Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate repository directory ownership (v1.3) #6268

Merged
merged 9 commits into from
Apr 12, 2022
Merged

Validate repository directory ownership (v1.3) #6268

merged 9 commits into from
Apr 12, 2022

Conversation

ethomson
Copy link
Member

Backport of #6266 to the v1.3 branch.

@ethomson
online: test with https instead of git protocol
6b12762 
GitHub is removing support for the unauthenticated git protocol; test
with the https protocol.
@ethomson
clone: update bitbucket tests
670415a
@ethomson
path: refactor ownership checks into current user and system
973d959 
Provide individual file ownership checks for both the current user and
the system user, as well as a combined current user and system user
check.
@ethomson
repo: ensure that repo dir is owned by current user
62d492d 
Ensure that the repository directory is owned by the current user; this
prevents us from opening configuration files that may have been created
by an attacker.
@ethomson
fs_path: mock ownership checks
e4eabb0 
Provide a mock for file ownership for testability.
@ethomson
repo: test configuration ownership validation
caee92e 
Test that we prevent opening directories that are not owned by
ourselves.
@ethomson
repo: refactor global config loader function
f683806 
Pull the global configuration loader out of the symlink check so that it
can be re-used.
@ethomson
repo: honor safe.directory during ownership checks
eb8c3e5 
Obey the `safe.directory` configuration variable if it is set in the
global or system configuration. (Do not try to load this from the
repository configuration - to avoid malicious repositories that then
mark themselves as safe.)
@ethomson
repo: make ownership checks optional
b58e905 
Introduce the `GIT_OPT_SET_OWNER_VALIDATION` option, so that users can
disable repository ownership validation.
@ethomson ethomson merged commit a9eac6a into maint/v1.3 Apr 12, 2022
@ethomson ethomson deleted the ethomson/ownership_13 branch April 12, 2022 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@ethomson