Harden workspace git indexing against repo-configured fsmonitor execution#1873
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
github-actions
bot
added
size:S
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
ApprovabilityVerdict: Approved Security hardening change that disables fsmonitor and untrackedCache git options when indexing workspace files, preventing potential arbitrary code execution from malicious repo configurations. The changes are defensive, well-tested, and limited in scope. You can customize Macroscope's approvability policy. Learn more. |
macroscopeapp
bot
dismissed
their stale review
Dismissing prior approval to re-evaluate 9b14396
1 participant
Motivation
git ls-filesandgit check-ignoreinside repositories which allowed repo-configured helpers likecore.fsmonitorto execute attacker-supplied code in untrusted repos.Description
WORKSPACE_GIT_HARDENED_CONFIG_ARGSconstant with-c core.fsmonitor=falseand-c core.untrackedCache=falseto explicitly disable repo-configured fsmonitor/untracked-cache helpers.git ls-files ... -zinvocation inlistWorkspaceFilesso workspace file enumeration no longer honors repo helpers.git check-ignore --no-index -z --stdininvocations used byfilterIgnoredPathsso ignore filtering also cannot trigger repo helpers.GitCoreunit tests to expect the hardened args for the check-ignore path and add an additional test asserting the hardened args are passed tols-fileswhile verifying returned paths remain unchanged.Testing
apps/server/src/git/Layers/GitCore.test.tsto assert the hardened git args are used; these tests were committed with the change.bun fmt,bun lint, andbun typecheck, but they could not be executed in this environment becausebunis not installed (/bin/bash: bun: command not found).bun run test/ Vitest) was executed here due to the same missingbunruntime, so test execution results are not available in this environment.Codex Task
Note
Medium Risk
Changes the arguments used for workspace file enumeration and ignore filtering, which could affect performance/behavior in some repos despite being a targeted hardening change. Main risk is unexpected differences in
git ls-files/git check-ignoreoutput or timing on edge-case configurations.Overview
Hardens workspace indexing against repo-configured helper execution. Workspace indexing now prepends
-c core.fsmonitor=false -c core.untrackedCache=falseto the git commands used bylistWorkspaceFiles(git ls-files …) andfilterIgnoredPaths(git check-ignore …) to prevent repository config from triggering fsmonitor/untracked-cache helpers.Tests were updated to expect the hardened args for
check-ignore, and a new unit test assertslistWorkspaceFilespasses the hardened config while preserving parsed path output.Reviewed by Cursor Bugbot for commit 9b14396. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Disable fsmonitor and untracked cache for workspace git indexing commands
Adds a shared
WORKSPACE_GIT_HARDENED_CONFIG_ARGSconstant (-c core.fsmonitor=false -c core.untrackedCache=false) and prepends it to the git invocations inGitCore.listWorkspaceFilesandGitCore.filterIgnoredPaths. This prevents repo-configured fsmonitor hooks from interfering with workspace file indexing and ignore filtering.Macroscope summarized 9b14396.