handle computations in subdirs of the git repository

Eg, a computation might be run in "foo/" and refer to "../bar" as an
input or output.

So, the subdir is part of the computation state.

Also, prevent input or output of files that are outside the git
repository. Of course, the program can access any file on disk if it
wants to; this is just a guard against mistakes. And it may also be
useful if the program communicates with something less trusted than it,
eg a container image, so input/output files communicated by that are not
the source of security problems.
This commit is contained in:
Joey Hess 2025-02-25 15:08:38 -04:00
parent ce05a92ee7
commit 2e1fe1620e
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
4 changed files with 81 additions and 39 deletions


@ -26,7 +26,9 @@ For security, the program should avoid exposing user input to the shell
unprotected, or otherwise executing it.
The program is run in a temporary directory, which will be cleaned up after
it exits.
it exits. Note that it may be run in a subdirectory of its temporary
directory. Eg, when `git-annex addcomputed` is run in a `foo/bar/`
subdirectory of the git repository.
The content of any annexed file in the repository can be an input
to the computation. The program requests an input by writing a line to
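Review bot: the added sentence about running in a subdirectory of the temporary directory leaves the most important consequence undocumented: how the INPUT and OUTPUT paths the program writes are interpreted in that case, and that paths resolving outside the git repository are now rejected (the commit message describes both: a computation run in "foo/" may refer to "../bar", and input/output of files outside the repository is prevented). Suggest extending the note with something like "Input and output paths are relative to that subdirectory; paths that resolve to files outside the git repository are rejected", so that programs, and in particular less trusted ones such as a container image communicating paths back, can be written against the documented contract rather than discovered behaviour.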
@ -93,10 +95,10 @@ An example `git-annex-compute-foo` shell script follows:
echo "Usage: convert input output [passes=n]" >&2
exit 1
fi
if [ -z "$ANNEX_COMPUTE_passes" ];
if [ -z "$ANNEX_COMPUTE_passes" ]; then
ANNEX_COMPUTE_passes=1
fi
echo "INPUT "$2"
echo "INPUT $2"
read input
echo "OUTPUT $3"
echo REPRODUCIBLE
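Review bot: the two fixes to the example script (the missing `then` after `if [ -z "$ANNEX_COMPUTE_passes" ];` and the mismatched quotes in `echo "INPUT "$2"`) are correct, but the unchanged `read input` line just below still reads the path git-annex sends back without `-r`, so a path containing backslashes would be mangled before the script uses it. Since this script is the reference example others will copy, suggest `read -r input` here (and wherever `read` is used for OUTPUT replies) so the path round-trips exactly as received.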