* Storing private config files in .git directory?
@ 2024-01-07 13:03 Stefan Haller
From: Stefan Haller @ 2024-01-07 13:03 UTC
To: git

Our git client (lazygit) has a need to store per-repo config files that
override the global one, much like git itself. The easiest way to do
that is to store those in a .git/lazygit.cfg file, and I'm wondering if
there's any reason why this is a bad idea?

Another alternative would be to store the config values in .git/config
(that's the path taken by git gui, for example), but since our config
file format is yaml, this would require translation. It would be trivial
for scalar values such as int or string, but I'm not sure how well this
would work for more complex settings like lists of objects.

Any thoughts?

* Re: Storing private config files in .git directory?
From: Junio C Hamano @ 2024-01-08 18:20 UTC
To: Stefan Haller; +Cc: git

Stefan Haller <lists@haller-berlin.de> writes:

> Our git client (lazygit) has a need to store per-repo config files that
> override the global one, much like git itself. The easiest way to do
> that is to store those in a .git/lazygit.cfg file, and I'm wondering if
> there's any reason why this is a bad idea?

An obvious alternative is to have .lazygit directory next to .git directory
which would give you a bigger separation, which can cut both ways.

* Re: Storing private config files in .git directory?
From: Jeff King @ 2024-01-10 11:08 UTC
To: Junio C Hamano; +Cc: Stefan Haller, git

On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote:

> Stefan Haller <lists@haller-berlin.de> writes:
>
> > Our git client (lazygit) has a need to store per-repo config files that
> > override the global one, much like git itself. The easiest way to do
> > that is to store those in a .git/lazygit.cfg file, and I'm wondering if
> > there's any reason why this is a bad idea?
>
> An obvious alternative is to have .lazygit directory next to .git directory
> which would give you a bigger separation, which can cut both ways.

Just to spell out one of those ways: unlike ".git", we will happily
check out ".lazygit" from an untrusted remote repository. That may be a
feature if you want to be able to share project-specific config, or it
might be a terrible security vulnerability if lazygit config files can
trigger arbitrary code execution.

-Peff

* Re: Storing private config files in .git directory?
From: Stefan Haller @ 2024-01-11 13:28 UTC
To: Jeff King, Junio C Hamano; +Cc: git

On 10.01.24 12:08, Jeff King wrote:
> On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote:
>
>> An obvious alternative is to have .lazygit directory next to .git directory
>> which would give you a bigger separation, which can cut both ways.
>
> Just to spell out one of those ways: unlike ".git", we will happily
> check out ".lazygit" from an untrusted remote repository. That may be a
> feature if you want to be able to share project-specific config, or it
> might be a terrible security vulnerability if lazygit config files can
> trigger arbitrary code execution.

Unless you don't version it and add it to .gitignore instead, which (I
suppose) is what most people do with their .vscode/settings.json, for
example.

-Stefan

* Re: Storing private config files in .git directory?
From: Jeff King @ 2024-01-12 6:56 UTC
To: Stefan Haller; +Cc: Junio C Hamano, git

On Thu, Jan 11, 2024 at 02:28:51PM +0100, Stefan Haller wrote:

> On 10.01.24 12:08, Jeff King wrote:
> > On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote:
> >
> >> An obvious alternative is to have .lazygit directory next to .git directory
> >> which would give you a bigger separation, which can cut both ways.
> >
> > Just to spell out one of those ways: unlike ".git", we will happily
> > check out ".lazygit" from an untrusted remote repository. That may be a
> > feature if you want to be able to share project-specific config, or it
> > might be a terrible security vulnerability if lazygit config files can
> > trigger arbitrary code execution.
>
> Unless you don't version it and add it to .gitignore instead, which (I
> suppose) is what most people do with their .vscode/settings.json, for
> example.

A .gitignore will help with people accidentally adding their .lazygit
directory. What I meant, though, was somebody _intentionally_ creating a
malicious repository that would then execute arbitrary code when the
victim cloned it.

We prevent that from happening with .git/config because there's special
handling that refuses to check out the name ".git" (or other
filesystem-equivalent names). But ".lazygit" would not have that same
protection.

-Peff
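
Added example, not part of the thread and not lazygit's code: one way a tool could apply the distinction Jeff King draws, by treating a work-tree config path as repository-supplied whenever git tracks it and keeping its private file in the git directory, located with the `git rev-parse --git-common-dir` lookup mentioned elsewhere in the thread. The `.lazygit` directory, the `lazygit.cfg` file name and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. The .lazygit directory, the lazygit.cfg file name and the
# function names are assumptions for illustration, not lazygit's behaviour.

# Path of a private per-repo config inside the common git dir. A checkout
# never writes there, so repository content cannot supply this file.
private_config_path() {
    ( cd "$1" && cd "$(git rev-parse --git-common-dir)" &&
      printf '%s/lazygit.cfg\n' "$(pwd -P)" )
}

# Classify a work-tree path:
#   tracked - in the index, so it can arrive through clone/checkout
#   local   - exists on disk but is not in the index
#   absent  - not there at all
worktree_path_origin() {
    if git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1; then
        echo tracked
    elif [ -e "$1/$2" ]; then
        echo local
    else
        echo absent
    fi
}

# Policy: never honour a work-tree config that the repository itself ships.
may_load_worktree_config() {
    [ "$(worktree_path_origin "$1" "$2")" != tracked ]
}

# Constructed demo: a throwaway repo that ships a tracked .lazygit/config.yml.
demo() {
    repo=$(mktemp -d) && git init -q "$repo" || return 1
    mkdir "$repo/.lazygit" && echo 'x: 1' > "$repo/.lazygit/config.yml"
    git -C "$repo" add .lazygit
    echo ".lazygit is $(worktree_path_origin "$repo" .lazygit)"
    may_load_worktree_config "$repo" .lazygit || echo "refusing work-tree config"
    echo "private config: $(private_config_path "$repo")"
    rm -rf "$repo"
}

# Run the demo with: sh example.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```
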

* Re: Storing private config files in .git directory?
From: Konstantin Ryabitsev @ 2024-01-08 18:56 UTC
To: Stefan Haller; +Cc: git

On Sun, Jan 07, 2024 at 02:03:20PM +0100, Stefan Haller wrote:
> Our git client (lazygit) has a need to store per-repo config files that
> override the global one, much like git itself. The easiest way to do
> that is to store those in a .git/lazygit.cfg file, and I'm wondering if
> there's any reason why this is a bad idea?

I have considered the same question for b4 as well, but I chose to just
rely on git's config file handling instead of any other option. There's a
large number of people who tend to deal with weird repository situations
by blowing away the entire repo and then recloning it. They may remember
to back up the .git/config file, but not really anything else. So, that
would be the only consideration against keeping anything in the .git
directory.

-K

* Re: Storing private config files in .git directory?
From: Marc Branchaud @ 2024-01-08 19:48 UTC
To: Stefan Haller, git

On 2024-01-07 08:03, Stefan Haller wrote:
> Our git client (lazygit) has a need to store per-repo config files that
> override the global one, much like git itself. The easiest way to do
> that is to store those in a .git/lazygit.cfg file, and I'm wondering if
> there's any reason why this is a bad idea?

In a worktree (created by "git worktree"), .git is a file not a directory.
Worktrees are designed to each have their own .git directory, which you
can find with "git rev-parse --git-dir". If you just want a single,
repo-wide config file, not a per-worktree config, you probably want to
instead use "git rev-parse --git-common-dir" to find the "main" repo's
.git directory.

The problem of finding a worktree's .git directory goes away if you use
Git's own config system, though.

> Another alternative would be to store the config values in .git/config
> (that's the path taken by git gui, for example), but since our config
> file format is yaml, this would require translation. It would be trivial
> for scalar values such as int or string, but I'm not sure how well this
> would work for more complex settings like lists of objects.
>
> Any thoughts?

YAML is a horrid little format (hey, you asked for "thoughts"!), and IIRC
Git's config file format only supports multi-line values with \-escaping
and similar patterns, making it nearly impossible to directly embed YAML
in Git's config file.

Ideally, if you do use Git's own config then you really should just drop
YAML altogether. But you have a couple of options without going so far as
translating all the YAML constructs you use into git-config ones.

For example, you could replace all the newlines in a YAML blob with \n to
make a single-line value that you could store in Git's config file. That
complicates hand-editing the YAML though, if that's a use case you care
about.

But even if you replace all the newlines with \n, in my experience there
are always corner-case clashes when mixing file syntaxes (e.g. quoted
strings are often problematic, and maybe some of your YAML values are
themselves multi-line).

If you want to use Git's own config file but stick with YAML, and you
really don't care about directly editing the YAML, I suggest you encode
the entire YAML blob in a robust single-line format, like base64, and
store/retrieve that using "git config". You could still support
hand-editing the YAML with a command like "lazygit editconfig", too.

M.
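
Added example, not part of the thread and not lazygit's code: the base64 approach Marc Branchaud suggests, storing a whole YAML file as a single-line value through "git config" and decoding it on read. The key name `lazygit.yaml`, the function names and the sample YAML are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The key name lazygit.yaml and the function names are
# assumptions for illustration; the sample YAML is constructed.

# Store a YAML file as one base64 line in the repository's local git config.
store_yaml() {
    blob=$(base64 < "$2" | tr -d '\n') || return 1
    git -C "$1" config --local lazygit.yaml "$blob"
}

# Print the stored YAML; fails if the key is unset or not valid base64.
load_yaml() {
    blob=$(git -C "$1" config --local --get lazygit.yaml) || return 1
    printf '%s' "$blob" | base64 -d
}

# Hand-editing round trip: decode to a temp file, edit, re-encode.
edit_yaml() {
    tmp=$(mktemp) || return 1
    load_yaml "$1" > "$tmp" 2>/dev/null || : > "$tmp"
    # $EDITOR is left unquoted on purpose so that it may carry arguments.
    ${EDITOR:-vi} "$tmp" && store_yaml "$1" "$tmp"
    status=$?; rm -f "$tmp"; return $status
}

# Constructed demo: multi-line YAML with quotes, escapes and a list of objects.
demo() {
    repo=$(mktemp -d) && git init -q "$repo" || return 1
    cat > "$repo/sample.yml" <<'EOF'
title: "dark \"mode\""
commands:
  - name: 'wip'
    run: "git commit -m \"wip\""
  - name: multi
    run: |
      line one
      line two
EOF
    store_yaml "$repo" "$repo/sample.yml"
    load_yaml "$repo" | cmp -s - "$repo/sample.yml" && echo "round trip ok"
    rm -rf "$repo"
}

# Run the demo with: sh example.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Because the value lives in the repository's shared config, a linked worktree reads the same blob without any lookup of its own .git location.
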