From: Michael McClimon <michael@mcclimon.org>
To: git@vger.kernel.org
Cc: Michael McClimon <michael@mcclimon.org>
Subject: [PATCH v2 2/2] setup: allow Git.pm to do unsafe repo checking
Date: Fri, 21 Oct 2022 21:19:32 -0400 [thread overview]
Message-ID: <20221022011931.43992-3-michael@mcclimon.org> (raw)
In-Reply-To: <20221022011931.43992-1-michael@mcclimon.org>
The previous commit exposes a security flaw: it is possible to bypass
unsafe repository checks by using Git.pm, where before the syntax error
accidentally prohibited it. This problem occurs because Git.pm sets
GIT_DIR explicitly, which bypasses the safe repository checks.
Fix this by introducing a new environment variable,
GIT_PERL_FORCE_OWNERSHIP_CHECK, which we set true in Git.pm. In setup.c,
if that environment variable is true, force ownership checks even if
an explicit GIT_DIR is provided.
Signed-off-by: Michael McClimon <michael@mcclimon.org>
---
perl/Git.pm | 1 +
setup.c | 3 +++
t/t9700-perl-git.sh | 4 ++++
t/t9700/test.pl | 18 ++++++++++++++++++
4 files changed, 26 insertions(+)
diff --git a/perl/Git.pm b/perl/Git.pm
index cf15ead6..002c29bb 100644
--- a/perl/Git.pm
+++ b/perl/Git.pm
@@ -1674,6 +1674,7 @@ sub _cmd_exec {
sub _setup_git_cmd_env {
my $self = shift;
if ($self) {
+ $ENV{GIT_PERL_FORCE_OWNERSHIP_CHECK} = 1;
$self->repo_path() and $ENV{'GIT_DIR'} = $self->repo_path();
$self->repo_path() and $self->wc_path()
and $ENV{'GIT_WORK_TREE'} = $self->wc_path();
diff --git a/setup.c b/setup.c
index cefd5f63..33d4e6fd 100644
--- a/setup.c
+++ b/setup.c
@@ -1250,6 +1250,9 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir,
*/
gitdirenv = getenv(GIT_DIR_ENVIRONMENT);
if (gitdirenv) {
+ if (git_env_bool("GIT_PERL_FORCE_OWNERSHIP_CHECK", 0) &&
+ !ensure_valid_ownership(NULL, NULL, gitdirenv, report))
+ return GIT_DIR_INVALID_OWNERSHIP;
strbuf_addstr(gitdir, gitdirenv);
return GIT_DIR_EXPLICIT;
}
diff --git a/t/t9700-perl-git.sh b/t/t9700-perl-git.sh
index 4aa5d90d..b14a40b1 100755
--- a/t/t9700-perl-git.sh
+++ b/t/t9700-perl-git.sh
@@ -45,6 +45,10 @@ test_expect_success \
git config --add test.pathmulti bar
'
+test_expect_success 'set up bare repository' '
+ git init --bare bare.git
+'
+
test_expect_success 'use t9700/test.pl to test Git.pm' '
"$PERL_PATH" "$TEST_DIRECTORY"/t9700/test.pl 2>stderr &&
test_must_be_empty stderr
diff --git a/t/t9700/test.pl b/t/t9700/test.pl
index e046f7db..1c91019f 100755
--- a/t/t9700/test.pl
+++ b/t/t9700/test.pl
@@ -142,6 +142,24 @@ sub adjust_dirsep {
"abc\"\\ \x07\x08\x09\x0a\x0b\x0c\x0d\x01 ",
'unquote escape sequences');
+# safe directory
+{
+ local $ENV{GIT_TEST_ASSUME_DIFFERENT_OWNER} = 1;
+ # Save stderr to a tempfile so we can check the contents
+ open our $tmpstderr2, ">&STDERR" or die "cannot save STDERR";
+ my $tmperr = "unsafeerr.tmp";
+ open STDERR, ">", "$tmperr" or die "cannot redirect STDERR to $tmperr";
+ my $failed = eval { Git->repository(Directory => "$abs_repo_dir/bare.git") };
+ ok(!$failed, "reject unsafe repository");
+ like($@, qr/not a git repository/i, "unsafe error message");
+ open TEMPFILE, "<", "$tmperr" or die "Can't open $tmperr $!";
+ my $errcontents;
+ { local $/; $errcontents = <TEMPFILE>; }
+ like($errcontents, qr/dubious ownership/, "dubious ownership message");
+ close STDERR or die "cannot close temp stderr";
+ open STDERR, ">&", $tmpstderr2 or die "cannot restore STDERR";
+}
+
printf "1..%d\n", Test::More->builder->current_test;
my $is_passing = eval { Test::More->is_passing };
--
2.38.1.130.g45c9f05c
next prev parent reply other threads:[~2022-10-22 1:20 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-16 21:22 [PATCH 0/1] Git.pm: add semicolon after catch statement Michael McClimon
2022-10-16 21:22 ` [PATCH 1/1] " Michael McClimon
2022-10-16 23:18 ` Jeff King
2022-10-17 2:17 ` Michael McClimon
2022-10-17 17:34 ` Jeff King
2022-10-18 1:39 ` Michael McClimon
2022-11-10 15:10 ` Johannes Schindelin
2022-11-10 21:41 ` Jeff King
2022-10-22 1:19 ` [PATCH v2 0/2] Fix behavior of Git.pm in unsafe bare repositories Michael McClimon
2022-10-22 1:19 ` [PATCH v2 1/2] Git.pm: add semicolon after catch statement Michael McClimon
2022-10-22 1:19 ` Michael McClimon [this message]
2022-10-22 5:29 ` [PATCH v2 2/2] setup: allow Git.pm to do unsafe repo checking Junio C Hamano
2022-10-22 21:18 ` Jeff King
2022-10-22 23:17 ` Junio C Hamano
2022-10-22 19:45 ` Ævar Arnfjörð Bjarmason
2022-10-22 20:55 ` Jeff King
2022-10-24 10:57 ` Ævar Arnfjörð Bjarmason
2022-10-24 23:38 ` Jeff King
2022-10-22 21:16 ` Jeff King
2022-10-22 22:08 ` Jeff King
2022-10-22 23:19 ` Michael McClimon
2022-10-24 23:33 ` Jeff King
2022-10-22 23:14 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221022011931.43992-3-michael@mcclimon.org \
--to=michael@mcclimon.org \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).