fetch/clone: detect dubious ownership of local repositories

When cloning from somebody else's repositories, it is possible that,
say, the `upload-pack` command is overridden in the repository that is
about to be cloned, which would then be run in the user's context who
started the clone.

To remind the user that this is a potentially unsafe operation, let's
extend the ownership checks we have already established for regular
gitdir discovery to extend also to local repositories that are about to
be cloned.

This protection extends also to file:// URLs.

The fixes in this commit address CVE-2024-32004.

Note: This commit does not touch the `fetch`/`clone` code directly, but
instead the function used implicitly by both: `enter_repo()`. This
function is also used by `git receive-pack` (i.e. pushes), by `git
upload-archive`, by `git daemon` and by `git http-backend`. In setups
that want to serve repositories owned by different users than the
account running the service, this will require `safe.*` settings to be
configured accordingly.

Also note: there are tiny time windows where a time-of-check-time-of-use
("TOCTOU") race is possible. The real solution to those would be to work
with `fstat()` and `openat()`. However, the latter function is not
available on Windows (and would have to be emulated with rather
expensive low-level `NtCreateFile()` calls), and the changes would be
quite extensive, for my taste too extensive for the little gain given
that embargoed releases need to pay extra attention to avoid introducing
inadvertent bugs.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

diff --git a/cache.h b/cache.h
index fcf49706ad56ad407774405e94058685c59009ef..a46a3e4b6b1ebc48fe42489edf77701a2a1ac738 100644 (file)
--- a/cache.h
+++ b/cache.h
@@ -606,6 +606,18 @@ void set_git_work_tree(const char *tree);
 
 #define ALTERNATE_DB_ENVIRONMENT "GIT_ALTERNATE_OBJECT_DIRECTORIES"
 
+/*
+ * Check if a repository is safe and die if it is not, by verifying the
+ * ownership of the worktree (if any), the git directory, and the gitfile (if
+ * any).
+ *
+ * Exemptions for known-safe repositories can be added via `safe.directory`
+ * config settings; for non-bare repositories, their worktree needs to be
+ * added, for bare ones their git directory.
+ */
+void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
+                               const char *gitdir);
+
 void setup_work_tree(void);
 /*
  * Find the commondir and gitdir of the repository that contains the current

diff --git a/path.c b/path.c
index 492e17ad12106233ddde63b724992f388693be10..d61f70e87d4cb8dcd34683a8df40ef8f4a2c27b5 100644 (file)
--- a/path.c
+++ b/path.c
@@ -840,6 +840,7 @@ const char *enter_repo(const char *path, int strict)
                if (!suffix[i])
                        return NULL;
                gitfile = read_gitfile(used_path.buf);
+               die_upon_dubious_ownership(gitfile, NULL, used_path.buf);
                if (gitfile) {
                        strbuf_reset(&used_path);
                        strbuf_addstr(&used_path, gitfile);
@@ -850,6 +851,7 @@ const char *enter_repo(const char *path, int strict)
        }
        else {
                const char *gitfile = read_gitfile(path);
+               die_upon_dubious_ownership(gitfile, NULL, path);
                if (gitfile)
                        path = gitfile;
                if (chdir(path))

diff --git a/setup.c b/setup.c
index cefd5f63c4680f7f656084ef72f74784f86e4562..9d401ae4c8f1cb2c0139ffe0bcbcf13c0fe5382b 100644 (file)
--- a/setup.c
+++ b/setup.c
@@ -1165,6 +1165,27 @@ static int ensure_valid_ownership(const char *gitfile,
        return data.is_safe;
 }
 
+void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
+                               const char *gitdir)
+{
+       struct strbuf report = STRBUF_INIT, quoted = STRBUF_INIT;
+       const char *path;
+
+       if (ensure_valid_ownership(gitfile, worktree, gitdir, &report))
+               return;
+
+       strbuf_complete(&report, '\n');
+       path = gitfile ? gitfile : gitdir;
+       sq_quote_buf_pretty(&quoted, path);
+
+       die(_("detected dubious ownership in repository at '%s'\n"
+             "%s"
+             "To add an exception for this directory, call:\n"
+             "\n"
+             "\tgit config --global --add safe.directory %s"),
+           path, report.buf, quoted.buf);
+}
+
 static int allowed_bare_repo_cb(const char *key, const char *value, void *d)
 {
        enum allowed_bare_repo *allowed_bare_repo = d;

diff --git a/t/t0411-clone-from-partial.sh b/t/t0411-clone-from-partial.sh
index fb72a0a9fff31116779be3084d22562e98ac47a7..eb3360dbca035bb2ec4b147936c67eeec9b62404 100755 (executable)
--- a/t/t0411-clone-from-partial.sh
+++ b/t/t0411-clone-from-partial.sh
@@ -23,7 +23,7 @@ test_expect_success 'create evil repo' '
        >evil/.git/shallow
 '
 
-test_expect_failure 'local clone must not fetch from promisor remote and execute script' '
+test_expect_success 'local clone must not fetch from promisor remote and execute script' '
        rm -f script-executed &&
        test_must_fail git clone \
                --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
@@ -32,7 +32,7 @@ test_expect_failure 'local clone must not fetch from promisor remote and execute
        test_path_is_missing script-executed
 '
 
-test_expect_failure 'clone from file://... must not fetch from promisor remote and execute script' '
+test_expect_success 'clone from file://... must not fetch from promisor remote and execute script' '
        rm -f script-executed &&
        test_must_fail git clone \
                --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
@@ -41,7 +41,7 @@ test_expect_failure 'clone from file://... must not fetch from promisor remote a
        test_path_is_missing script-executed
 '
 
-test_expect_failure 'fetch from file://... must not fetch from promisor remote and execute script' '
+test_expect_success 'fetch from file://... must not fetch from promisor remote and execute script' '
        rm -f script-executed &&
        test_must_fail git fetch \
                --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \