skip checkRepoConfigInaccessible when git directory specified explicitly

Fix a reversion that prevented git-annex from working in a repository when --git-dir or GIT_DIR is specified to relocate the git directory to somewhere else. (Introduced in version 10.20220525) checkRepoConfigInaccessible could still run git config --list, just passing --git-dir. It seems not necessary, because I know that passing --git-dir bypasses git's check for repo ownership. I suppose it might be that git eventually changes to check something about the ownership of the working tree, so passing --git-dir without --work-tree would still be worth doing. But for now this is the simple fix. Sponsored-by: Nicholas Golder-Manning on Patreon
2022-09-20 14:52:43 -04:00 · 2022-09-20 14:52:43 -04:00 · 8d26fdd670
commit 8d26fdd670
parent d1467a9b8e
6 changed files with 61 additions and 17 deletions
--- a/4
+++ b/4
@ -23,6 +23,10 @@ git-annex (10.20220823) UNRELEASED; urgency=medium
    that it had changed, due to only accepting the inode+mtime of one file
    (that was since modified or deleted) and not accepting the inode+mtime
    of other duplicate files.
+  * Fix a reversion that prevented git-annex from working in a
+    repository when --git-dir or GIT_DIR is specified to relocate the git
+    directory to somewhere else.
+    (Introduced in version 10.20220525)

 -- Joey Hess <id@joeyh.name>  Mon, 29 Aug 2022 15:03:04 -0400

--- a/Git/Config.hs
+++ b/Git/Config.hs
@ -282,16 +282,20 @@ unset ck@(ConfigKey k) r = ifM (Git.Command.runBool ps r)
 - repo.
 -}
 checkRepoConfigInaccessible :: Repo -> IO Bool
-checkRepoConfigInaccessible r = do
-	-- Cannot use gitCommandLine here because specifying --git-dir
-	-- will bypass the git security check.
-	let p = (proc "git" ["config", "--local", "--list"])
-		{ cwd = Just (fromRawFilePath (repoPath r))
-		, env = gitEnv r
-		}
-	(out, ok) <- processTranscript' p Nothing
-	if not ok
-		then do
-			debug (DebugSource "Git.Config") ("config output: " ++ out)
-			return True
-		else return False
+checkRepoConfigInaccessible r
+	-- When --git-dir or GIT_DIR is used to specify the git
+	-- directory, git does not check for CVE-2022-24765.
+	| gitDirSpecifiedExplicitly r = return False
+	| otherwise = do
+		-- Cannot use gitCommandLine here because specifying --git-dir
+		-- will bypass the git security check.
+		let p = (proc "git" ["config", "--local", "--list"])
+			{ cwd = Just (fromRawFilePath (repoPath r))
+			, env = gitEnv r
+			}
+		(out, ok) <- processTranscript' p Nothing
+		if not ok
+			then do
+				debug (DebugSource "Git.Config") ("config output: " ++ out)
+				return True
+			else return False
--- a/Git/Construct.hs
+++ b/Git/Construct.hs
@ -277,5 +277,6 @@ newFrom l = Repo
 	, gitEnv = Nothing
 	, gitEnvOverridesGitDir = False
 	, gitGlobalOpts = []
+	, gitDirSpecifiedExplicitly = False
 	}

--- a/Git/CurrentRepo.hs
+++ b/Git/CurrentRepo.hs
@ -1,6 +1,6 @@
 {- The current git repository.
 -
- - Copyright 2012-2020 Joey Hess <id@joeyh.name>
+ - Copyright 2012-2022 Joey Hess <id@joeyh.name>
 -
 - Licensed under the GNU AGPL version 3 or higher.
 -}
@ -80,9 +80,10 @@ get = do
 			, worktree = Just curr
 			}
 		r <- Git.Config.read $ newFrom loc
-		return $ if Git.Config.isBare r
-			then r { location = (location r) { worktree = Nothing } }
-			else r
+		let r' = r { gitDirSpecifiedExplicitly = True }
+		return $ if Git.Config.isBare r'
+			then r' { location = (location r) { worktree = Nothing } }
+			else r'
 	configure Nothing Nothing = giveup "Not in a git repository."

 	addworktree w r = changelocation r $ Local
--- a/Git/Types.hs
+++ b/Git/Types.hs
@ -51,6 +51,8 @@ data Repo = Repo
 	, gitEnvOverridesGitDir :: Bool
 	-- global options to pass to git when running git commands
 	, gitGlobalOpts :: [CommandParam]
+	-- True only when --git-dir or GIT_DIR was used
+	, gitDirSpecifiedExplicitly :: Bool
 	} deriving (Show, Eq, Ord)

 newtype ConfigKey = ConfigKey S.ByteString
--- a/doc/bugs/When_--git-dir_is_not_in_--work-tree.mdwn
+++ b/doc/bugs/When_--git-dir_is_not_in_--work-tree.mdwn
@ -18,3 +18,35 @@ Simple test case:

        failed

+And --debug shows:
+
+	[2022-09-20 14:17:56.238686901] (Utility.Process) process [1284622] read: git ["config","--local","--list"]
+	[2022-09-20 14:17:56.240836887] (Utility.Process) process [1284622] done ExitFailure 128
+	[2022-09-20 14:17:56.24107763] (Git.Config) config output: fatal: --local can only be used inside a git repository
+
+So passing --git-dir to that command will make it succeeed. The problem
+though is that passing --git-dir to that command also bypasses git's
+fix for CVE-2022-24765. The command would even succeed if the directory
+were owned by someone else then.
+
+	joey@darkstar:/tmp/foo>sudo chown -R root.root .
+	[sudo] password for joey:
+	joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles config --local --list
+	core.repositoryformatversion=0
+	core.filemode=true
+	core.bare=false
+	core.logallrefupdates=true
+	core.worktree=/tmp/foo
+	joey@darkstar:/tmp/foo>git config --local --list
+	fatal: --local can only be used inside a git repository
+
+But, if the user runs git-annex with an explicit --git-dir,
+it's actually ok for git-annex to bypass the CVE-2022-24765 check.
+Because --git-dir actually bypasses that check.
+
+So, the fix for this seems like it will involve it remembering
+when the git repo was originally specified using --git-dir (or `GIT_DIR`),
+and if so, guardSafeToUseRepo can skip the check, or pass --git-dir to
+`git config --local --list`.
+
+> [[fixed|done]] --[[Joey]]