Skip to content

Mark the repo as safe for Git #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 27, 2022
Merged

Mark the repo as safe for Git #55

merged 3 commits into from
May 27, 2022

Conversation

abompard
Copy link
Contributor

This relates to actions/checkout#760

Some tests need git to be functional (eg pre-commit checks) and since CVE-2022-24765 git checks directory ownership.

@abompard
Mark the repo as safe for Git
0710b2f 
This relates to actions/checkout#760

Some tests need git to be functional (eg pre-commit checks) and since
CVE-2022-24765 git checks directory ownership.

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
hroncok
hroncok reviewed May 17, 2022
View reviewed changes
Copy link
Member

@hroncok hroncok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @abompard. Interesting stuff. I guess this should be OK, but I made an inline style-only suggestion.

@frenzymadness
Copy link
Member

And it seems there is a problem when the example project is mounted as a volume inside the container.

@hroncok
Copy link
Member

hroncok commented May 17, 2022
edited
Loading

The example project has:

$ cat example_project/.git
gitdir: ../.git/modules/example_project

And that point to a nonexistent directory when mounted in the container. Apparently can be overridden by e.g. git --git-dir=~ config --global --add safe.directory $PWD

hroncok
hroncok reviewed May 17, 2022
View reviewed changes
@hroncok
Copy link
Member

hroncok commented May 17, 2022

Trying that.

@frenzymadness
Copy link
Member

I hit the problem we are trying to fix here in one of my projects so I'm gonna test this PR and we can merge it then.

@frenzymadness
Copy link
Member

This is a little bit tricky to reproduce. What I had to do locally is to add a user inside the running container, change ownership of the /src directory and then run the main entrypoint script. This way I'm able to reproduce the issue and also verify that the proposed fix does not solve it.

The problem is with the levels of git config files:

  • --system is in /etc
  • --global is in $HOME
  • --local is in $PWD/.git

We cannot use --local because we might have that file mounted from outside of the container and we don't want to change it. We cannot use --global because the $HOME variable is not available in tox without explicit passenv=HOME and therefore git cannot find the ~/.gitconfig. So all we have and what seems to work is to use --system when we change the git config. That way the config file is created in /etc and exists only in the running container.

@frenzymadness
Copy link
Member

I can theoretically test this in github actions if I:

  • build and push the new container image to docker hub with some testing tag
  • switch the action to the testing tag and push the change to some testing branch
  • make my project use the testing branch of the github action

Do you think it's worth the effort?

@hroncok
Copy link
Member

hroncok commented May 27, 2022

No.

@frenzymadness
Copy link
Member

No.

And do you think this is ready to be merged?

@hroncok hroncok merged commit 7d6d63a into fedora-python:master May 27, 2022
@frenzymadness
Copy link
Member

I can confirm that the fix solved the problem with pre-commit in one of my projects. Thanks @abompard for making it simpler for us by providing all the information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hroncok hroncok hroncok left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@abompard @frenzymadness @hroncok