From: <email@example.com> To: "'brian m. carlson'" <firstname.lastname@example.org>, "'Justin Steven'" <email@example.com> Cc: "'Glen Choo'" <firstname.lastname@example.org>, <email@example.com>, "'Emily Shaffer'" <firstname.lastname@example.org>, "'Taylor Blau'" <email@example.com> Subject: RE: Bare repositories in the working tree are a security risk Date: Thu, 7 Apr 2022 18:40:18 -0400 [thread overview] Message-ID: <firstname.lastname@example.org> (raw) In-Reply-To: <Yk9hONuCIVIq6ieV@camp.crustytoothpaste.net> On April 7, 2022 6:10 PM, brian m. carlson wrote: >On 2022-04-07 at 21:53:26, Justin Steven wrote: >> Hi all, >> >> I'm the author of one of the articles linked in Glen's mail. Thank you >> Glen for summarising the problem beautifully and pushing this forward. >> >> Brian said: >> > As mentioned elsewhere, git status doesn't work without a working tree. >> >> This is correct. However, it is possible to embed a bare repo that has >> its own core.worktree which points to a directory within the >> containing repo, satisfying the requirement of having a working tree. >> This is covered in the article  and looks to be accounted for in >> Taylor's reproducer script which admittedly I haven't run. >> >> > Instead, I'd rather see us avoid executing any program from the >> > config or any hooks in a bare repository without a working tree >> > (except for pushes). I think that would avoid breaking things while >> > still improving security. >> >> Due to the fact that the embedded bare repo can be made to have a >> working tree, this won't be an effective fix. > >Then we'd probably be better off just walking up the entire hierarchy and >excluding worktrees from embedded bare repositories, or otherwise restricting >the config we read. That will probably mean we'll need to walk the entire >directory hierarchy to see if it's embedded (or at least to the root of the device) in >such a case, but that should be relatively uncommon. > >I'd definitely like to see us make a security improvement here, but I also would like >to avoid us breaking a lot of repositories, especially since we lack alternatives. > >If git fast-import could 100% correctly round-trip all commits and repositories, I >would be much more open to blocking this in fsck after a deprecation period, but >as it stands that's not possible. Perhaps improving that would be a suitable way >forward. One option relating to enable/disable this is to set up a config option that, by default is false, to allow embedded bare repositories. At least with enough warning that this option is required, it might be acceptable. I would prefer never to receive a bare repo through any means (including through a more worrying submodule). From an attack vector standpoint, I would be more concerned about this in an automation setting, say GitHub workflows or Jenkins GitSCM. At least with GitHub workflows, this is "somewhat" contained within VMs under GitHub's control - although not entirely. Jenkins is probably more vulnerable as the clones done through that path do not get the same scrutiny, although in my world, I use a dedicated non-root UID and sandbox the whole thing. This topic makes me nervous and wonder whether we should be self-reporting a CVE. Shuddering, Randall
next prev parent reply other threads:[~2022-04-07 22:40 UTC|newest] Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-04-06 22:43 Glen Choo 2022-04-06 23:22 ` [PATCH] fsck: detect bare repos in trees and warn Glen Choo 2022-04-07 12:42 ` Johannes Schindelin 2022-04-07 13:21 ` Derrick Stolee 2022-04-07 14:14 ` Ævar Arnfjörð Bjarmason 2022-04-14 20:02 ` Glen Choo 2022-04-15 12:46 ` Ævar Arnfjörð Bjarmason 2022-04-07 15:11 ` Junio C Hamano 2022-04-13 22:24 ` Glen Choo 2022-04-07 13:12 ` Ævar Arnfjörð Bjarmason 2022-04-07 15:20 ` Junio C Hamano 2022-04-07 18:38 ` Bare repositories in the working tree are a security risk John Cai 2022-04-07 21:24 ` brian m. carlson 2022-04-07 21:53 ` Justin Steven 2022-04-07 22:10 ` brian m. carlson 2022-04-07 22:40 ` rsbecker [this message] 2022-04-08 5:54 ` Junio C Hamano 2022-04-14 0:03 ` Junio C Hamano 2022-04-14 0:04 ` Glen Choo 2022-04-13 23:44 ` Glen Choo 2022-04-13 20:37 ` Glen Choo 2022-04-13 23:36 ` Junio C Hamano 2022-04-14 16:41 ` Glen Choo 2022-04-14 17:35 ` Junio C Hamano 2022-04-14 18:19 ` Junio C Hamano 2022-04-15 21:33 ` Glen Choo 2022-04-15 22:17 ` Junio C Hamano 2022-04-16 0:52 ` Taylor Blau 2022-04-15 22:43 ` Glen Choo 2022-04-15 20:13 ` Junio C Hamano 2022-04-15 23:45 ` Glen Choo 2022-04-15 23:59 ` Glen Choo 2022-04-16 1:00 ` Taylor Blau 2022-04-16 1:18 ` Junio C Hamano 2022-04-16 1:30 ` Taylor Blau 2022-04-16 0:34 ` Glen Choo 2022-04-16 0:41 ` Glen Choo 2022-04-16 1:28 ` Taylor Blau 2022-04-21 18:25 ` Emily Shaffer 2022-04-21 18:29 ` Emily Shaffer 2022-04-21 18:47 ` Junio C Hamano 2022-04-21 18:54 ` Taylor Blau 2022-04-21 19:09 ` Taylor Blau 2022-04-21 21:01 ` Emily Shaffer 2022-04-21 21:22 ` Taylor Blau 2022-04-29 23:57 ` Glen Choo 2022-04-30 1:14 ` Taylor Blau 2022-05-02 19:39 ` Glen Choo 2022-05-02 14:05 ` Philip Oakley 2022-05-02 18:50 ` Junio C Hamano
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --email@example.com' \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='RE: Bare repositories in the working tree are a security risk' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).