diff options
| author | Will Chandler <wchandler@gitlab.com> | 2022-07-08 23:44:14 +0300 |
|---|---|---|
| committer | Will Chandler <wchandler@gitlab.com> | 2022-07-08 23:44:14 +0300 |
| commit | 8e3eafce11e3b48177872c28c58614226ae18602 (patch) | |
| tree | e11ae749703f405c2ecfafa30d4e6f4acc15df74 | |
| parent | 73230331f5019175ddf4d3a9d3838401b339dc91 (diff) | |
| parent | b4545ccd2dfbcc848497529c4175abc555f14f8d (diff) | |
Merge branch 'pks-testcfg-fix-safe-directory-workaround' into 'master'
testcfg: Fix workaround to build Go binaries in unowned directories
See merge request gitlab-org/gitaly!4694
| -rw-r--r-- | internal/testhelper/testcfg/build.go | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/internal/testhelper/testcfg/build.go b/internal/testhelper/testcfg/build.go index 6b5653931..b49b8f47b 100644 --- a/internal/testhelper/testcfg/build.go +++ b/internal/testhelper/testcfg/build.go @@ -127,12 +127,18 @@ func BuildBinary(t testing.TB, targetDir, sourcePath string) string { // does in theory make us vulnerable to this exploit, it is clear that any adversary // would already have arbitrary code execution because we are executing code right // now that would be controlled by the very same adversary. + // + // Note that we cannot pass `safe.directory` via command line arguments by design. + // Instead, we just override the system-level gitconfig to point to a temporary file + // that contains this setting. _, currentFile, _, ok := runtime.Caller(0) require.True(t, ok) + gitconfigPath := filepath.Join(testhelper.TempDir(t), "gitconfig") + require.NoError(t, os.WriteFile(gitconfigPath, []byte( + "[safe]\ndirectory = "+filepath.Join(filepath.Dir(currentFile), "..", "..", "..")+"\n"), 0o400), + ) gitEnvironment = append(gitEnvironment, - "GIT_CONFIG_COUNT=1", - "GIT_CONFIG_KEY_0=safe.directory", - "GIT_CONFIG_VALUE_0="+filepath.Join(filepath.Dir(currentFile), "..", "..", ".."), + "GIT_CONFIG_SYSTEM="+gitconfigPath, ) buildTags := []string{ |