Updates to the safe.directory config option

[derrickstolee]

Here is a very fast response to the security release yesterday.

The second patch here is an adaptation from a contributor who created a pull request against git/git [1]. I augmented the patch with a test (the test infrastructure is added in patch 1).

The third patch is a change to the safe.directory config option to include a possible "*" value to completely opt-out of the check. This will be particularly helpful for cases where users run Git commands within a container. This container workflow always runs as a different user than the host, but also the container does not have access to the host's system or global config files. It's also helpful for users who don't want to set the config for a large number of shared repositories [2].

Thanks,
-Stolee

[1] git#1235
[2] git-for-windows#3787
[3] desktop/desktop#14336

cc: [email protected]
cc: [email protected]
cc: [email protected]
cc: Ævar Arnfjörð Bjarmason [email protected]
cc: SZEDER Gábor [email protected]
cc: Carlo Marcelo Arenas Belón [email protected]
cc: Eric Sunshine [email protected]

[derrickstolee]

/submit

[gitgitgadget]

Submitted as [email protected]

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1215/derrickstolee/safe-directories-star-v1

To fetch this version to local tag pr-1215/derrickstolee/safe-directories-star-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1215/derrickstolee/safe-directories-star-v1

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Derrick Stolee via GitGitGadget" <[email protected]> writes:

> Here is a very fast response to the security release yesterday.

Wow.  While I were down the whole day yesterday after sending the
release announcement, it seems a lot have happened X-<.  Does your
"a very fast" expect only "wow, thanks for a fast reponse", or does
it also expect "ok, we'll take a deep look with a spoonful of salt
as it was prepared in haste"?

> The second patch here is an adaptation from a contributor who created a pull
> request against git/git [1]. I augmented the patch with a test (the test
> infrastructure is added in patch 1).
>
> The third patch is a change to the safe.directory config option to include a
> possible "*" value to completely opt-out of the check. This will be
> particularly helpful for cases where users run Git commands within a
> container. This container workflow always runs as a different user than the
> host, but also the container does not have access to the host's system or
> global config files. It's also helpful for users who don't want to set the
> config for a large number of shared repositories [2].

Let me take a look how well these integrate into the maintenance
tracks.

I would appreciate something that is targetted and narrow that can
be applied to the oldest maintenance track (2.30.3) and then merged
upwards, plus niceties on top that does not necessarily have to
apply to the oldest ones if the surrounding code or tests were
changed more recently.

Thanks.

> Thanks, -Stolee
>
> [1] https://github.com/git/git/pull/1235 [2]
> https://github.com/git-for-windows/git/issues/3787 [3]
> https://github.com/desktop/desktop/issues/14336
>
> Derrick Stolee (2):
>   t0033: add tests for safe.directory
>   setup: opt-out of check with safe.directory=*
>
> Matheus Valadares (1):
>   setup: fix safe.directory key not being checked
>
>  Documentation/config/safe.txt |  7 +++++
>  setup.c                       | 12 ++++++---
>  t/t0033-safe-directory.sh     | 49 +++++++++++++++++++++++++++++++++++
>  3 files changed, 65 insertions(+), 3 deletions(-)
>  create mode 100755 t/t0033-safe-directory.sh
>
>
> base-commit: 11cfe552610386954886543f5de87dcc49ad5735
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1215%2Fderrickstolee%2Fsafe-directories-star-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1215/derrickstolee/safe-directories-star-v1
> Pull-Request: https://github.com/gitgitgadget/git/pull/1215

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Derrick Stolee via GitGitGadget" <[email protected]> writes:

> From: Derrick Stolee <[email protected]>
>
> It is difficult to change the ownership on a directory in our test
> suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
> variable to trick Git into thinking we are in a differently-owned
> directory. This allows us to test that the config is parsed correctly.

OK.

> -	if (is_path_owned_by_current_user(path))
> +	if (is_path_owned_by_current_user(path) &&
> +	    !git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0))
>  		return 1;

Shouldn't the overriding "GIT_TEST_BLAH" be checked before the
real logic kicks in, I wonder?

> diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
> new file mode 100755
> index 00000000000..9380ff3d017
> --- /dev/null
> +++ b/t/t0033-safe-directory.sh
> @@ -0,0 +1,34 @@
> +#!/bin/sh
> +
> +test_description='verify safe.directory checks'
> +
> +. ./test-lib.sh
> +
> +GIT_TEST_ASSUME_DIFFERENT_OWNER=1
> +export GIT_TEST_ASSUME_DIFFERENT_OWNER
> +
> +expect_rejected_dir () {
> +	test_must_fail git status 2>err &&
> +	grep "safe.directory" err
> +}
> +...
> +test_expect_success 'safe.directory matches' '
> +	git config --global --add safe.directory "$(pwd)" &&
> +	git status
> +'

Just double checking, as I know you are much closer to the affected
platform than I'd ever be ;-) but is the use of $(pwd) safe and
correct here?

I always get confused between $(pwd) and $PWD, which does not make
any difference on platforms I have access to, but makes difference
to hurt Windows users.

> +test_expect_success 'safe.directory matches, but is reset' '
> +	git config --global --add safe.directory "" &&
> +	expect_rejected_dir
> +'
> +
> +test_done

Thanks.  This step should apply to maint-2.30 cleanly, I would
think.

[gitgitgadget]

On the Git mailing list, Derrick Stolee wrote (reply to this):

On 4/13/2022 12:24 PM, Junio C Hamano wrote:
> "Derrick Stolee via GitGitGadget" <[email protected]> writes:
> 
>> From: Derrick Stolee <[email protected]>
>>
>> It is difficult to change the ownership on a directory in our test
>> suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
>> variable to trick Git into thinking we are in a differently-owned
>> directory. This allows us to test that the config is parsed correctly.
> 
> OK.
> 
>> -	if (is_path_owned_by_current_user(path))
>> +	if (is_path_owned_by_current_user(path) &&
>> +	    !git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0))
>>  		return 1;
> 
> Shouldn't the overriding "GIT_TEST_BLAH" be checked before the
> real logic kicks in, I wonder?

Either order would work. I bet that checking the environment is
faster than checking the disk, so swapping the order would be prudent
here.
 
>> diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
>> new file mode 100755
>> index 00000000000..9380ff3d017
>> --- /dev/null
>> +++ b/t/t0033-safe-directory.sh
>> @@ -0,0 +1,34 @@
>> +#!/bin/sh
>> +
>> +test_description='verify safe.directory checks'
>> +
>> +. ./test-lib.sh
>> +
>> +GIT_TEST_ASSUME_DIFFERENT_OWNER=1
>> +export GIT_TEST_ASSUME_DIFFERENT_OWNER
>> +
>> +expect_rejected_dir () {
>> +	test_must_fail git status 2>err &&
>> +	grep "safe.directory" err
>> +}
>> +...
>> +test_expect_success 'safe.directory matches' '
>> +	git config --global --add safe.directory "$(pwd)" &&
>> +	git status
>> +'
> 
> Just double checking, as I know you are much closer to the affected
> platform than I'd ever be ;-) but is the use of $(pwd) safe and
> correct here?
> 
> I always get confused between $(pwd) and $PWD, which does not make
> any difference on platforms I have access to, but makes difference
> to hurt Windows users.

These tests pass CI on Windows. I've had issues before using $PWD,
thinking back to tests in t7900-maintenance.sh that use $(pwd)
instead.

Thanks,
-Stolee

[gitgitgadget]

On the Git mailing list, Derrick Stolee wrote (reply to this):

On 4/13/2022 12:15 PM, Junio C Hamano wrote:
> "Derrick Stolee via GitGitGadget" <[email protected]> writes:
> 
>> Here is a very fast response to the security release yesterday.
> 
> Wow.  While I were down the whole day yesterday after sending the
> release announcement, it seems a lot have happened X-<.  Does your
> "a very fast" expect only "wow, thanks for a fast reponse", or does
> it also expect "ok, we'll take a deep look with a spoonful of salt
> as it was prepared in haste"?

I tried to do my due diligence here, but I will admit to some amount
of haste being applied due to the many distinct sources that have
motivated the change.

>> The second patch here is an adaptation from a contributor who created a pull
>> request against git/git [1]. I augmented the patch with a test (the test
>> infrastructure is added in patch 1).
>>
>> The third patch is a change to the safe.directory config option to include a
>> possible "*" value to completely opt-out of the check. This will be
>> particularly helpful for cases where users run Git commands within a
>> container. This container workflow always runs as a different user than the
>> host, but also the container does not have access to the host's system or
>> global config files. It's also helpful for users who don't want to set the
>> config for a large number of shared repositories [2].
> 
> Let me take a look how well these integrate into the maintenance
> tracks.
> 
> I would appreciate something that is targetted and narrow that can
> be applied to the oldest maintenance track (2.30.3) and then merged
> upwards, plus niceties on top that does not necessarily have to
> apply to the oldest ones if the surrounding code or tests were
> changed more recently.

The tests that are added are in a new test file, so hopefully
those don't collide with anything.

The changes in setup.c apply within the ensure_valid_ownership()
so should apply to any versions that have the fix.

Thanks,
-Stolee

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Matheus Valadares via GitGitGadget" <[email protected]>
writes:

> From: Matheus Valadares <[email protected]>
>
> It seems that nothing is ever checking to make sure the safe directories
> in the configs actually have the key safe.directory, so some unrelated
> config that has a value with a certain directory would also make it a
> safe directory.

Good finding, and the fix is straight-forward and obviously correct.
Thanks.

> Signed-off-by: Matheus Valadares <[email protected]>
> Signed-off-by: Derrick Stolee <[email protected]>
> ---
>  setup.c                   | 3 +++
>  t/t0033-safe-directory.sh | 5 +++++
>  2 files changed, 8 insertions(+)

> diff --git a/setup.c b/setup.c
> index f54f449008a..a995c359c32 100644
> --- a/setup.c
> +++ b/setup.c
> @@ -1100,6 +1100,9 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
>  {
>  	struct safe_directory_data *data = d;
>  
> +	if (strcmp(key, "safe.directory"))
> +		return 0;
> +
>  	if (!value || !*value)
>  		data->is_safe = 0;
>  	else {
> diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
> index 9380ff3d017..6f33c0dfefa 100755
> --- a/t/t0033-safe-directory.sh
> +++ b/t/t0033-safe-directory.sh
> @@ -21,6 +21,11 @@ test_expect_success 'safe.directory does not match' '
>  	expect_rejected_dir
>  '
>  
> +test_expect_success 'path exist as different key' '
> +	git config --global foo.bar "$(pwd)" &&
> +	expect_rejected_dir
> +'
> +
>  test_expect_success 'safe.directory matches' '
>  	git config --global --add safe.directory "$(pwd)" &&
>  	git status

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Derrick Stolee via GitGitGadget" <[email protected]> writes:

> To simplify the reactions necessary for these users, extend the
> definition of the safe.directory config value to include a possible '*'
> value. This value implies that all directories are safe, providing a
> single setting to opt-out of this protection.

OK.  During the development of the original fix, we discussed if a
more flexible mechanism, like allowing globs, but ended up with the
simplest and easiest to explain option, with the expectation that we
may want to loosen it later as necessary.  And this is certainly
what we would have expected to add.

> Note that an empty assignment of safe.directory clears all previous
> values, and this is already the case with the "if (!value || !*value)"
> condition.

OK.

>  	if (strcmp(key, "safe.directory"))
>  		return 0;
>  
> -	if (!value || !*value)
> +	if (!value || !*value) {
>  		data->is_safe = 0;
> -	else {
> +	} else if (!strcmp(value, "*")) {
> +		data->is_safe = 1;
> +	} else {
>  		const char *interpolated = NULL;
>  
>  		if (!git_config_pathname(&interpolated, key, value) &&
> diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh

OK.

> index 6f33c0dfefa..239d93f4d21 100755
> --- a/t/t0033-safe-directory.sh
> +++ b/t/t0033-safe-directory.sh
> @@ -36,4 +36,14 @@ test_expect_success 'safe.directory matches, but is reset' '
>  	expect_rejected_dir
>  '
>  
> +test_expect_success 'safe.directory=*' '
> +	git config --global --add safe.directory "*" &&
> +	git status
> +'
> +
> +test_expect_success 'safe.directory=*, but is reset' '
> +	git config --global --add safe.directory "" &&
> +	expect_rejected_dir
> +'

Thanks.

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Derrick Stolee <[email protected]> writes:

> I tried to do my due diligence here, but I will admit to some amount
> of haste being applied due to the many distinct sources that have
> motivated the change.

OK.  Thanks for a fast response to a brown-paper-bag bug or two.

> The tests that are added are in a new test file, so hopefully
> those don't collide with anything.
>
> The changes in setup.c apply within the ensure_valid_ownership()
> so should apply to any versions that have the fix.

Yup, I was more worried about newer test helpers and API functions
that did not exist in the older code base, but after reading the
patches through, I think these are all from battle tested and solid
part that applies to all relevant maintenance tracks.

Thanks.

[gitgitgadget]

On the Git mailing list, Ævar Arnfjörð Bjarmason wrote (reply to this):

On Wed, Apr 13 2022, Derrick Stolee via GitGitGadget wrote:

> From: Derrick Stolee <[email protected]>
>
> It is difficult to change the ownership on a directory in our test
> suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
> variable to trick Git into thinking we are in a differently-owned
> directory. This allows us to test that the config is parsed correctly.

I think this is a good trade-off, but FWIW I'd think we could test also
without the git_env_bool() by having the test depend on !NOT_ROOT, then
check the owner of t/test-lib.sh, and chown to that user (i.e. the
"real" user).

But that's all sorts of more fragile than just this test variable..
> +test_description='verify safe.directory checks'
> +
> +. ./test-lib.sh
> +
> +GIT_TEST_ASSUME_DIFFERENT_OWNER=1
> +export GIT_TEST_ASSUME_DIFFERENT_OWNER

Instead of this "export" perhaps just add it in front of the "git
status"?

These tests also pass with SANITIZE=leak, so please add
TEST_PASSES_SANITIZE_LEAK=true at the top.

> +expect_rejected_dir () {
> +	test_must_fail git status 2>err &&
> +	grep "safe.directory" err
> +}
> +
> +test_expect_success 'safe.directory is not set' '
> +	expect_rejected_dir
> +'
> +
> +test_expect_success 'safe.directory does not match' '
> +	git config --global safe.directory bogus &&
> +	expect_rejected_dir
> +'
> +
> +test_expect_success 'safe.directory matches' '
> +	git config --global --add safe.directory "$(pwd)" &&

nit: $PWD instead of $(pwd)

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Ævar Arnfjörð Bjarmason <[email protected]> writes:

(just this part)

> These tests also pass with SANITIZE=leak, so please add
> TEST_PASSES_SANITIZE_LEAK=true at the top.

Derrick, please ignore the above.  It is totally outside the scope
of these patches, and they are meant to be applied on top of the
2.30 maintenance track, where TEST_PASSES_SANITIZE_LEAK=true was
irrelevant.

I do not mind adding such after the dust settles on top of 'master'
(or possibly 'maint'), but not as part of these "let's fix the screw
up in 2.30.3 and its friends" effort.

Thanks.

[gitgitgadget]

On the Git mailing list, Derrick Stolee wrote (reply to this):

On 4/13/2022 3:16 PM, Ævar Arnfjörð Bjarmason wrote:
> 
> On Wed, Apr 13 2022, Derrick Stolee via GitGitGadget wrote:
> 
>> From: Derrick Stolee <[email protected]>
>>
>> It is difficult to change the ownership on a directory in our test
>> suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
>> variable to trick Git into thinking we are in a differently-owned
>> directory. This allows us to test that the config is parsed correctly.
> 
> I think this is a good trade-off, but FWIW I'd think we could test also
> without the git_env_bool() by having the test depend on !NOT_ROOT, then
> check the owner of t/test-lib.sh, and chown to that user (i.e. the
> "real" user).
> 
> But that's all sorts of more fragile than just this test variable..
>> +test_description='verify safe.directory checks'
>> +
>> +. ./test-lib.sh
>> +
>> +GIT_TEST_ASSUME_DIFFERENT_OWNER=1
>> +export GIT_TEST_ASSUME_DIFFERENT_OWNER
> 
> Instead of this "export" perhaps just add it in front of the "git
> status"?

If the only runs were in this helper below, then yes.

>> +expect_rejected_dir () {
>> +	test_must_fail git status 2>err &&
>> +	grep "safe.directory" err
>> +}

Later patches add more success cases that run 'git status'
as its verification that the match works. I didn't think it
was good to have this environment variable set for each of
those invocations.

This script has one purpose, and this environment variable
is required to make any of the checks work. Setting it
globally seems the best way to do that.

>> +test_expect_success 'safe.directory matches' '
>> +	git config --global --add safe.directory "$(pwd)" &&
> 
> nit: $PWD instead of $(pwd)

Historically, $PWD doesn't work properly across platforms,
so I have used $(pwd) consistently across many contributions.

Thanks,
-Stolee

[gitgitgadget]

User Ævar Arnfjörð Bjarmason <[email protected]> has been added to the cc: list.

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Junio C Hamano <[email protected]> writes:

> Derrick Stolee <[email protected]> writes:
>
>> I tried to do my due diligence here, but I will admit to some amount
>> of haste being applied due to the many distinct sources that have
>> motivated the change.
>
> OK.  Thanks for a fast response to a brown-paper-bag bug or two.

Here is a draft release notes to 2.30.4.txt; I may tag this later
tonight (i.e. in 4 hours or so) or perhaps tomorrow morning, together
with the result of merging the fixes into newer maintenance releases.

Thanks, everybody, for working on the issue.


Git v2.30.4 Release Notes (draft)
=================================

This release contains minor fix-ups for the changes that went into
Git 2.30.3, which was made to address CVE-2022-24765.

 * The code that was meant to parse the new `safe.directory`
   configuration variable was not checking what configuration
   variable was being fed to it, which has been corrected.

 * '*' can be used as the value for the `safe.directory` variable to
   signal that the user considers that any directory is safe.


Derrick Stolee (2):
      t0033: add tests for safe.directory
      setup: opt-out of check with safe.directory=*

Matheus Valadares (1):
      setup: fix safe.directory key not being checked

[gitgitgadget]

On the Git mailing list, Taylor Blau wrote (reply to this):

On Wed, Apr 13, 2022 at 01:27:05PM -0700, Junio C Hamano wrote:
> Junio C Hamano <[email protected]> writes:
>
> > Derrick Stolee <[email protected]> writes:
> >
> >> I tried to do my due diligence here, but I will admit to some amount
> >> of haste being applied due to the many distinct sources that have
> >> motivated the change.
> >
> > OK.  Thanks for a fast response to a brown-paper-bag bug or two.
>
> Here is a draft release notes to 2.30.4.txt; I may tag this later
> tonight (i.e. in 4 hours or so) or perhaps tomorrow morning, together
> with the result of merging the fixes into newer maintenance releases.
>
> Thanks, everybody, for working on the issue.

Thanks; this all looks good to me. I took a careful look at Stolee's new
patches as well as the (elided) release notes from you below, and both
look good to me.

Don't worry about applying my Reviewed-by, but I did want to acknowledge
having looked at these.

Thanks,
Taylor

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Taylor Blau <[email protected]> writes:

> On Wed, Apr 13, 2022 at 01:27:05PM -0700, Junio C Hamano wrote:
>> Junio C Hamano <[email protected]> writes:
>>
>> > Derrick Stolee <[email protected]> writes:
>> >
>> >> I tried to do my due diligence here, but I will admit to some amount
>> >> of haste being applied due to the many distinct sources that have
>> >> motivated the change.
>> >
>> > OK.  Thanks for a fast response to a brown-paper-bag bug or two.
>>
>> Here is a draft release notes to 2.30.4.txt; I may tag this later
>> tonight (i.e. in 4 hours or so) or perhaps tomorrow morning, together
>> with the result of merging the fixes into newer maintenance releases.
>>
>> Thanks, everybody, for working on the issue.
>
> Thanks; this all looks good to me. I took a careful look at Stolee's new
> patches as well as the (elided) release notes from you below, and both
> look good to me.
>
> Don't worry about applying my Reviewed-by, but I did want to acknowledge
> having looked at these.

Thanks for giving an extra set of eyes.

[gitgitgadget]

This patch series was integrated into maint via git@d516b2d.

[gitgitgadget]

This patch series was integrated into seen via git@1ac7422.

[gitgitgadget]

This patch series was integrated into master via git@1ac7422.

[gitgitgadget]

This patch series was integrated into next via git@5071ed8.