git-commit-vandalism/t/t0035-safe-bare-repository.sh

#!/bin/sh

test_description='verify safe.bareRepository checks'

TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh

pwd="$(pwd)"

expect_accepted () {
	git "$@" rev-parse --git-dir
}

expect_rejected () {
	test_must_fail git "$@" rev-parse --git-dir 2>err &&
	grep -F "cannot use bare repository" err
}

test_expect_success 'setup bare repo in worktree' '
	git init outer-repo &&
	git init --bare outer-repo/bare-repo
'

test_expect_success 'safe.bareRepository unset' '
	expect_accepted -C outer-repo/bare-repo
'

test_expect_success 'safe.bareRepository=all' '
	test_config_global safe.bareRepository all &&
	expect_accepted -C outer-repo/bare-repo
'

test_expect_success 'safe.bareRepository=explicit' '
	test_config_global safe.bareRepository explicit &&
	expect_rejected -C outer-repo/bare-repo
'

test_expect_success 'safe.bareRepository in the repository' '
	# safe.bareRepository must not be "explicit", otherwise
	# git config fails with "fatal: not in a git directory" (like
	# safe.directory)
	test_config -C outer-repo/bare-repo safe.bareRepository \
		all &&
	test_config_global safe.bareRepository explicit &&
	expect_rejected -C outer-repo/bare-repo
'

test_expect_success 'safe.bareRepository on the command line' '
	test_config_global safe.bareRepository explicit &&
	expect_accepted -C outer-repo/bare-repo \
		-c safe.bareRepository=all
'

test_expect_success 'safe.bareRepository in included file' '
	cat >gitconfig-include <<-\EOF &&
	[safe]
		bareRepository = explicit
	EOF
	git config --global --add include.path "$(pwd)/gitconfig-include" &&
	expect_rejected -C outer-repo/bare-repo
'

test_done
setup.c: create `safe.bareRepository` There is a known social engineering attack that takes advantage of the fact that a working tree can include an entire bare repository, including a config file. A user could run a Git command inside the bare repository thinking that the config file of the 'outer' repository would be used, but in reality, the bare repository's config file (which is attacker-controlled) is used, which may result in arbitrary code execution. See [1] for a fuller description and deeper discussion. A simple mitigation is to forbid bare repositories unless specified via `--git-dir` or `GIT_DIR`. In environments that don't use bare repositories, this would be minimally disruptive. Create a config variable, `safe.bareRepository`, that tells Git whether or not to die() when working with a bare repository. This config is an enum of: - "all": allow all bare repositories (this is the default) - "explicit": only allow bare repositories specified via --git-dir or GIT_DIR. If we want to protect users from such attacks by default, neither value will suffice - "all" provides no protection, but "explicit" is impractical for bare repository users. A more usable default would be to allow only non-embedded bare repositories ([2] contains one such proposal), but detecting if a repository is embedded is potentially non-trivial, so this work is not implemented in this series. [1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com [2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14 23:28:01 +02:00			`#!/bin/sh`

			`test_description='verify safe.bareRepository checks'`

			`TEST_PASSES_SANITIZE_LEAK=true`
			`. ./test-lib.sh`

			`pwd="$(pwd)"`

			`expect_accepted () {`
			`git "$@" rev-parse --git-dir`
			`}`

			`expect_rejected () {`
			`test_must_fail git "$@" rev-parse --git-dir 2>err &&`
			`grep -F "cannot use bare repository" err`
			`}`

			`test_expect_success 'setup bare repo in worktree' '`
			`git init outer-repo &&`
			`git init --bare outer-repo/bare-repo`
			`'`

			`test_expect_success 'safe.bareRepository unset' '`
			`expect_accepted -C outer-repo/bare-repo`
			`'`

			`test_expect_success 'safe.bareRepository=all' '`
			`test_config_global safe.bareRepository all &&`
			`expect_accepted -C outer-repo/bare-repo`
			`'`

			`test_expect_success 'safe.bareRepository=explicit' '`
			`test_config_global safe.bareRepository explicit &&`
			`expect_rejected -C outer-repo/bare-repo`
			`'`

			`test_expect_success 'safe.bareRepository in the repository' '`
			`# safe.bareRepository must not be "explicit", otherwise`
			`# git config fails with "fatal: not in a git directory" (like`
			`# safe.directory)`
			`test_config -C outer-repo/bare-repo safe.bareRepository \`
			`all &&`
			`test_config_global safe.bareRepository explicit &&`
			`expect_rejected -C outer-repo/bare-repo`
			`'`

			`test_expect_success 'safe.bareRepository on the command line' '`
			`test_config_global safe.bareRepository explicit &&`
			`expect_accepted -C outer-repo/bare-repo \`
			`-c safe.bareRepository=all`
			`'`

config: respect includes in protected config Protected config is implemented by reading a fixed set of paths, which ignores config [include]-s. Replace this implementation with a call to config_with_options(), which handles [include]-s and saves us from duplicating the logic of 1) identifying which paths to read and 2) reading command line config. As a result, git_configset_add_parameters() is unused, so remove it. It was introduced alongside protected config in 5b3c650777 (config: learn `git_protected_config()`, 2022-07-14) as a way to handle command line config. Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-10-13 19:43:47 +02:00			`test_expect_success 'safe.bareRepository in included file' '`
			`cat >gitconfig-include <<-\EOF &&`
			`[safe]`
			`bareRepository = explicit`
			`EOF`
			`git config --global --add include.path "$(pwd)/gitconfig-include" &&`
			`expect_rejected -C outer-repo/bare-repo`
			`'`

setup.c: create `safe.bareRepository` There is a known social engineering attack that takes advantage of the fact that a working tree can include an entire bare repository, including a config file. A user could run a Git command inside the bare repository thinking that the config file of the 'outer' repository would be used, but in reality, the bare repository's config file (which is attacker-controlled) is used, which may result in arbitrary code execution. See [1] for a fuller description and deeper discussion. A simple mitigation is to forbid bare repositories unless specified via `--git-dir` or `GIT_DIR`. In environments that don't use bare repositories, this would be minimally disruptive. Create a config variable, `safe.bareRepository`, that tells Git whether or not to die() when working with a bare repository. This config is an enum of: - "all": allow all bare repositories (this is the default) - "explicit": only allow bare repositories specified via --git-dir or GIT_DIR. If we want to protect users from such attacks by default, neither value will suffice - "all" provides no protection, but "explicit" is impractical for bare repository users. A more usable default would be to allow only non-embedded bare repositories ([2] contains one such proposal), but detecting if a repository is embedded is potentially non-trivial, so this work is not implemented in this series. [1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com [2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-07-14 23:28:01 +02:00			`test_done`