git submodule: update=!command

git submodule: update=!command

[Ryan Lortie]

karaj,

'man git-submodule' contains mention (in one place) that:

    Setting the key submodule.$name.update to !command
    will cause command to be run.

This is not documented in 'man gitmodules' (which documents the other
possible values for the 'update' key) nor in 'man git-config' which also
mentions the 'update' key (but refers readers to the two other pages).

This feature is scary.  The idea that arbitrary code could be executed
on my machine when I run innocent-looking git commands, based on the
content of the .gitmodules file is enough to  give pause to anybody.

Fortunately, it seems that (for now?) this is not really the case.  'git
submodule init' will copy the values of the 'update' key from
.gitmodules to your local git config, but only if they are one of
"none", "checkout", "merge" or "rebase".

So, I guess I'm asking two things.

The first is a question about git's basic policy with respect to things
like this.  I hope that it's safe to assume that running 'git' commands
on repositories downloaded from potentially-hostile places will never
result in the authors of those repositories being able to run code on my
machine.

If that is true then, the second request would be to spell this out more
explicitly in the relevant documentation.  I'm happy to write a patch to
do that, if it is deemed appropriate.

Thanks in advance.

Cheers

Re: git submodule: update=!command

[Jeff King]

On Tue, Mar 17, 2015 at 03:28:57PM -0400, Ryan Lortie wrote:

> The first is a question about git's basic policy with respect to things
> like this.  I hope that it's safe to assume that running 'git' commands
> on repositories downloaded from potentially-hostile places will never
> result in the authors of those repositories being able to run code on my
> machine.

Definitely, our policy is that downloading a git repository should not
result in arbitrary code being run. If there is a case of that, it would
be a serious security bug.

I am not an expert on submodules, but I think the security module there
is:

  1. You can do whatever you like in submodule.*.update entries in
     .git/config, including arbitrary code. Nobody but the user can
     write to it.

  2. The submodule code may migrate entries from .gitmodules into
     .git/config, but does so with an allow-known-good whitelist (see
     git-submodule.sh lines 622-637).

So AFAICT there's no bug here, and the system is working as designed.
It might be worth mentioning that restriction in the submodule
documentation, if only to prevent non-malicious people from wondering
why adding "!foo" does not work in .gitmodules.

> If that is true then, the second request would be to spell this out more
> explicitly in the relevant documentation.  I'm happy to write a patch to
> do that, if it is deemed appropriate.

Yeah, spelling out the security model more explicitly would be good.
There is also some subtlety around hooks. Doing:

  git clone user@host:/path/to/repo.git local

should never run code controlled by "repo.git" as "user@host". But
doing:

  ssh user@host 'cd /path/to/repo.git && git log'

will respect the .git/config in repo.git, which may include arbitrary
commands.

-Peff

Re: git submodule: update=!command

[Ryan Lortie]

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

On Tue, Mar 17, 2015, at 15:50, Jeff King wrote:
> Yeah, spelling out the security model more explicitly would be good.

Please see the attached patch.

Cheers

[-- Attachment #2: 0001-docs-clarify-command-submodule-update-policy.patch --]
[-- Type: application/octet-stream, Size: 2625 bytes --]

From a6d70056f21f039db8676f72a1deca00c39121bd Mon Sep 17 00:00:00 2001
From: Ryan Lortie <desrt@desrt.ca>
Date: Tue, 17 Mar 2015 16:29:51 -0400
Subject: [PATCH] docs: clarify !command submodule update policy

Clarify that the !command submodule update policy is not available from
.gitmodules files.

This should help calm any fears people have about the security
implications of this otherwise scary-looking feature.

Signed-off-by: Ryan Lortie <desrt@desrt.ca>
---
 Documentation/git-submodule.txt | 10 +++++++---
 Documentation/gitmodules.txt    | 11 ++++++++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/Documentation/git-submodule.txt b/Documentation/git-submodule.txt
index 8e6af65..a033e26 100644
--- a/Documentation/git-submodule.txt
+++ b/Documentation/git-submodule.txt
@@ -159,9 +159,13 @@ update::
 	This will make the submodules HEAD be detached unless `--rebase` or
 	`--merge` is specified or the key `submodule.$name.update` is set to
 	`rebase`, `merge` or `none`. `none` can be overridden by specifying
-	`--checkout`. Setting the key `submodule.$name.update` to `!command`
-	will cause `command` to be run. `command` can be any arbitrary shell
-	command that takes a single argument, namely the sha1 to update to.
+	`--checkout`.
++
+Setting the key `submodule.$name.update` in `.git/config` to
+`!command` will cause `command` to be run. `command` can be any
+arbitrary shell command that takes a single argument, namely the sha1
+to update to.  For security reasons, this feature is not supported
+from the `.gitmodules` file.
 +
 If the submodule is not yet initialized, and you just want to use the
 setting as stored in .gitmodules, you can automatically initialize the
diff --git a/Documentation/gitmodules.txt b/Documentation/gitmodules.txt
index f6c0dfd..f11e872 100644
--- a/Documentation/gitmodules.txt
+++ b/Documentation/gitmodules.txt
@@ -47,9 +47,14 @@ submodule.<name>.update::
 	in the submodule.
 	If 'none', the submodule with name `$name` will not be updated
 	by default.
-
-	This config option is overridden if 'git submodule update' is given
-	the '--merge', '--rebase' or '--checkout' options.
++
+This config option is overridden if 'git submodule update' is given
+the '--merge', '--rebase' or '--checkout' options.
++
+Only the values 'checkout', 'rebase', 'merge' and 'none' are
+recognized when this key appears in the `.gitmodules` file.  In
+particular, '!command' is not recognised, and will be rewritten to
+'none' by "git submodule init".
 
 submodule.<name>.branch::
 	A remote branch name for tracking updates in the upstream submodule.
-- 
2.1.4

Re: git submodule: update=!command

[Junio C Hamano]

Ryan Lortie <desrt@desrt.ca> writes:

> 'man git-submodule' contains mention (in one place) that:
>
>     Setting the key submodule.$name.update to !command
>     will cause command to be run.
>
> This is not documented in 'man gitmodules' (which documents the other
> possible values for the 'update' key)

Yes, that is deliberate, because you cannot use !command in .gitmodules
that is tracked for security reasons.

With more recent versions of Git, namely, the versions after
30a52c1d (Merge branch 'ms/submodule-update-config-doc' into maint,
2015-03-13), the documentation pages already have updated
descriptions around this area.

Re: git submodule: update=!command

[Ryan Lortie]

On Tue, Mar 17, 2015, at 16:49, Junio C Hamano wrote:
> With more recent versions of Git, namely, the versions after
> 30a52c1d (Merge branch 'ms/submodule-update-config-doc' into maint,
> 2015-03-13), the documentation pages already have updated
> descriptions around this area.

sigh.

That's what I get for forgetting to type 'git pull' before writing a
patch.

Sorry for the noise!

Cheers

Re: git submodule: update=!command

[Junio C Hamano]

Ryan Lortie <desrt@desrt.ca> writes:

> On Tue, Mar 17, 2015, at 16:49, Junio C Hamano wrote:
>> With more recent versions of Git, namely, the versions after
>> 30a52c1d (Merge branch 'ms/submodule-update-config-doc' into maint,
>> 2015-03-13), the documentation pages already have updated
>> descriptions around this area.
>
> sigh.
>
> That's what I get for forgetting to type 'git pull' before writing a
> patch.
>
> Sorry for the noise!

Nothing to apologise or sigh about.  You re-confirmed that the old
documentation was lacking, which led to an earlier discussion which
in turn led to Michal to update the documentation.  If you check the
output from

    git diff 30a52c1d^ 30a52c1d

and find it appropriately address the problem you originally had,
that would be wonderful, and if you can suggest further improvement,
that is equally good.

Thanks for participating in our effort to collectively make Git
better.

Re: git submodule: update=!command

[Ryan Lortie]

kara,

On Tue, Mar 17, 2015, at 17:05, Junio C Hamano wrote:
> If you check the output from
> 
>     git diff 30a52c1d^ 30a52c1d
> 
> and find it appropriately address the problem you originally had,
> that would be wonderful, and if you can suggest further improvement,
> that is equally good.

Indeed, the new version of the docs looks much better.  I'm particularly
happy about the change to the format to make it easier to visually scan
for the possible update modes.

Cheers

Re: git submodule: update=!command

[Chris Packham]

A little late to this thread

On Wed, Mar 18, 2015 at 8:50 AM, Jeff King <peff@peff.net> wrote:
> On Tue, Mar 17, 2015 at 03:28:57PM -0400, Ryan Lortie wrote:
>
>> The first is a question about git's basic policy with respect to things
>> like this.  I hope that it's safe to assume that running 'git' commands
>> on repositories downloaded from potentially-hostile places will never
>> result in the authors of those repositories being able to run code on my
>> machine.
>
> Definitely, our policy is that downloading a git repository should not
> result in arbitrary code being run. If there is a case of that, it would
> be a serious security bug.
>
> I am not an expert on submodules, but I think the security module there
> is:
>
>   1. You can do whatever you like in submodule.*.update entries in
>      .git/config, including arbitrary code. Nobody but the user can
>      write to it.

Which was always the intention of the !command feature. It's for users
who want to use additional git porcelains that need some help dealing
with submodule updates (e.g stgit).

>   2. The submodule code may migrate entries from .gitmodules into
>      .git/config, but does so with an allow-known-good whitelist (see
>      git-submodule.sh lines 622-637).
>
> So AFAICT there's no bug here, and the system is working as designed.
> It might be worth mentioning that restriction in the submodule
> documentation, if only to prevent non-malicious people from wondering
> why adding "!foo" does not work in .gitmodules.

At the time the !command feature and copying of update config from
.gitmodules slid past each other on the list. But out of that I think
we got a much better handling that provides security and version
compatibility.

>> If that is true then, the second request would be to spell this out more
>> explicitly in the relevant documentation.  I'm happy to write a patch to
>> do that, if it is deemed appropriate.
>
> Yeah, spelling out the security model more explicitly would be good.
> There is also some subtlety around hooks. Doing:
>
>   git clone user@host:/path/to/repo.git local
>
> should never run code controlled by "repo.git" as "user@host". But
> doing:
>
>   ssh user@host 'cd /path/to/repo.git && git log'
>
> will respect the .git/config in repo.git, which may include arbitrary
> commands.
>
> -Peff

Re: git submodule: update=!command

[Chris Packham]

On Wed, Mar 18, 2015 at 10:05 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Ryan Lortie <desrt@desrt.ca> writes:
>
>> On Tue, Mar 17, 2015, at 16:49, Junio C Hamano wrote:
>>> With more recent versions of Git, namely, the versions after
>>> 30a52c1d (Merge branch 'ms/submodule-update-config-doc' into maint,
>>> 2015-03-13), the documentation pages already have updated
>>> descriptions around this area.
>>
>> sigh.
>>
>> That's what I get for forgetting to type 'git pull' before writing a
>> patch.
>>
>> Sorry for the noise!
>
> Nothing to apologise or sigh about.  You re-confirmed that the old
> documentation was lacking, which led to an earlier discussion which
> in turn led to Michal to update the documentation.  If you check the
> output from
>
>     git diff 30a52c1d^ 30a52c1d
>
> and find it appropriately address the problem you originally had,
> that would be wonderful, and if you can suggest further improvement,
> that is equally good.

I think 30a52c1d could be improved with the following snippet from Ryans patch.

"For security reasons, this feature is not supported from the
`.gitmodules` file"

Or something along those lines.

Re: git submodule: update=!command

[Chris Packham]

On Wed, Mar 18, 2015 at 8:43 PM, Chris Packham <judge.packham@gmail.com> wrote:
> On Wed, Mar 18, 2015 at 10:05 AM, Junio C Hamano <gitster@pobox.com> wrote:
>> Ryan Lortie <desrt@desrt.ca> writes:
>>
>>> On Tue, Mar 17, 2015, at 16:49, Junio C Hamano wrote:
>>>> With more recent versions of Git, namely, the versions after
>>>> 30a52c1d (Merge branch 'ms/submodule-update-config-doc' into maint,
>>>> 2015-03-13), the documentation pages already have updated
>>>> descriptions around this area.
>>>
>>> sigh.
>>>
>>> That's what I get for forgetting to type 'git pull' before writing a
>>> patch.
>>>
>>> Sorry for the noise!
>>
>> Nothing to apologise or sigh about.  You re-confirmed that the old
>> documentation was lacking, which led to an earlier discussion which
>> in turn led to Michal to update the documentation.  If you check the
>> output from
>>
>>     git diff 30a52c1d^ 30a52c1d
>>
>> and find it appropriately address the problem you originally had,
>> that would be wonderful, and if you can suggest further improvement,
>> that is equally good.
>
> I think 30a52c1d could be improved with the following snippet from Ryans patch.
>
> "For security reasons, this feature is not supported from the
> `.gitmodules` file"
>
> Or something along those lines.

Which is actually down the bottom if I take the time to read the whole diff.