exclude: do not respect symlinks for in-tree .gitignore

As with .gitattributes, we would like to make sure that .gitignore files
are handled consistently whether read from the index or from the
filesystem. Likewise, we would like to avoid reading out-of-tree files
pointed to by the symlinks, which could have security implications in
certain setups.

We can cover both by using open_nofollow() when opening the in-tree
files. We'll continue to follow links for core.excludesFile, as well as
$GIT_DIR/info/exclude.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Jeff King 2021-02-16 09:44:34 -05:00 committed by Junio C Hamano
parent 2ef579e261
commit feb9b7792f
2 changed files with 44 additions and 2 deletions

10
dir.c
View File

@ -1035,6 +1035,9 @@ static int add_patterns_from_buffer(char *buf, size_t size,
const char *base, int baselen, const char *base, int baselen,
struct pattern_list *pl); struct pattern_list *pl);
/* Flags for add_patterns() */
#define PATTERN_NOFOLLOW (1<<0)
/* /*
* Given a file with name "fname", read it (either from disk, or from * Given a file with name "fname", read it (either from disk, or from
* an index if 'istate' is non-null), parse it and store the * an index if 'istate' is non-null), parse it and store the
@ -1054,7 +1057,11 @@ static int add_patterns(const char *fname, const char *base, int baselen,
size_t size = 0; size_t size = 0;
char *buf; char *buf;
if (flags & PATTERN_NOFOLLOW)
fd = open_nofollow(fname, O_RDONLY);
else
fd = open(fname, O_RDONLY); fd = open(fname, O_RDONLY);
if (fd < 0 || fstat(fd, &st) < 0) { if (fd < 0 || fstat(fd, &st) < 0) {
if (fd < 0) if (fd < 0)
warn_on_fopen_errors(fname); warn_on_fopen_errors(fname);
@ -1558,7 +1565,8 @@ static void prep_exclude(struct dir_struct *dir,
strbuf_addbuf(&sb, &dir->basebuf); strbuf_addbuf(&sb, &dir->basebuf);
strbuf_addstr(&sb, dir->exclude_per_dir); strbuf_addstr(&sb, dir->exclude_per_dir);
pl->src = strbuf_detach(&sb, NULL); pl->src = strbuf_detach(&sb, NULL);
add_patterns(pl->src, pl->src, stk->baselen, pl, istate, 0, add_patterns(pl->src, pl->src, stk->baselen, pl, istate,
PATTERN_NOFOLLOW,
untracked ? &oid_stat : NULL); untracked ? &oid_stat : NULL);
} }
/* /*

View File

@ -865,4 +865,38 @@ test_expect_success 'info/exclude trumps core.excludesfile' '
test_cmp expect actual test_cmp expect actual
' '
test_expect_success SYMLINKS 'set up ignore file for symlink tests' '
echo "*" >ignore &&
rm -f .gitignore .git/info/exclude
'
test_expect_success SYMLINKS 'symlinks respected in core.excludesFile' '
test_when_finished "rm symlink" &&
ln -s ignore symlink &&
test_config core.excludesFile "$(pwd)/symlink" &&
echo file >expect &&
git check-ignore file >actual 2>err &&
test_cmp expect actual &&
test_must_be_empty err
'
test_expect_success SYMLINKS 'symlinks respected in info/exclude' '
test_when_finished "rm .git/info/exclude" &&
ln -s ../../ignore .git/info/exclude &&
echo file >expect &&
git check-ignore file >actual 2>err &&
test_cmp expect actual &&
test_must_be_empty err
'
test_expect_success SYMLINKS 'symlinks not respected in-tree' '
test_when_finished "rm .gitignore" &&
ln -s ignore .gitignore &&
mkdir subdir &&
ln -s ignore subdir/.gitignore &&
test_must_fail git check-ignore subdir/file >actual 2>err &&
test_must_be_empty actual &&
test_i18ngrep "unable to access.*gitignore" err
'
test_done test_done