diff options
| author | Kyle Lippincott <spectral@google.com> | 2024-01-20 01:08:22 +0100 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2024-01-20 23:11:49 +0100 |
| commit | 45bb91624804d3e3a70cfc1ba0eae5577f81fc38 (patch) | |
| tree | 318b9e0ddad9816c8548b55fc049b22fe5e9b6eb /setup.c | |
| parent | Git 2.43 (diff) | |
| download | git-45bb91624804d3e3a70cfc1ba0eae5577f81fc38.tar.xz git-45bb91624804d3e3a70cfc1ba0eae5577f81fc38.zip | |
setup: allow cwd=.git w/ bareRepository=explicit
The safe.bareRepository setting can be set to 'explicit' to disallow
implicit uses of bare repositories, preventing an attack [1] where an
artificial and malicious bare repository is embedded in another git
repository. Unfortunately, some tooling uses myrepo/.git/ as the cwd
when executing commands, and this is blocked when
safe.bareRepository=explicit. Blocking is unnecessary, as git already
prevents nested .git directories.
Teach git to not reject uses of git inside of the .git directory: check
if cwd is .git (or a subdirectory of it) and allow it even if
safe.bareRepository=explicit.
[1] https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md
Signed-off-by: Kyle Lippincott <spectral@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'setup.c')
| -rw-r--r-- | setup.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -1359,7 +1359,8 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, if (is_git_directory(dir->buf)) { trace2_data_string("setup", NULL, "implicit-bare-repository", dir->buf); - if (get_allowed_bare_repo() == ALLOWED_BARE_REPO_EXPLICIT) + if (get_allowed_bare_repo() == ALLOWED_BARE_REPO_EXPLICIT && + !ends_with_path_components(dir->buf, ".git")) return GIT_DIR_DISALLOWED_BARE; if (!ensure_valid_ownership(NULL, NULL, dir->buf, report)) return GIT_DIR_INVALID_OWNERSHIP; |