Enforce safe directory
Merged
+240
−165
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TingluoHuang
reviewed
Apr 13, 2022
TingluoHuang
reviewed
Apr 13, 2022
TingluoHuang
reviewed
Apr 13, 2022
ethomson
reviewed
Apr 13, 2022
thboop
reviewed
Apr 13, 2022
| // Arrange | ||
| await setup(removeGlobalAuth_removesOverride) |
There was a problem hiding this comment.
Renamed this function, changes are a result of that
thboop
reviewed
Apr 13, 2022
thboop
reviewed
Apr 13, 2022
thboop
reviewed
Apr 13, 2022
|
@thboop thanks a lot for taking quick action! Do you have an ETA on when you plan to land this fix? |
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
thboop
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
reviewed
Apr 14, 2022
TingluoHuang
approved these changes
Apr 14, 2022
ac000
added a commit
to ac000/libmtdac
that referenced
this issue
Apr 23, 2022
Git recently made some updates[0][1] fixing a CVE.
This has unfortunately caused the build on Alpine to fail with the
following
gcc -MT .objs/curler.o -MMD -MP -MF .d/curler.o.Td -Werror -Wall -Wextra -Wdeclaration-after-statement -Wvla -Wmissing-prototypes -Wstrict-prototypes -Wold-style-definition -std=gnu99 -g -O2 -Wp,-D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -fno-common -fstack-protector -fPIC -fexceptions -fvisibility=hidden -I../include/libmtdac -DLIBNAME=\"libmtdac\" -DGIT_VERSION=\"\" -pipe -c -o .objs/curler.o curler.c
curler.c: In function 'do_curl':
curler.c:292:2: error: offset '1' outside bounds of constant string [-Werror=array-bounds]
292 | snprintf(ua, 1024, "%s %d.%d.%d (%s) / (libcurl/%s)",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
293 | LIBNAME, LIBMTDAC_MAJOR_VERSION, LIBMTDAC_MINOR_VERSION,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
294 | LIBMTDAC_MICRO_VERSION, GIT_VERSION + 1, verinfo->version);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The GIT_VERSION is empty! and just above that we have
fatal: unsafe repository ('/__w/libmtdac/libmtdac' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/libmtdac/libmtdac
This is the result of trying to run
git describe --long --dirty
GitHub have made some changes to the actions/checkout@...[2] to
workaround this, however this doesn't persist beyond the initial
checkout stage[3] and so the git command fails in the Makefile where we
try and get the version.
To fix this we need to set the safe.directory ourselves from the make
action. This updates all the builds as it won't harm older gits that
don't have this issue and don't know about safe.directory (they'll just
ignore that setting).
[0]: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
[1]: https://github.blog/2022-04-12-git-security-vulnerability-announced/
[2]: actions/checkout#762
[3]: actions/checkout#766
Signed-off-by: Andrew Clayton <andrew@digital-domain.net>
ac000
added a commit
to ac000/libmtdac
that referenced
this issue
Apr 23, 2022
Git recently made some updates[0][1] fixing a CVE.
This has unfortunately caused the build on Alpine to fail with the
following
gcc -MT .objs/curler.o -MMD -MP -MF .d/curler.o.Td -Werror -Wall -Wextra -Wdeclaration-after-statement -Wvla -Wmissing-prototypes -Wstrict-prototypes -Wold-style-definition -std=gnu99 -g -O2 -Wp,-D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -fno-common -fstack-protector -fPIC -fexceptions -fvisibility=hidden -I../include/libmtdac -DLIBNAME=\"libmtdac\" -DGIT_VERSION=\"\" -pipe -c -o .objs/curler.o curler.c
curler.c: In function 'do_curl':
curler.c:292:2: error: offset '1' outside bounds of constant string [-Werror=array-bounds]
292 | snprintf(ua, 1024, "%s %d.%d.%d (%s) / (libcurl/%s)",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
293 | LIBNAME, LIBMTDAC_MAJOR_VERSION, LIBMTDAC_MINOR_VERSION,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
294 | LIBMTDAC_MICRO_VERSION, GIT_VERSION + 1, verinfo->version);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The GIT_VERSION is empty! and just above that we have
fatal: unsafe repository ('/__w/libmtdac/libmtdac' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/libmtdac/libmtdac
This is the result of trying to run
git describe --long --dirty
GitHub have made some changes to the actions/checkout@...[2] to
workaround this, however this doesn't persist beyond the initial
checkout stage[3] and so the git command fails in the Makefile where we
try and get the version.
To fix this we need to set the safe.directory ourselves from the make
action.
This updates all the builds, except centos_7 where we don't install git,
as it won't harm older gits that don't have this issue and don't know
about safe.directory (they'll just ignore that setting).
[0]: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
[1]: https://github.blog/2022-04-12-git-security-vulnerability-announced/
[2]: actions/checkout#762
[3]: actions/checkout#766
Signed-off-by: Andrew Clayton <andrew@digital-domain.net>
6 tasks
This doesn't just affect stuff like pushing to git, it breaks even relatively common things like "git status", "git describe", basically any git command at all. Therefore anyone who uses that sort of information in their jobs will see breakage. In my case, https://github.com/pypa/setuptools_scm no longer works. Is there an issue tracking the "addressing this at an ecosystem level" which I can watch and get notified when it's resolved? Thanks! |
rcgoodfellow
added a commit
to oxidecomputer/dlpi-sys
that referenced
this issue
May 5, 2022
- issue: actions/checkout#760 - fix: actions/checkout#762
chschuermann
added a commit
to dreipol/git-mirror-action
that referenced
this issue
May 11, 2022
Error message was:
"""
fatal: unsafe repository ('/github/workspace' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /github/workspace
"""
Reference:
actions/checkout#762
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 11, 2022
By bumping the version of this action to v3, it incorporates the
setting of safe mode on the repo directories, avoiding the error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 11, 2022
By bumping the version of this action to v3, it incorporates the
setting of safe mode on the repo directories, avoiding the error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 11, 2022
By bumping the version of this action to v3, it incorporates the
setting of safe mode on the repo directories, avoiding the error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 11, 2022
This workflow is currently failing, giving the following error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
The checkout action, on version 3, has the capability to set the safe
mode on repos it checks out, but, it's limited to the scope of that
action.
Let's work around this limitation and more recent git behavior and set
the safe mode on the repo directory manually.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 13, 2022
This workflow is currently failing, giving the following error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
Let's work around this limitation and more recent git behavior and set
the safe mode on the repo directory manually.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
clebergnu
added a commit
to clebergnu/avocado
that referenced
this issue
May 16, 2022
This workflow is currently failing, giving the following error:
fatal: unsafe repository ('/__w/avocado/avocado' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /__w/avocado/avocado
Error: Process completed with exit code 128.
Let's work around this limitation and more recent git behavior and set
the safe mode on the repo directory manually.
Reference: actions/checkout#762
Signed-off-by: Cleber Rosa <crosa@redhat.com>
6 tasks
3 tasks
This was referenced Jun 14, 2022
liketechnik
added a commit
to Compilerbau/CB-Lecture-Bachelor
that referenced
this issue
Jul 5, 2022
Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (actions/checkout#762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, actions/checkout#760), by marking the /data directory inside the container as safe for git during the container build.
liketechnik
added a commit
to Compilerbau/CB-Lecture-Bachelor
that referenced
this issue
Jul 5, 2022
Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (actions/checkout#762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, actions/checkout#760), by marking the /data directory inside the container as safe for git during the container build.
7 tasks
cagix
added a commit
to Compilerbau/CB-Lecture-Bachelor
that referenced
this issue
Jul 18, 2022
* tooling: git safe repo directory for docker image Fixes an issue introduced with a recent git update (https://github.blog/2022-04-12-git-security-vulnerability-announced/) with a common workaround (actions/checkout#762, https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else, actions/checkout#760), by marking the /data directory inside the container as safe for git during the container build. * tooling: point git to directory instead of disabling security features Easier to maintain version of 7c2b552 that additionally does not fiddle with security sensitive settings. * style(Makefile): docker git env into separate variable * tooling: extract repo location inside container into variable * tooling: replace missing hardcoded /data with variable Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling(delete-rem-tags): pass git commit info (#19) * tooling(delete-rem-tags): pass git commit info Passes git author information via environment variables into the docker container, in order to ensure commits done by the script have correct author information. * tooling(delete-rem-tags): pass git full commit info Pass not only author information, but committer information too, since git seems to be *sometimes* unhappy with only author information, for whatever reason. * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> * tooling: makefile formatting Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de> Co-authored-by: Carsten Gips <cagix@fh-bielefeld.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
This pr fixes #760 by setting the repositories path as a safe directory when running checkout and removing that config on cleanup.
We aren't able to set it as a local config, as this setting only works for global configs.
So, using the standard we used for submodules, lets go ahead and copy the existing global config to a new location. Then we can go ahead and modify that global config (so we don't modify like a users global config if they test something on a self hosted runner real fast). Then, we can delete that global config at the end of the checkout step.
This does carry some limitations, it doesn't persist this configuration for the duration of the job mainly. So if your job pushes to git or something after checkout, that will continue to fail. We need to figure out how to address this at an ecosystem level, outside of the checkout action.