
(GH-535) Fix for safe directories #549

Merged
merged 2 commits into from
Jun 22, 2022

Conversation


@chelnak chelnak commented Jun 15, 2022

After git was patched for CVE-2022-24765 the git binary would fail to execute in a repository that was owned by another user or group.

As of git 2.35.2, you can specify the safe.directory configuration or for prior versions define the GIT_CEILING_DIRECTORIES environment variable to whitelist known directories.

For users of VCSRepo running newer versions of git, there was no obvious way to apply the remediation.

This PR will close #535 by adding a safe_directory property to the type, allowing users to explicitly mark a path as 'safe'.
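The following manifest is an added example, not code from this pull request or the vcsrepo module, showing how the new `safe_directory` property is used alongside `owner` in a resource. The path `/opt/app`, the `app` user and group, and the source URL are constructed placeholders.

```puppet
# Added example (not part of the vcsrepo project or this PR).
# A checkout owned by a service account: on Git >= 2.35.2 the patched
# binary refuses to operate on a repository owned by another user unless
# the path is listed in safe.directory. Setting safe_directory => true
# has the module register the resource path in Git's global
# safe.directory configuration, so the run no longer fails.
vcsrepo { '/opt/app':
  ensure         => latest,
  provider       => git,
  source         => 'https://git.example.com/org/app.git',  # placeholder URL
  revision       => 'main',
  owner          => 'app',
  group          => 'app',
  safe_directory => true,  # adds /opt/app to the global safe.directory list
}
```

The effect on the node is equivalent to running `git config --global --add safe.directory /opt/app` as the user Puppet invokes git as. The entry is a statement of trust in that specific path, which is what the CVE-2022-24765 ownership check is protecting, so keep `safe_directory` limited to paths Puppet itself manages rather than working around the check globally; on Git versions before 2.35.2 the property has no equivalent and the `GIT_CEILING_DIRECTORIES` approach mentioned above still applies.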

@puppet-community-rangefinder

vcsrepo is a type

Breaking changes to this file WILL impact these 173 modules (exact match):
Breaking changes to this file MAY impact these 65 modules (near match):

This module is declared in 109 of 579 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.


chelnak commented Jun 15, 2022

Merge of #548 needed followed by rebase before work on this can continue.

@chelnak chelnak linked an issue Jun 15, 2022 that may be closed by this pull request
@chelnak chelnak force-pushed the GH-535-safe_directories branch 3 times, most recently from fba9e2d to 7f7c403 June 15, 2022 09:50
@chelnak chelnak marked this pull request as ready for review June 16, 2022 10:10
@chelnak chelnak requested a review from a team as a code owner June 16, 2022 10:10
david22swan
david22swan previously approved these changes Jun 16, 2022
@chelnak chelnak force-pushed the GH-535-safe_directories branch 9 times, most recently from 55a7859 to 2a4f83b June 17, 2022 09:52
@chelnak chelnak changed the title (GH-535) Fix for safe directories (WIP) (GH-535) Fix for safe directories Jun 17, 2022
Prior to this commit, users running newer versions of Git and setting
the `owner` parameter on a resource would encounter an error during
puppet runs.

This commit fixes the issue by allowing users to add the path of the
resources to Git's global `safe.directory` configuration.

This can be achieved by specifying `safe_directory => true` on a resource.

This commit adds a section to the README that briefly describes the CVE
and our mitigation to errors caused by its remediation in later Git
versions.
@chelnak chelnak self-assigned this Jun 17, 2022
@chelnak chelnak closed this Jun 20, 2022
@chelnak chelnak reopened this Jun 20, 2022

@chelnak chelnak merged commit 478df76 into main Jun 22, 2022
@chelnak chelnak deleted the GH-535-safe_directories branch June 22, 2022 12:29
@mfuhrmann

@chelnak Thanks for working on that! How can I get this patch? Will this be added into a future version?
Here we still have version 5 from 2021: https://forge.puppet.com/modules/puppetlabs/vcsrepo


chelnak commented Jun 24, 2022

Hello hello!

I wanted to let it rest in main for a few days just to see if anything popped up.

I'll cut a release today 👍

@chelnak chelnak added the bugfix label Jun 24, 2022

chelnak commented Jun 24, 2022

@mfuhrmann v5.1.0 is up on the forge now 😄

Linked issue (may be closed by this pull request): #535 "ensure => latest now broken after CVE-2022-24765 patch."