git_superproject: tell git that superproject is bare
The superproject is initialized as a bare repo in Superproject:_Init().
That means that later operations must treat it as a bare repository,
specifying the gitdir and setting 'bare' appropriately when launching
GitCommand()s. It's also OK not to specify cwd here because GitCommand()
will drop cwd if bare == True anyways.

With this change, it's possible to run `repo init` and `repo sync` with the
Git config 'safe.bareRepository' set to 'explicit'. This config strengthens
Git's security posture against embedded bare repository attacks like
https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md.

Bug: b/227257481
Change-Id: I954a64c6883d2ca2af9c603e7076fd83b52584e9
Reviewed-on: https://gerrit-review.googlesource.com/c/git-repo/+/389794
Reviewed-by: Mike Frysinger <[email protected]>
Tested-by: Jason R. Coombs <[email protected]>
Tested-by: Emily Shaffer <[email protected]>
Reviewed-by: Emily Shaffer <[email protected]>
Commit-Queue: Jason R. Coombs <[email protected]>
Emily Shaffer authored and LUCI committed Nov 9, 2023
1 parent 3652b49 commit 8a6d172
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions git_superproject.py
Expand Up @@ -69,9 +69,9 @@ class UpdateProjectsResult(NamedTuple):
class Superproject:
"""Get commit ids from superproject.
Initializes a local copy of a superproject for the manifest. This allows
lookup of commit ids for all projects. It contains _project_commit_ids which
is a dictionary with project/commit id entries.
Initializes a bare local copy of a superproject for the manifest. This
allows lookup of commit ids for all projects. It contains
_project_commit_ids which is a dictionary with project/commit id entries.
"""

def __init__(
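Review bot: The updated Superproject docstring says the local copy is bare but does not state what that requires of code in this class. Consider adding a sentence along the lines of "Git commands run against it must pass gitdir= and bare=True rather than cwd=", so that a later GitCommand() call does not go back to locating the repository through the working directory, which is the pattern this commit removes to work with safe.bareRepository set to explicit.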
Expand Down Expand Up @@ -235,7 +235,8 @@ def _Fetch(self):
p = GitCommand(
None,
cmd,
cwd=self._work_git,
gitdir=self._work_git,
bare=True,
capture_stdout=True,
capture_stderr=True,
)
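Review bot: In the _Fetch call, `gitdir=self._work_git` passes an attribute whose name reads like a working checkout even though it now identifies the bare repository's git directory. A rename, or a one-line comment at the call stating that the superproject is bare and has to be addressed explicitly, would make the intent clear to the next reader. Dropping `cwd=` looks fine given the commit message's statement that GitCommand() discards cwd when bare is true.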
Expand Down Expand Up @@ -271,7 +272,8 @@ def _LsTree(self):
p = GitCommand(
None,
cmd,
cwd=self._work_git,
gitdir=self._work_git,
bare=True,
capture_stdout=True,
capture_stderr=True,
)
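Review bot: The _LsTree call repeats the same `gitdir=self._work_git, bare=True` pair added in _Fetch, so the bare-repository handling now depends on every call site remembering both keywords. Consider a small private helper on Superproject that builds the GitCommand with those two arguments fixed, and have _Fetch and _LsTree use it. The change also touches only git_superproject.py; a test that exercises these paths with safe.bareRepository set to explicit would keep the behaviour from regressing.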