From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Kyle Lippincott <spectral@google.com>
Subject: Re: [PATCH 2/2] setup: make bareRepository=explicit work in GIT_DIR of a secondary worktree
Date: Fri, 08 Mar 2024 14:30:11 -0800
Message-ID: <xmqqil1wfjbg.fsf@gitster.g>
In-Reply-To: <20240308211957.3758770-3-gitster@pobox.com> (Junio C. Hamano's message of "Fri, 8 Mar 2024 13:19:57 -0800")

Junio C Hamano <gitster@pobox.com> writes:

> In the previous commit, we created a helper function to house the
> logic that checks if a directory that looks like a bare repository
> is actually a part of a non-bare repository. Extend the helper
> function to also check if the apparent bare-repository is a $GIT_DIR
> of a secondary worktree, by checking three things:
>
>  * The path to the $GIT_DIR must be a subdirectory of
>    ".git/worktrees/", which is the primary worktree [*].
>
>  * Such $GIT_DIR must have file "gitdir", that records the path of
>    the ".git" file that is at the root level of the secondary
>    worktree.
>
>  * That ".git" file in turn points back at the $GIT_DIR we are
>    inspecting.
>
> The latter two points are merely for checking sanity. The security
> lies in the first requirement.
>
> Remember that a tree object with an entry whose pathname component
> is ".git" is forbidden at various levels (fsck, object transfer and
> checkout), so malicious projects cannot cause users to clone and
> checkout a crafted ".git" directory in a shell directory that
> pretends to be a working tree with that ".git" thing at its root
> level. That is where 45bb9162 (setup: allow cwd=.git w/
> bareRepository=explicit, 2024-01-20) draws its security guarantee
> from. And the solution for secondary worktrees in this commit draws
> its security guarantee from the same place.

I wrote the "[*]" mark but forgot to add a footnote with
additional information for it. Something like this was what I had
in mind to write there:

    [Footnote]

     * This does not help folks who create a new worktree out of a bare
       repository, because in their set-up, there won't be "/.git/" in
       front of "worktrees" directory. It is fundamentally impossible
       to lift this limitation, as long as safe.bareRepository is
       considered to be a meaningful security measure. The security of
       both the loosening for a secondary worktree's GIT_DIR as well as
       the loosening for the GIT_DIR of the primary worktree, hinges on
       the fact that ".git/" directory is impossible to create as
       payload to be cloned.
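
The three checks listed in the quoted commit message, as an added shell illustration that is not part of this message and is not git's own setup.c code. The function name is hypothetical, and resolving a relative path recorded in "gitdir" against the directory being inspected is an assumption.

```shell
# Added illustration, not git's setup.c. Succeeds (exit status 0) when "$1"
# passes the three checks listed in the commit message.
is_secondary_worktree_gitdir() (
    # Resolve to a physical absolute path and work from inside it, so that a
    # relative path recorded in "gitdir" resolves (assumption: relative to here).
    gitdir=$(cd "$1" 2>/dev/null && pwd -P) || exit 1
    cd "$gitdir" || exit 1

    # Check 1 (the security-relevant one): must sit below ".git/worktrees/".
    # A worktree of a bare repository has no "/.git/" component and fails here.
    case "$gitdir" in
        */.git/worktrees/?*) ;;
        *) exit 1 ;;
    esac

    # Check 2: file "gitdir" records the path of the worktree's ".git" file.
    [ -f gitdir ] || exit 1
    IFS= read -r dotgit < gitdir || [ -n "$dotgit" ] || exit 1
    [ -f "$dotgit" ] || exit 1

    # Check 3: that ".git" file ("gitdir: <path>") points back at "$1".
    IFS= read -r line < "$dotgit" || [ -n "$line" ] || exit 1
    case "$line" in
        "gitdir: "?*) back=${line#gitdir: } ;;
        *) exit 1 ;;
    esac
    back=$(cd "$(dirname "$dotgit")" && cd "$back" 2>/dev/null && pwd -P) || exit 1
    [ "$back" = "$gitdir" ]
)
```
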