Skip to content

gix-path v0.10.11
Compare
Choose a tag to compare
@Byron Byron released this 06 Sep 05:49
· 281 commits to main since this release
gix-path-v0.10.11
012a754
This commit was signed with the committer’s verified signature.
Byron Sebastian Thiel
GPG key ID: 9CB5EE7895E8268B
Learn about vigilant mode.

Bug Fixes

  • Don't require usable temp dir to get installation config
    When running git config -l ... to find the configuration file
    path associated with the git installation itself, the current
    working directory for the subprocess was set to the current
    directory prior to #1523, and to /tmp or a /tmp-like directory
    since #1523 (which improved performance and security).

    This builds on #1523, as well as on subsequent changes to run git
    in a way that its behavior depends less on its CWD, by making an
    even more robust choice of CWD for the subprocess, so that the CWD
    is less likely to be deeply nested or on network storage; more
    likely to exist; and, on Unix-like systems, less likely to contain
    a .git entry (though a git with security updates should refuse
    to take any configuration from such a repository unless it is owned
    by the user).

    Due to a combination of other measures that harden against
    malicious or unusual contents (especially setting GIT_DIR), the
    most significant benefit of this change is to fix the problem that
    a nonexistent temp dir would prevent the command from succeeding.

    The main way that could happen is if TMPDIR on Unix-like systems,
    or TMP or TEMP on Windows, is set to an incorrect value.
    Because these variables are sometimes reasonable to customize for
    specific purposes, it is plausible for them to be set to incorrect
    values by accident.

    Except on Windows, this always uses / as the CWD for the
    subprocess.

    On Windows, we use the Windows directory (usually C:\Windows)
    rather than the root of the system drive (usually C:\), because:

    • We are currently obtaining this information from environment
      variables, and it is possible for our own parent process to pass
      down an overly sanitized environment.

    Although this can be so sanitized we cannot find the Windows
    directory, this is less likely to occur than being unable to find
    the root of the system drive.

    This due to moderately broad awareness that the SystemRoot
    environment variable (which, somewhat confusingly, holds the path
    of the Windows directory, not the root of the system drive)
    should be preserved even when clearing most other variables.

    Some libraries will even automatically preserve SystemRoot when
    clearing others or restore it. For example:

  • Under the current behavior of env::temp_dir(), which is now a
    fallback if we cannot determine the Windows directory, we already
    fall back to the Windows directory evenutally, if temp dir
    related environment variables are also unset.

    This is because env::temp_dir() usually calls GetTempDir2 in
    the Windows API, which implements that fallback behavior (after
    first trying the user's user profile directory).

    Avoiding adding yet another place to fall back to that would not
    otherwise be attempted slightly decreases behavioral complexity,
    and there is no reason to think a directory like C:\ would work
    when a directory like C:\Windows doesn't.

  • The root of the system drive on a Windows system usually permits
    limited user accounts to create new directories there, so a
    directory like C:\ on Windows actually has most of the
    disadvantages of a location like /tmp on a Unix-like system.

    This is actually a much less significant reason to prefer a
    directory like C:\Windows to a directory like C:\ than it
    might seem. After all, if C:\.git exists and and git uses it
    when run from C:\, then git would usually also use it when
    run from C:\Windows (and from numerous other locations)!

    However, the reason there is still a small reason to prefer a
    location like C:\Windows to a location like C:\ is that, if a
    system has a vulnerable git but a user or system administrator
    has sought to work around it by listing C:\ in
    GIT_CEILING_DIRECTORIES, then that may keep git from
    traversing upward into C:\, but it would not keep C:\ from
    being used if that is where we already are.

    An even more significant reason this motivation is a minor one is
    that the other measures we are taking, including setting
    GIT_DIR, should be sufficient to avoid at least the security
    dimension of the problem, which arises from actually using the
    configuration from a repo that is discovered.

  • The user profile directory may be more deeply nested.

  • The user profile directory may sometimes be on slow network
    storage when the discovered Windows directory is not.

  • In some situations, the user profile directory does not actually
    exist, or does not exist yet.

  • Overly sanitized environments are more likely to lack the
    USERPROFILE vairable than the SystemRoot variable.

  • Users may occasionally choose to have their entire user profile
    directory be a Git repository.

  • It's no easier to avoid the problem of using C:\.git in a user
    profile directory than in C:\Windows: they're usually both under
    C:\, and are both not the same as C:\. (If the user profile
    directory is a repository, then that will avoid that problem, yet
    be its own problem, if not for other measures that prevent both.)

  • If the git command is an old and unpatched vulnerable version
    in which safe.directory is not yet implemented, or in which
    GHSA-j342-m5hw-rr3v
    or other vulnerabilities where git would perform operations on
    untrusted local repositories owned by other users are unpatched,
    then a .git subdirectory of a shared /tmp or /tmp-like
    directory could be created by another account, and its local
    configuration would still have been used. (This is not a bug in
    gitoxide per se; having vulnerable software installed that other
    software may use is inherently insecure. But it is nice to offer
    a small amount of protection against this when readily feasible.)

  • If the /tmp-like location is a Git repository owned by the
    current user, then its local configuration would have been used.

  • dotnet/docs#41193

  • python/cpython#95486 (comment)

  • python/cpython#95486 (comment)

  • Parsing is more reliable for paths containing unusual characters,
    because -z/--null causes all paths to be output literally.

    Previously, " characters were trimmed from the ends, but this
    would not always extract a correct path, because when a path
    contains characters that cause git to enclose it in double
    quotes, those characters are usually represented in a symbolic
    form, usually with \ escapes.

    In some scenarios, such as usually on Windows when the escaped
    character is itself a \ and not in the leading position, the
    mangled path would be usable, but more often it would not.

  • The volume of output is less, because --name-only casues values
    not to be included in the output.

  • The combination of -z/--null and --name-only makes the
    output format simpler, and the parsing logic is accordingly
    simpler.

Commit Statistics

  • 56 commits contributed to the release.
  • 14 days passed between releases.
  • 3 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details
  • Uncategorized
    • Prepare changelogs prior to release. (c759819)
    • Merge pull request #1569 from EliahKagan/config-origin-naming (3cf9694)
    • Rename to GIT_HIGHEST_SCOPE_CONFIG_PATH (0672576)
    • Merge pull request #1568 from EliahKagan/config-origin-next (adbaa2a)
    • Rename EXE_INFO to something that probably captures its contents better. (dd2d666)
    • Run cargo fmt (b11f7db)
    • Make EXE_NAME a const too (fb0b6d8)
    • Make NULL_DEVICE a const, rather than a static item (9917d47)
    • Put first_file_from_config_with_origin test with related ones (57e9a6f)
    • Fix indentation nit (7cd20bb)
    • Merge pull request #1567 from EliahKagan/config-origin (dd65e7b)
    • Improve structure of exe_info tests (5ac5f74)
    • Clarify comment about where we run git from (5200184)
    • Test no local scope with empty system config (6160a83)
    • Don't set/change ceiling directories (2bce0d2)
    • Explore also setting a ceiling directory (073e277)
    • Fix misstatement of Windows directory rationale (4e936bc)
    • Unset a couple env vars just in case (8f6d39d)
    • Simplify the new comments (b827813)
    • Explain why we run git from a different directory (7fa5e35)
    • Small clarity tweaks (598c487)
    • Fix os::windows error on non-Windows (1305114)
    • Refactor for readability; clarify comments (ab0dcc1)
    • Fix unused import on non-Windows systems (8472447)
    • Don't require usable temp dir to get installation config (f70b904)
    • Explain why we don't just use --system (29c6cca)
    • Explain why we don't just use --show-scope (f35e44c)
    • Fix a test name for consistency (15e7b67)
    • Add another broken temp test (c80d562)
    • Extract nonexistent directory logic to a test helper struct (e60540f)
    • Maybe slightly decrease risk of test precondition check failure (56dab13)
    • Adjust some test code for clarity (5c1b4c0)
    • Check env::temp_dir() in both tests that set temp vars (79af259)
    • Clarify assert and expect messages (703f882)
    • Test EXE_INFO no local config even if temp dir doesn't exist (60465a5)
    • Slightly improve quality of test failure messages (9641660)
    • Set GIT_WORK_TREE along with GIT_DIR, to avoid confusion (5723077)
    • More robustly ensure "installation" config is not local (7280a2d)
    • Check that the test affects env::temp_dir() as desired (15cec4e)
    • Fix bug in new test where temp dir should be a repo (744bb38)
    • Test EXE_INFO no local config even if temp dir is a repo (287f267)
    • Code formatting (65d5151)
    • Fix EXE_INFO no local scope test for macOS (49e0715)
    • Add generated archive for local_config.sh (fd065ac)
    • Test that EXE_INFO never has local scope config (5a300e6)
    • Make EXE_INFO testable and add a basic test for it (1ee98bf)
    • Reorder gix_path::env::git tests to match order in code (ccd0401)
    • Extract git_cmd helper for EXE_INFO (de2f35f)
    • Parse installation config path more robustly (650a1b5)
    • Comment Git version compatibility for EXE_INFO (9df57aa)
    • Merge pull request #1557 from Byron/merge-base (649f588)
    • Allow empty-docs (beba720)
    • Merge branch 'global-lints' (37ba461)
    • Workspace Clippy lint management (2e0ce50)
    • Merge pull request #1546 from nyurik/semilocons (f992fb7)
    • Add missing semicolons (ec69c88)
Assets 2
Loading