public inbox for git@vger.kernel.org
 help / color / mirror / Atom feed
From: Tian Yuchen <a3205153416@gmail.com>
To: git@vger.kernel.org
Cc: gitster@pobox.com
Subject: [PATCH v4] setup: allow cwd/.git to be a symlink to a directory
Date: Tue, 17 Feb 2026 16:41:24 +0800	[thread overview]
Message-ID: <20260217084124.150366-1-a3205153416@gmail.com> (raw)
In-Reply-To: <5b29218a-8d18-41f0-8a03-eac707151945@gmail.com>

Strictly enforcing 'lstat()' and 'S_ISREG()' on '.git' prevents valid
workflows where '.git' is a symbolic link pointing to a real git
directory (e.g. created via 'ln -s').

Refactor 'setup_git_directory_gently_1()' to use 'stat()' instead of
'lstat()'. This allows the filesystem to automatically resolve symbolic
links.

To ensure safety and correctness, the logic flow is updated to:

1. Ignore 'ENOENT' (file missing).
2. Check 'IS_A_DIR' cases via 'is_git_directory()'.
3. Explicitly reject 'NOT_A_FILE' cases (FIFOs or sockets).

Add a new test script t/t0009-setup-security.sh which verifies:

- Valid .git symlinks to real directories are accepted.
- .git as a named pipe (FIFO) is rejected.
- .git as a symlink to a named pipe is rejected.
- .git with garbage content is rejected.
- Empty .git directories are ignored.

Signed-off-by: Tian Yuchen <a3205153416@gmail.com>
---
 setup.c                   | 39 ++++++++++++++-------
 setup.h                   |  2 ++
 t/t0009-setup-security.sh | 72 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 12 deletions(-)
 create mode 100755 t/t0009-setup-security.sh

diff --git a/setup.c b/setup.c
index 3a6a048620..269aa9faaa 100644
--- a/setup.c
+++ b/setup.c
@@ -939,8 +939,14 @@ const char *read_gitfile_gently(const char *path, int *return_error_code)
 	static struct strbuf realpath = STRBUF_INIT;
 
 	if (stat(path, &st)) {
-		/* NEEDSWORK: discern between ENOENT vs other errors */
-		error_code = READ_GITFILE_ERR_STAT_FAILED;
+		if (errno == ENOENT)
+			error_code = READ_GITFILE_ERR_STAT_ENOENT;
+		else
+			error_code = READ_GITFILE_ERR_STAT_FAILED;
+		goto cleanup_return;
+	}
+	if (S_ISDIR(st.st_mode)) {
+		error_code = READ_GITFILE_ERR_IS_A_DIR;
 		goto cleanup_return;
 	}
 	if (!S_ISREG(st.st_mode)) {
@@ -994,7 +1000,9 @@ const char *read_gitfile_gently(const char *path, int *return_error_code)
 cleanup_return:
 	if (return_error_code)
 		*return_error_code = error_code;
-	else if (error_code)
+	else if (error_code &&
+		error_code != READ_GITFILE_ERR_STAT_ENOENT &&
+		error_code != READ_GITFILE_ERR_IS_A_DIR)
 		read_gitfile_error_die(error_code, path, dir);
 
 	free(buf);
@@ -1576,20 +1584,27 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir,
 		if (offset > min_offset)
 			strbuf_addch(dir, '/');
 		strbuf_addstr(dir, DEFAULT_GIT_DIR_ENVIRONMENT);
-		gitdirenv = read_gitfile_gently(dir->buf, die_on_error ?
-						NULL : &error_code);
+		gitdirenv = read_gitfile_gently(dir->buf, &error_code);
 		if (!gitdirenv) {
-			if (die_on_error ||
-			    error_code == READ_GITFILE_ERR_NOT_A_FILE) {
-				/* NEEDSWORK: fail if .git is not file nor dir */
+			if (error_code == READ_GITFILE_ERR_STAT_ENOENT) {
+				;
+			} else if (error_code == READ_GITFILE_ERR_IS_A_DIR) {
 				if (is_git_directory(dir->buf)) {
 					gitdirenv = DEFAULT_GIT_DIR_ENVIRONMENT;
 					gitdir_path = xstrdup(dir->buf);
 				}
-			} else if (error_code != READ_GITFILE_ERR_STAT_FAILED)
-				return GIT_DIR_INVALID_GITFILE;
-		} else
-			gitfile = xstrdup(dir->buf);
+			} else if (error_code == READ_GITFILE_ERR_NOT_A_FILE) {
+				if (die_on_error)
+					die(_("Invalid %s: not a regular file or directory"), dir->buf);
+				else
+					return GIT_DIR_INVALID_GITFILE;
+			} else if (error_code != READ_GITFILE_ERR_STAT_FAILED) {
+				if (die_on_error)
+					read_gitfile_error_die(error_code, dir->buf, NULL);
+				else
+					return GIT_DIR_INVALID_GITFILE;
+			}
+		}
 		/*
 		 * Earlier, we tentatively added DEFAULT_GIT_DIR_ENVIRONMENT
 		 * to check that directory for a repository.
diff --git a/setup.h b/setup.h
index d55dcc6608..c23629cb4f 100644
--- a/setup.h
+++ b/setup.h
@@ -36,6 +36,8 @@ int is_nonbare_repository_dir(struct strbuf *path);
 #define READ_GITFILE_ERR_NO_PATH 6
 #define READ_GITFILE_ERR_NOT_A_REPO 7
 #define READ_GITFILE_ERR_TOO_LARGE 8
+#define READ_GITFILE_ERR_STAT_ENOENT 9
+#define READ_GITFILE_ERR_IS_A_DIR 10
 void read_gitfile_error_die(int error_code, const char *path, const char *dir);
 const char *read_gitfile_gently(const char *path, int *return_error_code);
 #define read_gitfile(path) read_gitfile_gently((path), NULL)
diff --git a/t/t0009-setup-security.sh b/t/t0009-setup-security.sh
new file mode 100755
index 0000000000..72c5232147
--- /dev/null
+++ b/t/t0009-setup-security.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+test_description='setup: validation of .git file/directory types
+
+Verify that setup_git_directory() correctly handles:
+1. Valid .git directories (including symlinks to them).
+2. Invalid .git files (FIFOs, sockets) by erroring out.
+3. Invalid .git files (garbage) by erroring out.
+'
+
+. ./test-lib.sh
+
+test_expect_success 'setup: create parent git repository' '
+	git init parent &&
+	test_commit -C parent "root-commit"
+'
+
+test_expect_success SYMLINKS 'setup: .git as a symlink to a directory is valid' '
+	mkdir -p parent/link-to-dir &&
+	(
+		cd parent/link-to-dir &&
+		git init real-repo &&
+		ln -s real-repo/.git .git &&
+		git rev-parse --git-dir >actual &&
+		echo .git >expect &&
+		test_cmp expect actual
+	)
+'
+
+test_expect_success PIPE 'setup: .git as a FIFO (named pipe) is rejected' '
+	mkdir -p parent/fifo &&
+	(
+		cd parent/fifo &&
+		mkfifo .git &&
+		test_must_fail git rev-parse --git-dir 2>stderr &&
+		grep "not a regular file" stderr
+	)
+'
+
+test_expect_success SYMLINKS,PIPE 'setup: .git as a symlink to a FIFO is rejected' '
+	mkdir -p parent/symlink-fifo &&
+	(
+		cd parent/symlink-fifo &&
+		mkfifo target-fifo &&
+		ln -s target-fifo .git &&
+		test_must_fail git rev-parse --git-dir 2>stderr &&
+		grep "not a regular file" stderr
+	)
+'
+
+test_expect_success 'setup: .git with garbage content is rejected' '
+	mkdir -p parent/garbage &&
+	(
+		cd parent/garbage &&
+		echo "garbage" >.git &&
+		test_must_fail git rev-parse --git-dir 2>stderr &&
+		grep "invalid gitfile format" stderr
+	)
+'
+
+test_expect_success 'setup: .git as an empty directory is ignored' '
+	mkdir -p parent/empty-dir &&
+	(
+		cd parent/empty-dir &&
+		mkdir .git &&
+		git rev-parse --git-dir >actual &&
+		echo "$TRASH_DIRECTORY/parent/.git" >expect &&
+		test_cmp expect actual
+	)
+'
+
+test_done
-- 
2.43.0


  reply	other threads:[~2026-02-17  8:41 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-11 18:21 [RFC] setup: fail if .git is not a file or directory Tian Yuchen
2026-02-11 19:47 ` Junio C Hamano
2026-02-12 17:33   ` Tian Yuchen
2026-02-12 17:24 ` [PATCH v2] " Tian Yuchen
2026-02-12 20:59   ` Junio C Hamano
2026-02-13 16:37     ` Tian Yuchen
2026-02-14  4:52   ` [PATCH v3] " Tian Yuchen
2026-02-15  8:41     ` Junio C Hamano
2026-02-15 16:22       ` Tian Yuchen
2026-02-16  2:37         ` Junio C Hamano
2026-02-16 16:02           ` Tian Yuchen
2026-02-17  8:41             ` Tian Yuchen [this message]
2026-02-17 11:26               ` [PATCH v4] setup: allow cwd/.git to be a symlink to a directory Karthik Nayak
2026-02-17 15:30                 ` Tian Yuchen
2026-02-17 18:56                   ` Karthik Nayak
2026-02-17 21:10                     ` Junio C Hamano
2026-02-17 17:01                 ` Junio C Hamano
2026-02-17 18:50                   ` Karthik Nayak
2026-02-18  4:08                     ` Tian Yuchen
2026-02-17 17:59               ` Karthik Nayak
2026-02-18  5:18               ` [PATCH v5 0/2] setup.c: v5 reroll Tian Yuchen
2026-02-18  5:18                 ` [PATCH v5 1/2] setup: distingush ENOENT from other stat errors Tian Yuchen
2026-02-18 10:12                   ` Karthik Nayak
2026-02-18 11:11                     ` Tian Yuchen
2026-02-18 18:15                   ` Junio C Hamano
2026-02-18 18:43                     ` Junio C Hamano
2026-02-18  5:18                 ` [PATCH v5 2/2] setup: allow cwd/.git to be a symlink to a directory Tian Yuchen
2026-02-18 10:27                   ` Karthik Nayak
2026-02-18 11:20                     ` Tian Yuchen
2026-02-18 18:25                   ` Junio C Hamano
2026-02-19  5:11                     ` Tian Yuchen
2026-02-15 17:08       ` [PATCH v3] setup: fail if .git is not a file or directory Tian Yuchen
2026-02-12 22:39 ` [RFC] " brian m. carlson
2026-02-12 22:45   ` Junio C Hamano
2026-02-12 23:03     ` brian m. carlson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260217084124.150366-1-a3205153416@gmail.com \
    --to=a3205153416@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox