git/t/t0411-clone-from-partial.sh
brian m. carlson 0ffb5a6bf1 Allow cloning from repositories owned by another user
Historically, Git has allowed users to clone from an untrusted
repository, and we have documented that it is safe to do so:

    `upload-pack` tries to avoid any dangerous configuration options or
    hooks from the repository it's serving, making it safe to clone an
    untrusted directory and run commands on the resulting clone.

However, this was broken by f4aa8c8bb1 ("fetch/clone: detect dubious
ownership of local repositories", 2024-04-10) in an attempt to make
things more secure.  That change resulted in a variety of problems when
cloning locally and over SSH, but it did not change the stated security
boundary.  Because the security boundary has not changed, it is safe to
adjust part of the code that patch introduced.

To do that and restore the previous functionality, adjust enter_repo to
take two flags instead of one.

The two bits are

 - ENTER_REPO_STRICT: callers that require exact paths (as opposed
   to allowing known suffixes like ".git", ".git/.git" to be
   omitted) can set this bit.  Corresponds to the "strict" parameter
   that the flags word replaces.

 - ENTER_REPO_ANY_OWNER_OK: callers that are willing to run without
   ownership check can set this bit.

The former is the --strict-paths option of "git daemon".  The latter is
set only by upload-pack, which honors the claimed security boundary.

Note that local clones across ownership boundaries require --no-local so
that upload-pack is used.  Document this fact in the manual page and
provide an example.

This patch was based on one written by Junio C Hamano.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-11-15 11:05:06 +09:00

76 lines
2.4 KiB
Bash
Executable File

#!/bin/sh

test_description='check that local clone does not fetch from promisor remotes'

. ./test-lib.sh

# Build a partial clone ("evil") whose original promisor remote is gone, so
# that any lazy fetch of its missing blobs has to run the command named in
# remote.origin.uploadpack.  That command is a marker script: if it runs,
# the repository being served has executed code of its own choosing.
test_expect_success 'create evil repo' '
	git init tmp &&
	test_commit -C tmp a &&
	git -C tmp config uploadpack.allowfilter 1 &&
	git clone --filter=blob:none --no-local --no-checkout tmp evil &&
	rm -rf tmp &&
	git -C evil config remote.origin.uploadpack \"\$TRASH_DIRECTORY/fake-upload-pack\" &&
	write_script fake-upload-pack <<-\EOF &&
	echo >&2 "fake-upload-pack running"
	>"$TRASH_DIRECTORY/script-executed"
	exit 1
	EOF
	export TRASH_DIRECTORY &&
	# empty shallow file disables local clone optimization
	>evil/.git/shallow
'

# The next three tests go through upload-pack, which is told via the
# test-only GIT_TEST_ASSUME_DIFFERENT_OWNER knob that the repository belongs
# to another user.  The transfer itself fails (test_must_fail), but the
# marker script must never run.
test_expect_success 'local clone must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git clone \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		evil clone1 2>err &&
	test_grep ! "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

test_expect_success 'clone from file://... must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git clone \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		"file://$(pwd)/evil" clone2 2>err &&
	test_grep ! "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

test_expect_success 'fetch from file://... must not fetch from promisor remote and execute script' '
	rm -f script-executed &&
	test_must_fail git fetch \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		"file://$(pwd)/evil" 2>err &&
	test_grep ! "fake-upload-pack running" err &&
	test_path_is_missing script-executed
'

# Running pack-objects directly inside the untrusted repository is outside
# the boundary upload-pack provides: here the lazy fetch, and with it the
# marker script, do run.
test_expect_success 'pack-objects should fetch from promisor remote and execute script' '
	rm -f script-executed &&
	echo "HEAD" | test_must_fail git -C evil pack-objects --revs --stdout >/dev/null 2>err &&
	test_grep "fake-upload-pack running" err &&
	test_path_is_file script-executed
'

# Without the ownership knob the clone is served normally, but upload-pack
# does not lazy-fetch on its own; GIT_NO_LAZY_FETCH=0 opts back in.
test_expect_success 'clone from promisor remote does not lazy-fetch by default' '
	rm -f script-executed &&
	test_must_fail git clone evil no-lazy 2>err &&
	test_grep "lazy fetching disabled" err &&
	test_path_is_missing script-executed
'

test_expect_success 'promisor lazy-fetching can be re-enabled' '
	rm -f script-executed &&
	test_must_fail env GIT_NO_LAZY_FETCH=0 \
		git clone evil lazy-ok 2>err &&
	test_grep "fake-upload-pack running" err &&
	test_path_is_file script-executed
'

test_done
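The following is an added example, not code from git or from t0411, that serves two purposes: it encodes the rule from the commit message (a local repository owned by another user is cloned with `--no-local`, so that upload-pack serves it rather than the local copy/hard-link path) as a small helper, and it reproduces the marker-script scenario the test above builds, outside the test harness, so that the three outcomes (upload-pack route, pack-objects inside the repository, lazy fetching re-enabled) can be watched by hand. The function names `owned_by_other_user`, `clone_command`, `try`, `marker_state` and `demo`, and the marker file `marker-ran`, are this example's own inventions; `GIT_TEST_ASSUME_DIFFERENT_OWNER` and `GIT_NO_LAZY_FETCH` are the knobs the test itself uses. What step 1 prints depends on the git version: before this commit upload-pack refuses the repository as dubiously owned, with it upload-pack serves the repository and the clone fails only because lazy fetching is disabled there. In both cases the marker must not run.

```shell
#!/bin/sh
# Added example, not part of git or of t0411. It reproduces the t0411
# scenario outside the test harness and encodes the rule from the commit
# message: a local repository owned by someone else is cloned with
# --no-local, so that git-upload-pack (which honours the documented security
# boundary) serves it instead of the local copy/hard-link path.
set -e

# Returns 0 if DIR belongs to another user, 1 if it is ours, 2 if missing.
# Pure POSIX find: -prune stops the descent, -user prints the path only
# when the owner matches the caller's numeric uid.
owned_by_other_user() {
	dir=$1
	[ -d "$dir" ] || return 2
	[ -z "$(find "$dir" -prune -user "$(id -u)")" ]
}

# Print the clone command for SRC -> DST, adding --no-local when the source
# belongs to another user (the local optimisation is refused across owners).
clone_command() {
	src=$1 dst=$2
	if owned_by_other_user "$src"; then
		printf 'git clone --no-local %s %s\n' "$src" "$dst"
	else
		printf 'git clone %s %s\n' "$src" "$dst"
	fi
}

# Run a command, report success or git's last stderr line, never abort.
try() {
	if env "$@" 2>err; then
		echo "   command succeeded"
	else
		echo "   command failed: $(tail -n 1 err)"
	fi
}

# Did the marker script named in remote.origin.uploadpack get executed?
marker_state() {
	if [ -e marker-ran ]; then
		echo "   -> the configured uploadpack command RAN"
	else
		echo "   -> the configured uploadpack command did not run"
	fi
	rm -f marker-ran
}

demo() {
	work=$(mktemp -d)
	cd "$work"
	git --version

	# Same construction as the test: a blob:none partial clone whose origin is
	# deleted, so a lazy fetch of its blobs must run remote.origin.uploadpack.
	git init -q tmp
	echo a >tmp/a
	git -C tmp add a
	git -C tmp -c user.name=demo -c user.email=demo@example.invalid commit -q -m a
	git -C tmp config uploadpack.allowfilter 1
	git clone -q --filter=blob:none --no-local --no-checkout tmp evil
	rm -rf tmp
	printf '#!/bin/sh\n: >"%s/marker-ran"\nexit 1\n' "$work" >fake-upload-pack
	chmod +x fake-upload-pack
	git -C evil config remote.origin.uploadpack "$work/fake-upload-pack"
	: >evil/.git/shallow   # as in the test: disables the local-clone optimisation

	# GIT_TEST_ASSUME_DIFFERENT_OWNER is git's test-suite knob that makes the
	# ownership check treat the repository as foreign; like the test, it is
	# handed only to upload-pack. (A global safe.directory=* would mask this.)
	echo "1. clone --no-local across a (simulated) ownership boundary:"
	try git clone -q --no-local \
		--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
		evil out1
	marker_state

	echo "2. pack-objects run inside the untrusted repository itself:"
	try sh -c 'echo HEAD | git -C evil pack-objects --revs --stdout >/dev/null'
	marker_state

	echo "3. clone with lazy fetching explicitly re-enabled:"
	try GIT_NO_LAZY_FETCH=0 git clone -q evil out3
	marker_state
}

# Only run the reproduction when asked, so the helpers can also be sourced.
if [ "${1:-}" = demo ]; then
	demo
fi
```

Run it as `sh clone-owner-demo.sh demo` (any file name will do) in a scratch location; it needs only git and a POSIX shell. The `owned_by_other_user` check is deliberately done with `find -user` rather than `git`, because the decision whether to add `--no-local` has to be made before git is pointed at a repository one does not control.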