author | James Fargher <proglottis@gmail.com> | 2022-07-08 02:40:00 +0300 |
committer | James Fargher <proglottis@gmail.com> | 2022-07-08 02:40:00 +0300 |
commit | 88f78ed883808636f3ee02601ee37f944c82b07e (patch) | |
tree | f74ad6420e7844ada9268fd4f9b6f28f8342da96 | |
parent | 9aac5e46400ec5b04b43c2290b2a76c7965c2e3b (diff) | |
parent | 61331af03c7f6c0cf075b4766858839299b8b470 (diff) |
Merge branch 'pks-ci-fix-unprivileged-building-of-binaries-go-1.18' into 'master'
testcfg: Fix building binaries as unprivileged user with Go 1.18+
See merge request gitlab-org/gitaly!4689
-rw-r--r-- | .gitlab-ci.yml | 2 | ||||
-rw-r--r-- | internal/testhelper/testcfg/build.go | 19 |
2 files changed, 21 insertions, 0 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 340777a2a..151cc3cff 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -245,6 +245,8 @@ test:nightly: TEST_TARGET: [ test, test-with-proxies, test-with-praefect ] rules: - if: '$CI_PIPELINE_SOURCE == "schedule"'
+ - when: manual
+ allow_failure: true test:praefect_smoke: <<: *test_definition
diff --git a/internal/testhelper/testcfg/build.go b/internal/testhelper/testcfg/build.go
index f4e6be180..6b5653931 100644
--- a/internal/testhelper/testcfg/build.go
+++ b/internal/testhelper/testcfg/build.go
@@ -6,6 +6,7 @@ import ( "os" "os/exec" "path/filepath"
+ "runtime" "strings" "sync" "testing"
@@ -116,6 +117,24 @@ func BuildBinary(t testing.TB, targetDir, sourcePath string) string { "PATH=%s:%s", filepath.Dir(gitExecEnv.BinaryPath), os.Getenv("PATH"), ))
+ // Go 1.18 has started to extract VCS information so that it can be embedded into
+ // the resulting binary and will thus execute Git in the Gitaly repository. In CI,
+ // the Gitaly repository is owned by a different user than the one that is executing
+ // tests though, which means that Git will refuse to open the repository because of
+ // CVE-2022-24765.
+ //
+ // Let's override this mechanism by labelling the Git repository as safe. While this
+ // does in theory make us vulnerable to this exploit, it is clear that any adversary
+ // would already have arbitrary code execution because we are executing code right
+ // now that would be controlled by the very same adversary.
+ _, currentFile, _, ok := runtime.Caller(0)
+ require.True(t, ok)
+ gitEnvironment = append(gitEnvironment,
+ "GIT_CONFIG_COUNT=1",
+ "GIT_CONFIG_KEY_0=safe.directory",
+ "GIT_CONFIG_VALUE_0="+filepath.Join(filepath.Dir(currentFile), "..", "..", ".."),
+ )
+ buildTags := []string{ "static", "system_libgit2", "gitaly_test", } |
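Review bot: The safe.directory override in the BuildBinary hunk relaxes the CVE-2022-24765 ownership check for the whole checkout when the narrower option is to stop `go build` from invoking Git at all: Go 1.18 accepts `-buildvcs=false`, which disables VCS stamping and removes the need to mark the directory safe, so if the build invocation (which lies outside this hunk) can take flags, that should be preferred and the justification comment shortened accordingly. The path handed to `GIT_CONFIG_VALUE_0` comes from `runtime.Caller(0)`, i.e. the compile-time file path; under `-trimpath` or a symlinked checkout it will not equal the path Git compares against and the override fails silently, so consider passing it through `filepath.EvalSymlinks` (or asserting the directory exists with `require.DirExists`) before use. `GIT_CONFIG_COUNT=1` with index 0 also clobbers any `GIT_CONFIG_*` entries that `gitEnvironment`, built outside the hunk, may already carry; I cannot see its construction, so this is worth a check. BuildBinary continues past the end of the hunk.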