public inbox for git@vger.kernel.org 
From: Junio C Hamano <gitster@pobox•com>
To: git@vger•kernel.org
Cc: Kyle Lippincott <spectral@google•com>
Subject: Re: [PATCH 2/2] setup: make bareRepository=explicit work in GIT_DIR of a secondary worktree
Date: Fri, 08 Mar 2024 14:30:11 -0800
Message-ID: <xmqqil1wfjbg.fsf@gitster.g>
In-Reply-To: <20240308211957.3758770-3-gitster@pobox.com> (Junio C. Hamano's message of "Fri, 8 Mar 2024 13:19:57 -0800")

Junio C Hamano <gitster@pobox•com> writes:

> In the previous commit, we created a helper function to house the
> logic that checks if a directory that looks like a bare repository
> is actually a part of a non-bare repository.  Extend the helper
> function to also check if the apparent bare-repository is a $GIT_DIR
> of a secondary worktree, by checking three things:
>
>  * The path to the $GIT_DIR must be a subdirectory of
>    ".git/worktrees/", which is the primary worktree [*].
>
>  * Such $GIT_DIR must have file "gitdir", that records the path of
>    the ".git" file that is at the root level of the secondary
>    worktree.
>
>  * That ".git" file in turn points back at the $GIT_DIR we are
>    inspecting.
>
> The latter two points are merely for checking sanity.  The security
> lies in the first requirement.
>
> Remember that a tree object with an entry whose pathname component
> is ".git" is forbidden at various levels (fsck, object transfer and
> checkout), so malicious projects cannot cause users to clone and
> checkout a crafted ".git" directory in a shell directory that
> pretends to be a working tree with that ".git" thing at its root
> level.  That is where 45bb9162 (setup: allow cwd=.git w/
> bareRepository=explicit, 2024-01-20) draws its security guarantee
> from.  And the solution for secondary worktrees in this commit draws
> its security guarantee from the same place.

I wrote the "[*]" mark but forgot to add a footnote with
additional information for it.  Something like this was what I had
in mind to write there:

[Footnote]

 * This does not help folks who create a new worktree out of a bare
   repository, because in their set-up, there won't be "/.git/" in
   front of "worktrees" directory.  It is fundamentally impossible
   to lift this limitation, as long as safe.bareRepository is
   considered to be a meaningful security measure.  The security of
   both the loosening for a secondary worktree's GIT_DIR as well as
   the loosening for the GIT_DIR of the primary worktree, hinge on
   the fact that ".git/" directory is impossible to create as
   payload to be cloned.
