libgit2: Sanitize execution environment to not read gitconfigs

libgit2 is by default reading Git configuration files from their
standard locations. This is nothing we want though: the configuration
should either be explicitly set by us, or not at all.

Fix this by explicitly overriding the gitconfig locations in both Git2go
and Rugged. There is only a single Git configuration that we care about,
which is `core.fsyncObjectfiles`: it must always be set to `true` or we
may cause repository corruption. We already do enable it in Git2go via
`git.EnableFsyncGitDir(true)`, and in Rugged we inject a configuration
that contains this key. So ultimately, this change shouldn't change the
behaviour of libgit2 in any way.

2 files changed, 12 insertions, 0 deletions

diff --git a/cmd/gitaly-git2go-v15/main.go b/cmd/gitaly-git2go-v15/main.go
index dc3516af2..e4a51354e 100644
--- a/cmd/gitaly-git2go-v15/main.go
+++ b/cmd/gitaly-git2go-v15/main.go
@@ -102,6 +102,16 @@ func main() {
 		fatalf(logger, encoder, "enable fsync: %s", err)
 	}
 
+	for _, configLevel := range []git.ConfigLevel{
+		git.ConfigLevelSystem,
+		git.ConfigLevelXDG,
+		git.ConfigLevelGlobal,
+	} {
+		if err := git.SetSearchPath(configLevel, "/dev/null"); err != nil {
+			fatalf(logger, encoder, "setting search path: %s", err)
+		}
+	}
+
 	subcmdLogger := logger.WithField("command.subcommand", subcmdFlags.Name())
 	subcmdLogger.Infof("starting %s command", subcmdFlags.Name())
 
diff --git a/ruby/bin/gitaly-ruby b/ruby/bin/gitaly-ruby
index d37352945..c0f17b1e5 100755
--- a/ruby/bin/gitaly-ruby
+++ b/ruby/bin/gitaly-ruby
@@ -73,6 +73,8 @@ def set_rugged_search_path
   return unless search_path
 
   Rugged::Settings['search_path_system'] = search_path
+  Rugged::Settings['search_path_global'] = '/dev/null'
+  Rugged::Settings['search_path_xdg'] = '/dev/null'
 end
 
 def load_distributed_tracing