From: Glen Choo <firstname.lastname@example.org> To: Junio C Hamano <email@example.com> Cc: firstname.lastname@example.org, Emily Shaffer <email@example.com>, firstname.lastname@example.org, Taylor Blau <email@example.com>, firstname.lastname@example.org, "brian m. carlson" <email@example.com> Subject: Re: Bare repositories in the working tree are a security risk Date: Fri, 15 Apr 2022 15:43:15 -0700 [thread overview] Message-ID: <firstname.lastname@example.org> (raw) In-Reply-To: <email@example.com> Glen Choo <firstname.lastname@example.org> writes: > Junio C Hamano <email@example.com> writes: > >> Glen Choo <firstname.lastname@example.org> writes: >> >>> Yes, I mean that even the current directory will be ignored when >>> discovery is disabled. >> >> OK. >> >>>> I am not sure that >>>> is realistically feasible (I am thinking of cases like "git fetch" >>>> going to the remote repository on the local disk that is bare to run >>>> "git upload-pack"), but if the fallout is not too bad, it may be a >>>> good heuristics. >>> >>> Good detail - I hadn't considered the impact on our own child processes. >>> I suspect this might be a huge undertaking. Unless there is significant >>> interest in this option, I probably won't pursue it further. >> >> I do not necessarily think so. The entry points to transport on the >> server side are quite limited (and the client side is dealing with >> your own repositories anyway), and they already know which directory >> in the server filesystem to hand to the upload-pack and friends, so >> it would be a matter of passing GIT_DIR=$there when they call into the >> run_command() API, if they are not already doing so. > > FWIW I experimented with turning off bare repo recognition altogether > and seeing what breaks. > > CI Run: https://github.com/chooglen/git/runs/6042600953?check_suite_focus=true > > AFAICT, most of the test failures are what we'd expect if we stopped > recognizing bare repos altogether. One stands out to me in particular > though - in t5550-http-fetch-dumb.sh, > > git clone $HTTPD_URL/dumb/repo.git clone-tmpl > > yields > > ++ git clone http://127.0.0.1:5550/dumb/repo.git clone-tmpl > Cloning into 'clone-tmpl'... > fatal: repository 'http://127.0.0.1:5550/dumb/repo.git/' not found > > This sounds to me like Git isn't recognizing the static http files as a > remote Git repo, and if so, --git-dir doesn't sound like it'll save us. > But I'm not that familiar with the transport code so I don't know if > this is a big deal or just a quirk with our httpd tests. Ok I think this is a false alarm - the previous test does some setup on the server, which is a bare repo. It was the _setup_ that was broken, not the actual `git clone`.
next prev parent reply other threads:[~2022-04-15 22:43 UTC|newest] Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-04-06 22:43 Glen Choo 2022-04-06 23:22 ` [PATCH] fsck: detect bare repos in trees and warn Glen Choo 2022-04-07 12:42 ` Johannes Schindelin 2022-04-07 13:21 ` Derrick Stolee 2022-04-07 14:14 ` Ævar Arnfjörð Bjarmason 2022-04-14 20:02 ` Glen Choo 2022-04-15 12:46 ` Ævar Arnfjörð Bjarmason 2022-04-07 15:11 ` Junio C Hamano 2022-04-13 22:24 ` Glen Choo 2022-04-07 13:12 ` Ævar Arnfjörð Bjarmason 2022-04-07 15:20 ` Junio C Hamano 2022-04-07 18:38 ` Bare repositories in the working tree are a security risk John Cai 2022-04-07 21:24 ` brian m. carlson 2022-04-07 21:53 ` Justin Steven 2022-04-07 22:10 ` brian m. carlson 2022-04-07 22:40 ` rsbecker 2022-04-08 5:54 ` Junio C Hamano 2022-04-14 0:03 ` Junio C Hamano 2022-04-14 0:04 ` Glen Choo 2022-04-13 23:44 ` Glen Choo 2022-04-13 20:37 ` Glen Choo 2022-04-13 23:36 ` Junio C Hamano 2022-04-14 16:41 ` Glen Choo 2022-04-14 17:35 ` Junio C Hamano 2022-04-14 18:19 ` Junio C Hamano 2022-04-15 21:33 ` Glen Choo 2022-04-15 22:17 ` Junio C Hamano 2022-04-16 0:52 ` Taylor Blau 2022-04-15 22:43 ` Glen Choo [this message] 2022-04-15 20:13 ` Junio C Hamano 2022-04-15 23:45 ` Glen Choo 2022-04-15 23:59 ` Glen Choo 2022-04-16 1:00 ` Taylor Blau 2022-04-16 1:18 ` Junio C Hamano 2022-04-16 1:30 ` Taylor Blau 2022-04-16 0:34 ` Glen Choo 2022-04-16 0:41 ` Glen Choo 2022-04-16 1:28 ` Taylor Blau 2022-04-21 18:25 ` Emily Shaffer 2022-04-21 18:29 ` Emily Shaffer 2022-04-21 18:47 ` Junio C Hamano 2022-04-21 18:54 ` Taylor Blau 2022-04-21 19:09 ` Taylor Blau 2022-04-21 21:01 ` Emily Shaffer 2022-04-21 21:22 ` Taylor Blau 2022-04-29 23:57 ` Glen Choo 2022-04-30 1:14 ` Taylor Blau 2022-05-02 19:39 ` Glen Choo 2022-05-02 14:05 ` Philip Oakley 2022-05-02 18:50 ` Junio C Hamano
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: Bare repositories in the working tree are a security risk' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).