
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorPavlo Strokov <pstrokov@gitlab.com>2020-01-24 17:11:16 +0300
committerPavlo Strokov <pstrokov@gitlab.com>2020-01-24 17:11:16 +0300
commit4c9725a928a76a8a6ece8c5203513f84a5349e00 (patch)
tree53fd58969163057d3fc1d2b90f43ef7e45ed1bf7
parent84c42ffbeb0fc1e2cfe73997f7681b366daa6b11 (diff)
parente56612ece27e5b98007ba05351c73aa0a4b36708 (diff)
Merge branch 'po-safecmd-commandwithoutrepo' into 'master'
Replace CommandWithoutRepo usage with safe version.
See merge request gitlab-org/gitaly!1783
-rw-r--r--changelogs/unreleased/po-safecmd-commandwithoutrepo.yml5
-rw-r--r--internal/git/objectpool/clone.go19
-rw-r--r--internal/git/objectpool/pool.go11
-rw-r--r--internal/service/remote/remotes.go10
-rw-r--r--internal/service/repository/create.go11
-rw-r--r--internal/service/repository/create_from_bundle.go33
6 files changed, 66 insertions, 23 deletions
diff --git a/changelogs/unreleased/po-safecmd-commandwithoutrepo.yml b/changelogs/unreleased/po-safecmd-commandwithoutrepo.yml
new file mode 100644
index 000000000..eb6479124
--- /dev/null
+++ b/changelogs/unreleased/po-safecmd-commandwithoutrepo.yml
@@ -0,0 +1,5 @@
+---
+title: Replace CommandWithoutRepo usage with safe version
+merge_request: 1783
+author:
+type: security
diff --git a/internal/git/objectpool/clone.go b/internal/git/objectpool/clone.go
index f7359e636..45ab2af81 100644
--- a/internal/git/objectpool/clone.go
+++ b/internal/git/objectpool/clone.go
@@ -24,8 +24,23 @@ func (o *ObjectPool) clone(ctx context.Context, repo *gitalypb.Repository) error
return err
}
- cloneArgs := []string{"-C", path.Dir(targetDir), "clone", "--quiet", "--bare", "--local", repoPath, targetName}
- cmd, err := git.CommandWithoutRepo(ctx, cloneArgs...)
+ cmd, err := git.SafeCmdWithoutRepo(ctx,
+ []git.Option{
+ git.ValueFlag{
+ Name: "-C",
+ Value: path.Dir(targetDir),
+ },
+ },
+ git.SubCmd{
+ Name: "clone",
+ Flags: []git.Option{
+ git.Flag{Name: "--quiet"},
+ git.Flag{Name: "--bare"},
+ git.Flag{Name: "--local"},
+ },
+ Args: []string{repoPath, targetName},
+ },
+ )
if err != nil {
return err
}
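Review bot: The two positional paths in the new `clone` SubCmd (`Args: []string{repoPath, targetName}`) are not separated from the flags by `--`, whereas the clone in create_from_bundle.go in this same commit passes its paths through `PostSepArgs`. How `targetName` is derived is outside this hunk, so whether it can ever begin with `-` cannot be confirmed here; presumably the wrapper rejects such values in `Args`, but placing paths after the separator makes the intent explicit and does not depend on that check. Consider `PostSepArgs: []string{repoPath, targetName},` here, and the same treatment for `targetDir` in pool.go, `diskPath` in create.go and the fetch arguments in the second hunk of create_from_bundle.go, provided each subcommand accepts `--` in that position. The body of `clone` starts and ends outside the hunk.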
diff --git a/internal/git/objectpool/pool.go b/internal/git/objectpool/pool.go
index 5674421ab..ca4628d1b 100644
--- a/internal/git/objectpool/pool.go
+++ b/internal/git/objectpool/pool.go
@@ -108,8 +108,15 @@ func (o *ObjectPool) Init(ctx context.Context) (err error) {
return nil
}
- initArgs := []string{"init", "--bare", targetDir}
- cmd, err := git.CommandWithoutRepo(ctx, initArgs...)
+ cmd, err := git.SafeCmdWithoutRepo(ctx, nil,
+ git.SubCmd{
+ Name: "init",
+ Flags: []git.Option{
+ git.Flag{Name: "--bare"},
+ },
+ Args: []string{targetDir},
+ },
+ )
if err != nil {
return err
}
diff --git a/internal/service/remote/remotes.go b/internal/service/remote/remotes.go
index e4a0893e2..7e18fda41 100644
--- a/internal/service/remote/remotes.go
+++ b/internal/service/remote/remotes.go
@@ -73,7 +73,15 @@ func (s *server) FindRemoteRepository(ctx context.Context, req *gitalypb.FindRem
return nil, status.Error(codes.InvalidArgument, "FindRemoteRepository: empty remote can't be checked.")
}
- cmd, err := git.CommandWithoutRepo(ctx, "ls-remote", req.GetRemote(), "HEAD")
+ cmd, err := git.SafeCmdWithoutRepo(ctx, nil,
+ git.SubCmd{
+ Name: "ls-remote",
+ Args: []string{
+ req.GetRemote(),
+ "HEAD",
+ },
+ },
+ )
if err != nil {
return nil, status.Errorf(codes.Internal, "error executing git command: %s", err)
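Review bot: `req.GetRemote()` is the one request-supplied value this commit routes through the wrapper, and any error from `git.SafeCmdWithoutRepo`, including a rejected argument, falls into the existing `codes.Internal` branch. Assuming the wrapper refuses positional arguments that begin with `-`, a malformed remote sent by the client would be reported as a server fault; checking it next to the empty-remote guard keeps the status accurate, e.g. `if strings.HasPrefix(req.GetRemote(), "-") { return nil, status.Error(codes.InvalidArgument, "FindRemoteRepository: remote must not start with '-'") }`. A leading-dash check also does not constrain which transport or host the remote names; if that is not restricted elsewhere, a comment here saying where it is validated, or an allowlist of accepted URL schemes, would help the next reader. The function body continues outside the hunk.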
diff --git a/internal/service/repository/create.go b/internal/service/repository/create.go
index bfbbb6864..241a26e05 100644
--- a/internal/service/repository/create.go
+++ b/internal/service/repository/create.go
@@ -19,7 +19,16 @@ func (s *server) CreateRepository(ctx context.Context, req *gitalypb.CreateRepos
return nil, helper.ErrInternal(err)
}
- cmd, err := git.CommandWithoutRepo(ctx, "init", "--bare", "--quiet", diskPath)
+ cmd, err := git.SafeCmdWithoutRepo(ctx, nil,
+ git.SubCmd{
+ Name: "init",
+ Flags: []git.Option{
+ git.Flag{Name: "--bare"},
+ git.Flag{Name: "--quiet"},
+ },
+ Args: []string{diskPath},
+ },
+ )
if err != nil {
return nil, helper.ErrInternal(err)
}
diff --git a/internal/service/repository/create_from_bundle.go b/internal/service/repository/create_from_bundle.go
index 045132048..07f9da60a 100644
--- a/internal/service/repository/create_from_bundle.go
+++ b/internal/service/repository/create_from_bundle.go
@@ -64,14 +64,15 @@ func (s *server) CreateRepositoryFromBundle(stream gitalypb.RepositoryService_Cr
return err
}
- args := []string{
- "clone",
- "--bare",
- "--",
- bundlePath,
- repoPath,
- }
- cmd, err := git.CommandWithoutRepo(ctx, args...)
+ cmd, err := git.SafeCmdWithoutRepo(ctx, nil,
+ git.SubCmd{
+ Name: "clone",
+ Flags: []git.Option{
+ git.Flag{Name: "--bare"},
+ },
+ PostSepArgs: []string{bundlePath, repoPath},
+ },
+ )
if err != nil {
cleanError := sanitizedError(repoPath, "CreateRepositoryFromBundle: cmd start failed: %v", err)
return status.Error(codes.Internal, cleanError)
@@ -82,15 +83,13 @@ func (s *server) CreateRepositoryFromBundle(stream gitalypb.RepositoryService_Cr
}
// We do a fetch to get all refs including keep-around refs
- args = []string{
- "-C",
- repoPath,
- "fetch",
- bundlePath,
- "refs/*:refs/*",
- }
-
- cmd, err = git.CommandWithoutRepo(ctx, args...)
+ cmd, err = git.SafeCmdWithoutRepo(ctx,
+ []git.Option{git.ValueFlag{Name: "-C", Value: repoPath}},
+ git.SubCmd{
+ Name: "fetch",
+ Args: []string{bundlePath, "refs/*:refs/*"},
+ },
+ )
if err != nil {
cleanError := sanitizedError(repoPath, "CreateRepositoryFromBundle: cmd start failed fetching refs: %v", err)
return status.Error(codes.Internal, cleanError)