Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=v2.40.2 2024-04-19T10:38:24Z 2024-04-19T10:38:24Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-29T12:15:32Z urn:sha1:4412a04fe6f7e632269a6668a4f367230ca2c0e0 The ability to configuring the template directory is a delicate feature: It allows defining hooks that will be run e.g. during a `git clone` operation, such as the `post-checkout` hook. As such, it is of utmost importance that Git would not allow that config setting to be changed during a `git clone` by mistake, allowing an attacker a chance for a Remote Code Execution, allowing attackers to run arbitrary code on unsuspecting users' machines. As a defense-in-depth measure, to prevent minor vulnerabilities in the `git clone` code from ballooning into higher-serverity attack vectors, let's make this a protected setting just like `safe.directory` and friends, i.e. ignore any `init.templateDir` entries from any local config. Note: This does not change the behavior of any recursive clone (modulo bugs), as the local repository config is not even supposed to be written while cloning the superproject, except in one scenario: If a config template is configured that sets the template directory. This might be done because `git clone --recurse-submodules --template=<directory>` does not pass that template directory on to the submodules' initialization. Another scenario where this commit changes behavior is where repositories are _not_ cloned recursively, and then some (intentional, benign) automation configures the template directory to be used before initializing the submodules. So the caveat is that this could theoretically break existing processes. In both scenarios, there is a way out, though: configuring the template directory via the environment variable `GIT_TEMPLATE_DIR`. This change in behavior is a trade-off between security and backwards-compatibility that is struck in favor of security. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-11-08T19:55:30Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-11-08T14:10:33Z urn:sha1:44874cbd19afb6ee6fa7dad01dbe6eec161cc94b Exhaustively test for how combining various "mixed-level" "git submodule" option works. "Mixed-level" here means options that are accepted by a mixture of the top-level "submodule" command, and e.g. the "status" sub-command. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-10-07T00:00:04Z Taylor Blau me@ttaylorr.com 2022-10-07T00:00:04Z urn:sha1:f64d4ca8d65bdca39da444d24bde94864ac01bb1 Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-10-06T21:43:37Z Taylor Blau me@ttaylorr.com 2022-10-06T21:43:37Z urn:sha1:ac8a1db86793292dfc7055eeef2fe90459e771aa Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-10-06T21:42:02Z Taylor Blau me@ttaylorr.com 2022-10-06T21:42:02Z urn:sha1:3957f3c84e89c68e8bf3f7cb172ba6837af70506 Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-10-06T21:39:15Z Taylor Blau me@ttaylorr.com 2022-10-06T21:39:15Z urn:sha1:122512967e6184b1888a63ea2b6ed9ada3046b28 Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-10-01T04:23:38Z Taylor Blau me@ttaylorr.com 2022-07-29T19:21:40Z urn:sha1:0d3beb71dad7906f576b0de9cea32164549163fe To prepare for the default value of `protocol.file.allow` to change to "user", ensure tests that rely on local submodules can initialize them over the file protocol. Tests that only need to interact with submodules in a limited capacity have individual Git commands annotated with the appropriate configuration via `-c`. Tests that interact with submodules a handful of times use `test_config_global` instead. Test scripts that rely on submodules throughout use a `git config --global` during a setup test towards the beginning of the script. Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-09-02T16:16:23Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-08-31T23:17:46Z urn:sha1:31955475d1c283120d5d84247eb3fd55d9f5fdd9 Remove the "submodule--helper list" sub-command, which hasn't been used by git-submodule.sh since 2964d6e5e1e (submodule: port subcommand 'set-branch' from shell to C, 2020-06-02). There was a test added in 2b56bb7a87a (submodule helper list: respect correct path prefix, 2016-02-24) which relied on it, but the right thing to do here is to delete that test as well. That test was regression testing the "list" subcommand itself. We're not getting anything useful from the "list | cut -f2" invocation that we couldn't get from "foreach 'echo $sm_path'". Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Reviewed-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-09-02T16:16:22Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-08-31T23:17:44Z urn:sha1:59378e33553e1a7e00e315e61f4ae8d8550d49c0 Add a missing test for ""add <repository> <path>" where "<path>" is an absolute path. This tests code added in [1] and later turned into an "else" branch in clone_submodule() in [2] that's never been tested. This needs to be skipped on WINDOWS because all of $PWD, $(pwd) and the "$(pwd -P)" we get via "$submodurl" would fail in CI with e.g.: fatal: could not create directory 'D:/a/git/git/t/trash directory.t7400-submodule-basic/.git/modules/D:/a/git/git/t/trash directory.t7400-submodule-basic/add-abs' I.e. we can't handle these sorts of paths in this context on that platform. I'm not sure where we run into the edges of "$PWD" behavior on Windows (see [1] for a previous loose end on the topic), but for the purposes of this test it's sufficient that we test this on other platforms. 1. ee8838d1577 (submodule: rewrite `module_clone` shell function in C, 2015-09-08) 2. f8eaa0ba98b (submodule--helper, module_clone: always operate on absolute paths, 2016-03-31) 1. https://lore.kernel.org/git/220630.86edz6c75c.gmgdl@evledraar.gmail.com/ Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Reviewed-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-09-02T16:16:22Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-08-31T23:17:43Z urn:sha1:89bc7b5c0104bc7e98a3e2392598e90e6f49fcd4 Test what exit code and output we emit on "git submodule -h", how we handle "--" when no subcommand is specified, and how the top-level "--recursive" option is handled. For "-h" this doesn't make sense, but let's test for it so that any subsequent eventual behavior change will become clear. For "--" this follows up on 68cabbfda36 (submodule: document default behavior, 2019-02-15) and tests that "status" doesn't support the "--" delimiter. There's no intrinsically good reason not to support that. We behave this way due to edge cases in git-submodule.sh's implementation, but as with "-h" let's assert our current long-standing behavior for now. For "--recursive" the exclusion of it from the top-level appears to have been an omission in 15fc56a8536 (git submodule foreach: Add --recursive to recurse into nested submodules, 2009-08-19), there doesn't seem to be a reason not to support it alongside "--quiet" and "--cached", but let's likewise assert our existing behavior for now. I.e. as long as "status" is optional it would make sense to support all of its options when it's omitted, but we only do that with "--quiet" and "--cached", and curiously omit "--recursive". Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Reviewed-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>