autoenable security for compute special remote

Added annex.security.autoenable-compute-programs and only allow autoenabling special remotes that use compute programs on that list. The reason this is needed is a user might have some compute programs that are less safe to use than others. They might want to use an unsafe one only with one repository, where they are the only committer or other committers are trusted. They might be ok with others being used by any repository, and if so they can add them to the list. Another reason would be a user who has installed a compute program by accident. Eg, it might be included with git-annex at some point, or pulled in by some dependency. That user doesn't necessarily want that compute program to be used in an autoenabled special remote.
2025-03-03 15:47:09 -04:00 · 2025-03-03 15:47:09 -04:00 · f32d2aecce
commit f32d2aecce
parent 89bfeada87
6 changed files with 36 additions and 7 deletions
--- a/Remote/Compute.hs
+++ b/Remote/Compute.hs
@ -23,6 +23,7 @@ module Remote.Compute (
 ) where

 import Annex.Common
+import qualified Annex
 import Types.Remote
 import Types.ProposedAccepted
 import Types.MetaData
@ -118,8 +119,23 @@ gen r u rc gc rs = case getComputeProgram' rc of
 		}

 setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
-setupInstance _ mu _ c _ = do
+setupInstance ss mu _ c _ = do
 	ComputeProgram program <- either giveup return $ getComputeProgram' c
+	case ss of
+		AutoEnable _ -> do
+			l <- maybe [] words 
+				. annexAutoEnableComputePrograms
+				<$> Annex.getGitConfig
+			unless (program `elem` l) $ do
+				let remotename = fromMaybe "(unknown)" (lookupName c)
+				giveup $ unwords
+					[ "Not auto-enabling compute special remote"
+					, remotename
+					, "because its compute program"
+					, program
+					, " is not listed in annex.security.autoenable-compute-programs"
+					]
+		_ -> noop
 	unlessM (liftIO $ inSearchPath program) $
 		giveup $ "Cannot find " ++ program ++ " in PATH"
 	u <- maybe (liftIO genUUID) return mu
--- a/2
+++ b/2
@ -3,8 +3,6 @@
 * get input files for a computation (so `git-annex get .` gets every file,
  even when input files in a directory are processed after computed files)

-* autoinit security
-
 * addcomputed should honor annex.addunlocked.

 * Perhaps recompute should write a new version of a file as an unlocked
--- a/Types/GitConfig.hs
+++ b/Types/GitConfig.hs
@ -146,6 +146,7 @@ data GitConfig = GitConfig
 	, annexAllowedUrlSchemes :: S.Set Scheme
 	, annexAllowedIPAddresses :: String
 	, annexAllowUnverifiedDownloads :: Bool
+	, annexAutoEnableComputePrograms :: Maybe String
 	, annexMaxExtensionLength :: Maybe Int
 	, annexMaxExtensions :: Maybe Int
 	, annexJobs :: Concurrency
@ -261,6 +262,8 @@ extractGitConfig configsource r = GitConfig
 		getmaybe (annexConfig "security.allowed-http-addresses") -- old name
 	, annexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $
 		getmaybe (annexConfig "security.allow-unverified-downloads")
+	, annexAutoEnableComputePrograms =
+		getmaybe (annexConfig "security.autoenable-compute-programs")
 	, annexMaxExtensionLength = getmayberead (annexConfig "maxextensionlength")
 	, annexMaxExtensions = getmayberead (annexConfig "maxextensions")
 	, annexJobs = fromMaybe NonConcurrent $ 
--- a/doc/design/compute_special_remote_interface.mdwn
+++ b/doc/design/compute_special_remote_interface.mdwn
@ -26,13 +26,12 @@ For security, the program should avoid exposing user input to the shell
 unprotected, or otherwise executing it.

 The program is run in a temporary directory, which will be cleaned up after
-it exits. Note that it may be run in a subdirectory of its temporary
+it exits. Note that it may be run in a subdirectory of a temporary
 directory. This is done when `git-annex addcomputed` was run in a subdirectory
 of the git repository.

-The content of any annexed file in the repository can be an input
-to the computation. The program requests an input by writing a line to
-stdout:
+The content of any file in the repository can be an input to the
+computation. The program requests an input by writing a line to stdout:

    INPUT file.raw

--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@ -2201,6 +2201,13 @@ Remotes are configured using these settings in `.git/config`.

  Per-remote configuration of annex.security.allow-unverified-downloads.

+* `annex.security.autoenable-compute-programs`
+
+  This is a space separated list of compute programs eg
+  "git-annex-compute-foo git-annex-compute-bar". Listing a compute
+  program here allows compute special remotes that use that program to be
+  autoenabled.
+
 # CONFIGURATION OF ASSISTANT

 * `annex.delayadd`
--- a/doc/special_remotes/compute.mdwn
+++ b/doc/special_remotes/compute.mdwn
@ -15,6 +15,12 @@ program to use to compute the contents of annexed files. It must start with
 "git-annex-compute-". The program needs to be installed somewhere in the
 `PATH`.

+The `autoenable` parameter can be set to "true" like with other special
+remotes to make git-annex automatically enable this special remote when
+run in a new clone of the repository. However, for security, autoenabling
+is only done when the git config `annex.security.autoenable-compute-programs`
+includes the name of the compute program.
+
 All other "field=value" parameters passed to `initremote` will be passed
 to the program when running [[git-annex-addcomputed]]. Note that when the
 program takes a dashed option, it can be provided after "--":