autoenable security for compute special remote

Added annex.security.autoenable-compute-programs and only allow
autoenabling special remotes that use compute programs on that list.

The reason this is needed is a user might have some compute programs
that are less safe to use than others. They might want to use an unsafe
one only with one repository, where they are the only committer or other
committers are trusted. They might be ok with others being used by any
repository, and if so they can add them to the list.

Another reason would be a user who has installed a compute program by
accident. Eg, it might be included with git-annex at some point, or
pulled in by some dependency. That user doesn't necessarily want that
compute program to be used in an autoenabled special remote.
Joey Hess 2025-03-03 15:47:09 -04:00
parent 89bfeada87
commit f32d2aecce
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
6 changed files with 36 additions and 7 deletions

View file

@ -23,6 +23,7 @@ module Remote.Compute (
) where
import Annex.Common
import qualified Annex
import Types.Remote
import Types.ProposedAccepted
import Types.MetaData
@ -118,8 +119,23 @@ gen r u rc gc rs = case getComputeProgram' rc of
}
setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
setupInstance _ mu _ c _ = do
setupInstance ss mu _ c _ = do
ComputeProgram program <- either giveup return $ getComputeProgram' c
case ss of
AutoEnable _ -> do
l <- maybe [] words
. annexAutoEnableComputePrograms
<$> Annex.getGitConfig
unless (program `elem` l) $ do
let remotename = fromMaybe "(unknown)" (lookupName c)
giveup $ unwords
[ "Not auto-enabling compute special remote"
, remotename
, "because its compute program"
, program
, " is not listed in annex.security.autoenable-compute-programs"
]
_ -> noop
unlessM (liftIO $ inSearchPath program) $
giveup $ "Cannot find " ++ program ++ " in PATH"
u <- maybe (liftIO genUUID) return mu
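Review bot: the message element `" is not listed in annex.security.autoenable-compute-programs"` starts with a space, and `unwords` already separates the elements with one space, so the error reads "program  is not listed" with a doubled space; drop the leading space in that string. Otherwise the ordering here is what a reviewer wants to see: the allowlist is consulted in the `AutoEnable` stage before the `inSearchPath` lookup and before any UUID is generated, and `maybe [] words` makes an unset `annex.security.autoenable-compute-programs` deny every compute program by default, so a clone with no local configuration never autoenables a compute remote. Note for the docs that the comparison is on the bare program name via `elem`, and the program is then resolved through `PATH`, so listing a name trusts whichever binary of that name is found first in `PATH`.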

View file

@ -3,8 +3,6 @@
* get input files for a computation (so `git-annex get .` gets every file,
even when input files in a directory are processed after computed files)
* autoinit security
* addcomputed should honor annex.addunlocked.
* Perhaps recompute should write a new version of a file as an unlocked

View file

@ -146,6 +146,7 @@ data GitConfig = GitConfig
, annexAllowedUrlSchemes :: S.Set Scheme
, annexAllowedIPAddresses :: String
, annexAllowUnverifiedDownloads :: Bool
, annexAutoEnableComputePrograms :: Maybe String
, annexMaxExtensionLength :: Maybe Int
, annexMaxExtensions :: Maybe Int
, annexJobs :: Concurrency
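Review bot: the new field `annexAutoEnableComputePrograms :: Maybe String` keeps the raw config string and leaves the `words` split to the call site; parsing it into a `[String]` (or `S.Set String`, as `annexAllowedUrlSchemes` does just above) in `extractGitConfig` would keep the tokenisation in one place and let every future consumer see the same list without repeating the `maybe [] words` idiom.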
@ -261,6 +262,8 @@ extractGitConfig configsource r = GitConfig
getmaybe (annexConfig "security.allowed-http-addresses") -- old name
, annexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $
getmaybe (annexConfig "security.allow-unverified-downloads")
, annexAutoEnableComputePrograms =
getmaybe (annexConfig "security.autoenable-compute-programs")
, annexMaxExtensionLength = getmayberead (annexConfig "maxextensionlength")
, annexMaxExtensions = getmayberead (annexConfig "maxextensions")
, annexJobs = fromMaybe NonConcurrent $

View file

@ -26,13 +26,12 @@ For security, the program should avoid exposing user input to the shell
unprotected, or otherwise executing it.
The program is run in a temporary directory, which will be cleaned up after
it exits. Note that it may be run in a subdirectory of its temporary
it exits. Note that it may be run in a subdirectory of a temporary
directory. This is done when `git-annex addcomputed` was run in a subdirectory
of the git repository.
The content of any annexed file in the repository can be an input
to the computation. The program requests an input by writing a line to
stdout:
The content of any file in the repository can be an input to the
computation. The program requests an input by writing a line to stdout:
INPUT file.raw

View file

@ -2201,6 +2201,13 @@ Remotes are configured using these settings in `.git/config`.
Per-remote configuration of annex.security.allow-unverified-downloads.
* `annex.security.autoenable-compute-programs`
This is a space separated list of compute programs eg
"git-annex-compute-foo git-annex-compute-bar". Listing a compute
program here allows compute special remotes that use that program to be
autoenabled.
# CONFIGURATION OF ASSISTANT
* `annex.delayadd`
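Review bot: the new entry for `annex.security.autoenable-compute-programs` should state the default, since the implementation treats an unset value as an empty list and so no compute special remote is autoenabled until the user lists its program here; a sentence such as "When unset, no compute special remote is autoenabled." makes the opt-in nature explicit. It would also help to say that entries are matched against the program name exactly (not a path or pattern) and that the program is then located in `PATH`, so the list expresses trust in a program name rather than in a particular installed binary.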

View file

@ -15,6 +15,12 @@ program to use to compute the contents of annexed files. It must start with
"git-annex-compute-". The program needs to be installed somewhere in the
`PATH`.
The `autoenable` parameter can be set to "true" like with other special
remotes to make git-annex automatically enable this special remote when
run in a new clone of the repository. However, for security, autoenabling
is only done when the git config `annex.security.autoenable-compute-programs`
includes the name of the compute program.
All other "field=value" parameters passed to `initremote` will be passed
to the program when running [[git-annex-addcomputed]]. Note that when the
program takes a dashed option, it can be provided after "--":