From: Taylor Blau <me@ttaylorr.com>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: rsbecker@nexbridge.com, 'Junio C Hamano' <gitster@pobox.com>,
git@vger.kernel.org
Subject: Re: [BUG] fatal: transport 'file' not allowed during submodule add
Date: Fri, 30 Dec 2022 16:08:03 -0500 [thread overview]
Message-ID: <Y69TMzIf/bdsZe6/@nand.local> (raw)
In-Reply-To: <Y6y+zkUsPhknTYH/@google.com>
Hi Jonathan,
On Wed, Dec 28, 2022 at 02:10:42PM -0800, Jonathan Nieder wrote:
> Hi Randall,
>
> rsbecker@nexbridge.com wrote:
> > Junio C Hamano wrote:
>
> >> This suspiciously sounds like what a1d4f67c (transport: make `protocol.file.allow`
> >> be "user" by default, 2022-07-29) is doing deliberately.
> >
> > I have tried using 'git config --local protocol.file.allow always' and/or
> > 'git config --local protocol.allow always' to get past this, without
> > success.
>
> Does `git config --global protocol.file.allow always` do the trick?
>
> >> Taylor, does this look like a
> >> corner case the 2.30.6 updates forgot to consider?
>
> I think it's the intended effect (preventing file:// submodules), but
> I wonder if this hints that we'd want that protection to be more
> targeted. A file:// submodule (as opposed to a bare path without URL
> scheme) wouldn't trigger the "git clone --local" behavior that that
> commit mentions wanting to protect against, so at first glance it
> would appear to be no more or less dangerous than cloning from a
> remote repository.
Changing the default value of 'protocol.file.allow' isn't solely about whether
or not we use the `file://` scheme and transport or not. Instead, it's
about preventing the user from accidentally cloning local repositories
containing sensitive data into the working copy of a malicious
repository.
One example might be that I convince you to clone my malicious
repository, which has a Dockerfile that uploads everything in the
container filesystem to some data harvesting server. Since 'docker run'
automatically puts everything in '.' into the volume mount, anything in
the working copy of my malicious repository will get exfiltrated.
The worry that I wrote about in a1d4f67c was that if I knew that you
stored, say, your SSH private key material in a repository that is at
`$HOME/.git` (as is sometimes common practice), then I could add a
submodule at /home/jrnieder/.git, and extract any sensitive data
therein.
So I think our new default is sensible here if we are concerned with
preventing such a case.
Thanks,
Taylor
next prev parent reply other threads:[~2022-12-30 21:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-27 23:00 [BUG] fatal: transport 'file' not allowed during submodule add rsbecker
2022-12-28 3:34 ` Junio C Hamano
2022-12-28 14:42 ` rsbecker
2022-12-28 22:10 ` Jonathan Nieder
2022-12-28 22:25 ` rsbecker
2022-12-30 21:08 ` Taylor Blau [this message]
2022-12-30 21:48 ` rsbecker
2023-01-03 8:57 ` Jeff King
2022-12-30 21:04 ` Taylor Blau
2022-12-30 21:43 ` rsbecker
2022-12-30 23:16 ` rsbecker
2022-12-30 20:15 ` rsbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y69TMzIf/bdsZe6/@nand.local \
--to=me@ttaylorr.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=rsbecker@nexbridge.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).