set safe.directory when getting config for git-annex-shell or git remotes
Fix more breakage caused by git's fix for CVE-2022-24765, this time involving a remote (either local or ssh) that is a repository not owned by the current user.

Sponsored-by: Dartmouth College's DANDI project
parent
32cb2bd3fa
commit
cbfd214993
10 changed files with 75 additions and 4 deletions
|
@ -42,3 +42,5 @@ so, ideally `git annex enableremote` should provide a similar diagnostic output
|
|||
[[!tag projects/dandi]]
|
||||
|
||||
```
|
||||
|
||||
> [[fixed|done]] --[[Joey]]
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
[[!comment format=mdwn
|
||||
username="joey"
|
||||
subject="""comment 1"""
|
||||
date="2023-09-07T17:01:41Z"
|
||||
content="""
|
||||
I wonder if it even makes sense for git-annex-shell to replicate this git
|
||||
security check, or would it be better for it to instruct git to trust the
|
||||
repository, so it can be used on it?
|
||||
|
||||
git's CVE-2022-24765 involves a malicious creation of a .git repository
|
||||
above the victim's cwd, with a .git/config that causes things like eg shell
|
||||
prompts that run git to execute attacker-controlled commands.
|
||||
|
||||
git-annex-shell commands all take the directory that the repository is
|
||||
in, and uses that repository. So it doesn't traverse above looking for
|
||||
other .git directories.
|
||||
|
||||
And, `git clone` will happily clone a remote repsository that's owned
|
||||
by another user, including over ssh. And pull and push etc work with such a
|
||||
remote. So git-annex-shell should too.
|
||||
|
||||
(For that matter, other git-annex-shell commands do work, it's only the
|
||||
command that reads the git config that fails to work.)
|
||||
"""]]
|
|
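Review bot: In the paragraph that begins "And, `git clone` will happily clone", "repsository" should be "repository". The comment also proposes that git-annex-shell "instruct git to trust the repository" on the grounds that the directory is passed explicitly and nothing above it is searched, but it does not say how far that trust extends. A sentence stating whether it applies only to the command that reads the git config, and only to the directory named on the command line, would keep later readers from assuming the ownership check is disabled more broadly.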
@ -0,0 +1,13 @@
|
|||
[[!comment format=mdwn
|
||||
username="joey"
|
||||
subject="""comment 2"""
|
||||
date="2023-09-07T18:21:30Z"
|
||||
content="""
|
||||
Closely related, when a local repo is owned by someone else, cloning it and
|
||||
using it as a git-annex remote also fails, at the same config listing
|
||||
stage.
|
||||
|
||||
I think the same reasoning applies to that, the path to the repo is
|
||||
explicitly specified in the remote url, so it should treat it as a safe
|
||||
repo for the purposes of listing its config.
|
||||
"""]]
|
|
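Review bot: "at the same config listing stage" in the first paragraph does not name the operation that fails, which makes this comment hard to find from an error message or to read without comment 1 open. Suggest naming the step that reads the remote's git config, and splitting "I think the same reasoning applies to that, the path to the repo is explicitly specified" into two sentences so the justification (explicit path in the remote url) stands out as the reason for the exception.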
@ -0,0 +1,8 @@
|
|||
[[!comment format=mdwn
|
||||
username="joey"
|
||||
subject="""comment 3"""
|
||||
date="2023-09-07T18:32:57Z"
|
||||
content="""
|
||||
Basically the same fix works for both the ssh remote and the local
|
||||
remote cases.
|
||||
"""]]
|
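Review bot: "Basically the same fix works" never says what the fix is, so this comment only makes sense alongside the commit. Suggest one sentence naming it, in line with the commit subject (safe.directory is set when getting config for git-annex-shell or git remotes), and saying what "basically" leaves out if the ssh and local cases differ in any way.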