setup.c: create `safe.bareRepository`
There is a known social engineering attack that takes advantage of the
fact that a working tree can include an entire bare repository,
including a config file. A user could run a Git command inside the bare
repository thinking that the config file of the 'outer' repository would
be used, but in reality, the bare repository's config file (which is
attacker-controlled) is used, which may result in arbitrary code
execution. See [1] for a fuller description and deeper discussion.
A simple mitigation is to forbid bare repositories unless specified via
`--git-dir` or `GIT_DIR`. In environments that don't use bare
repositories, this would be minimally disruptive.
Create a config variable, `safe.bareRepository`, that tells Git whether
or not to die() when working with a bare repository. This config is an
enum of:
- "all": allow all bare repositories (this is the default)
- "explicit": only allow bare repositories specified via --git-dir
or GIT_DIR.
If we want to protect users from such attacks by default, neither value
will suffice - "all" provides no protection, but "explicit" is
impractical for bare repository users. A more usable default would be to
allow only non-embedded bare repositories ([2] contains one such
proposal), but detecting if a repository is embedded is potentially
non-trivial, so this work is not implemented in this series.
[1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com
[2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com
Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2022-07-15 05:28:01 +08:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
test_description='verify safe.bareRepository checks'
|
|
|
|
|
|
|
|
TEST_PASSES_SANITIZE_LEAK=true
|
|
|
|
. ./test-lib.sh
|
|
|
|
|
|
|
|
pwd="$(pwd)"
|
|
|
|
|
|
|
|
expect_accepted () {
|
|
|
|
git "$@" rev-parse --git-dir
|
|
|
|
}
|
|
|
|
|
|
|
|
expect_rejected () {
|
|
|
|
test_must_fail git "$@" rev-parse --git-dir 2>err &&
|
|
|
|
grep -F "cannot use bare repository" err
|
|
|
|
}
|
|
|
|
|
|
|
|
test_expect_success 'setup bare repo in worktree' '
|
|
|
|
git init outer-repo &&
|
|
|
|
git init --bare outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'safe.bareRepository unset' '
|
|
|
|
expect_accepted -C outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'safe.bareRepository=all' '
|
|
|
|
test_config_global safe.bareRepository all &&
|
|
|
|
expect_accepted -C outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'safe.bareRepository=explicit' '
|
|
|
|
test_config_global safe.bareRepository explicit &&
|
|
|
|
expect_rejected -C outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'safe.bareRepository in the repository' '
|
|
|
|
# safe.bareRepository must not be "explicit", otherwise
|
|
|
|
# git config fails with "fatal: not in a git directory" (like
|
|
|
|
# safe.directory)
|
|
|
|
test_config -C outer-repo/bare-repo safe.bareRepository \
|
|
|
|
all &&
|
|
|
|
test_config_global safe.bareRepository explicit &&
|
|
|
|
expect_rejected -C outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'safe.bareRepository on the command line' '
|
|
|
|
test_config_global safe.bareRepository explicit &&
|
|
|
|
expect_accepted -C outer-repo/bare-repo \
|
|
|
|
-c safe.bareRepository=all
|
|
|
|
'
|
|
|
|
|
2022-10-14 01:43:47 +08:00
|
|
|
test_expect_success 'safe.bareRepository in included file' '
|
|
|
|
cat >gitconfig-include <<-\EOF &&
|
|
|
|
[safe]
|
|
|
|
bareRepository = explicit
|
|
|
|
EOF
|
|
|
|
git config --global --add include.path "$(pwd)/gitconfig-include" &&
|
|
|
|
expect_rejected -C outer-repo/bare-repo
|
|
|
|
'
|
|
|
|
|
setup.c: create `safe.bareRepository`
There is a known social engineering attack that takes advantage of the
fact that a working tree can include an entire bare repository,
including a config file. A user could run a Git command inside the bare
repository thinking that the config file of the 'outer' repository would
be used, but in reality, the bare repository's config file (which is
attacker-controlled) is used, which may result in arbitrary code
execution. See [1] for a fuller description and deeper discussion.
A simple mitigation is to forbid bare repositories unless specified via
`--git-dir` or `GIT_DIR`. In environments that don't use bare
repositories, this would be minimally disruptive.
Create a config variable, `safe.bareRepository`, that tells Git whether
or not to die() when working with a bare repository. This config is an
enum of:
- "all": allow all bare repositories (this is the default)
- "explicit": only allow bare repositories specified via --git-dir
or GIT_DIR.
If we want to protect users from such attacks by default, neither value
will suffice - "all" provides no protection, but "explicit" is
impractical for bare repository users. A more usable default would be to
allow only non-embedded bare repositories ([2] contains one such
proposal), but detecting if a repository is embedded is potentially
non-trivial, so this work is not implemented in this series.
[1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com
[2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com
Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2022-07-15 05:28:01 +08:00
|
|
|
test_done
|