Enforce safe directory #762

thboop · 2022-04-13T16:36:03Z

This pr fixes #760 by setting the repositories path as a safe directory when running checkout and removing that config on cleanup.

We aren't able to set it as a local config, as this setting only works for global configs.

So, using the standard we used for submodules, lets go ahead and copy the existing global config to a new location. Then we can go ahead and modify that global config (so we don't modify like a users global config if they test something on a self hosted runner real fast). Then, we can delete that global config at the end of the checkout step.

This does carry some limitations, it doesn't persist this configuration for the duration of the job mainly. So if your job pushes to git or something after checkout, that will continue to fail. We need to figure out how to address this at an ecosystem level, outside of the checkout action.

src/git-source-provider.ts

src/git-command-manager.ts

src/git-source-provider.ts

thboop · 2022-04-13T20:02:18Z

__test__/git-auth-helper.test.ts

    // Arrange
-    await setup(removeGlobalAuth_removesOverride)


Renamed this function, changes are a result of that

src/git-source-provider.ts

src/git-auth-helper.ts

src/git-source-provider.ts

cbalioglu · 2022-04-13T22:25:16Z

@thboop thanks a lot for taking quick action! Do you have an ETA on when you plan to land this fix?

src/git-auth-helper.ts

src/git-source-provider.ts

src/git-auth-helper.ts

Git recently made some updates[0][1] fixing a CVE. This has unfortunately caused the build on Alpine to fail with the following gcc -MT .objs/curler.o -MMD -MP -MF .d/curler.o.Td -Werror -Wall -Wextra -Wdeclaration-after-statement -Wvla -Wmissing-prototypes -Wstrict-prototypes -Wold-style-definition -std=gnu99 -g -O2 -Wp,-D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -fno-common -fstack-protector -fPIC -fexceptions -fvisibility=hidden -I../include/libmtdac -DLIBNAME=\"libmtdac\" -DGIT_VERSION=\"\" -pipe -c -o .objs/curler.o curler.c curler.c: In function 'do_curl': curler.c:292:2: error: offset '1' outside bounds of constant string [-Werror=array-bounds] 292 | snprintf(ua, 1024, "%s %d.%d.%d (%s) / (libcurl/%s)", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 293 | LIBNAME, LIBMTDAC_MAJOR_VERSION, LIBMTDAC_MINOR_VERSION, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 294 | LIBMTDAC_MICRO_VERSION, GIT_VERSION + 1, verinfo->version); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The GIT_VERSION is empty! and just above that we have fatal: unsafe repository ('/__w/libmtdac/libmtdac' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /__w/libmtdac/libmtdac This is the result of trying to run git describe --long --dirty GitHub have made some changes to the actions/checkout@...[2] to workaround this, however this doesn't persist beyond the initial checkout stage[3] and so the git command fails in the Makefile where we try and get the version. To fix this we need to set the safe.directory ourselves from the make action. This updates all the builds, except centos_7 where we don't install git, as it won't harm older gits that don't have this issue and don't know about safe.directory (they'll just ignore that setting). [0]: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ [1]: https://github.blog/2022-04-12-git-security-vulnerability-announced/ [2]: actions/checkout#762 [3]: actions/checkout#766 Signed-off-by: Andrew Clayton <andrew@digital-domain.net>

liskin · 2022-05-01T12:01:03Z

This does carry some limitations, it doesn't persist this configuration for the duration of the job mainly. So if your job pushes to git or something after checkout, that will continue to fail. We need to figure out how to address this at an ecosystem level, outside of the checkout action.

This doesn't just affect stuff like pushing to git, it breaks even relatively common things like "git status", "git describe", basically any git command at all. Therefore anyone who uses that sort of information in their jobs will see breakage. In my case, https://github.com/pypa/setuptools_scm no longer works. Is there an issue tracking the "addressing this at an ecosystem level" which I can watch and get notified when it's resolved? Thanks!

- issue: actions/checkout#760 - fix: actions/checkout#762

Error message was: """ fatal: unsafe repository ('/github/workspace' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /github/workspace """ Reference: actions/checkout#762

By bumping the version of this action to v3, it incorporates the setting of safe mode on the repo directories, avoiding the error: fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /__w/avocado/avocado Error: Process completed with exit code 128. Reference: actions/checkout#762 Signed-off-by: Cleber Rosa <crosa@redhat.com>

This workflow is currently failing, giving the following error: fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /__w/avocado/avocado Error: Process completed with exit code 128. The checkout action, on version 3, has the capability to set the safe mode on repos it checks out, but, it's limited to the scope of that action. Let's work around this limitation and more recent git behavior and set the safe mode on the repo directory manually. Reference: actions/checkout#762 Signed-off-by: Cleber Rosa <crosa@redhat.com>

This workflow is currently failing, giving the following error: fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /__w/avocado/avocado Error: Process completed with exit code 128. Let's work around this limitation and more recent git behavior and set the safe mode on the repo directory manually. Reference: actions/checkout#762 Signed-off-by: Cleber Rosa <crosa@redhat.com>

Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (actions/checkout#762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, actions/checkout#760), by marking the /data directory inside the container as safe for git during the container build.

* tooling: git safe repo directory for docker image Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (actions/checkout#762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, actions/checkout#760), by marking the /data directory inside the container as safe for git during the container build. * tooling: point git to directory instead of disabling security features Easier to maintain version of 7c2b552 that additionally does not fiddle with security sensitive settings. * style(Makefile): docker git env into separate variable * tooling: extract repo location inside container into variable * tooling: replace missing hardcoded /data with variable Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling(delete-rem-tags): pass git commit info (#19) * tooling(delete-rem-tags): pass git commit info Passes git author information via environment variables into the docker container, in order to ensure commits done by the script have correct author information. * tooling(delete-rem-tags): pass git full commit info Pass not only author information, but committer information too, since git seems to be *sometimes* unhappy with only author information, for whatever reason. * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de>

TingluoHuang reviewed Apr 13, 2022

View changes

src/git-source-provider.ts Outdated Show resolved Hide resolved

TingluoHuang reviewed Apr 13, 2022

View changes

src/git-command-manager.ts Outdated Show resolved Hide resolved

TingluoHuang reviewed Apr 13, 2022

View changes

src/git-source-provider.ts Outdated Show resolved Hide resolved

ethomson reviewed Apr 13, 2022

View changes

src/git-source-provider.ts Outdated Show resolved Hide resolved

thboop reviewed Apr 13, 2022

View changes

src/git-source-provider.ts Show resolved Hide resolved

thboop reviewed Apr 13, 2022

View changes

src/git-auth-helper.ts Outdated Show resolved Hide resolved

thboop reviewed Apr 13, 2022

View changes

src/git-source-provider.ts Show resolved Hide resolved

creachadair mentioned this pull request Apr 13, 2022

Work around a permissions bug in actions/checkout. tendermint/tendermint#8339

Merged