALWAYS, +}; static struct startup_info the_startup_info; struct startup_info *startup_info = &the_startup_info; @@ -1133,6 +1137,46 @@ static int ensure_valid_ownership(const char *path) return data.is_safe; } +static int discovery_bare_cb(const char *key, const char *value, void *d) +{ + enum discovery_bare_allowed *discovery_bare_allowed = d; + + if (strcmp(key, "discovery.bare")) + return 0; + + if (!strcmp(value, "never")) { + *discovery_bare_allowed = DISCOVERY_BARE_NEVER; + return 0; + } + if (!strcmp(value, "always")) { + *discovery_bare_allowed = DISCOVERY_BARE_ALWAYS; + return 0; + } + return -1; +} + +static enum discovery_bare_allowed get_discovery_bare(void) +{ + enum discovery_bare_allowed result = DISCOVERY_BARE_ALWAYS; + git_protected_config(discovery_bare_cb, &result); + return result; +} + +static const char *discovery_bare_allowed_to_string( + enum discovery_bare_allowed discovery_bare_allowed) +{ + switch (discovery_bare_allowed) { + case DISCOVERY_BARE_NEVER: + return "never"; + case DISCOVERY_BARE_ALWAYS: + return "always"; + default: + BUG("invalid discovery_bare_allowed %d", + discovery_bare_allowed); + } + return NULL; +} + enum discovery_result { GIT_DIR_NONE = 0, GIT_DIR_EXPLICIT, @@ -1142,7 +1186,8 @@ enum discovery_result { GIT_DIR_HIT_CEILING = -1, GIT_DIR_HIT_MOUNT_POINT = -2, GIT_DIR_INVALID_GITFILE = -3, - GIT_DIR_INVALID_OWNERSHIP = -4 + GIT_DIR_INVALID_OWNERSHIP = -4, + GIT_DIR_DISALLOWED_BARE = -5, }; /* @@ -1239,6 +1284,8 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, } if (is_git_directory(dir->buf)) { + if (!get_discovery_bare()) + return GIT_DIR_DISALLOWED_BARE; if (!ensure_valid_ownership(dir->buf)) return GIT_DIR_INVALID_OWNERSHIP; strbuf_addstr(gitdir, "."); @@ -1385,6 +1432,14 @@ const char *setup_git_directory_gently(int *nongit_ok) } *nongit_ok = 1; break; + case GIT_DIR_DISALLOWED_BARE: + if (!nongit_ok) { + die(_("cannot use bare repository '%s' (discovery.bare is '%s')"), + dir.buf, + discovery_bare_allowed_to_string(get_discovery_bare())); + } + *nongit_ok = 1; + break; case GIT_DIR_NONE: /* * As a safeguard against setup_git_directory_gently_1 returning diff --git a/t/t0035-discovery-bare.sh b/t/t0035-discovery-bare.sh new file mode 100755 index 00000000000..0b345d361e6 --- /dev/null +++ b/t/t0035-discovery-bare.sh @@ -0,0 +1,68 @@ +#!/bin/sh + +test_description='verify discovery.bare checks' + +. ./test-lib.sh + +pwd="$(pwd)" + +expect_accepted () { + git "$@" rev-parse --git-dir +} + +expect_rejected () { + test_must_fail git "$@" rev-parse --git-dir 2>err && + grep "discovery.bare" err +} + +test_expect_success 'setup bare repo in worktree' ' + git init outer-repo && + git init --bare outer-repo/bare-repo +' + +test_expect_success 'discovery.bare unset' ' + ( + cd outer-repo/bare-repo && + expect_accepted + ) +' + +test_expect_success 'discovery.bare=always' ' + git config --global discovery.bare always && + ( + cd outer-repo/bare-repo && + expect_accepted + ) +' + +test_expect_success 'discovery.bare=never' ' + git config --global discovery.bare never && + ( + cd outer-repo/bare-repo && + expect_rejected + ) +' + +test_expect_success 'discovery.bare in the repository' ' + ( + cd outer-repo/bare-repo && + # Temporarily set discovery.bare=always, otherwise git + # config fails with "fatal: not in a git directory" + # (like safe.directory) + git config --global discovery.bare always && + git config discovery.bare always && + git config --global discovery.bare never && + expect_rejected + ) +' + +test_expect_success 'discovery.bare on the command line' ' + git config --global discovery.bare never && + ( + cd outer-repo/bare-repo && + expect_accepted -c discovery.bare=always && + expect_rejected -c discovery.bare= + ) +' + +test_done