| | | |
|---|---|---|
| author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-07-08 10:08:21 +0300 |
| committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-07-08 10:31:05 +0300 |
| commit | b4545ccd2dfbcc848497529c4175abc555f14f8d | |
| tree | c43a222a2a8c62a15f7ca07971d7ffe2ce8cc49c | |
| parent | 88f78ed883808636f3ee02601ee37f944c82b07e | |
testcfg: Fix workaround to build Go binaries in unowned directories

Go has been embedding VCS information into Go binaries since Go 1.18, which it
derives from the repository by executing some Git commands. This doesn't
work though when the repository is not owned by the user building the
binaries due to CVE-2022-24765, where Git started to refuse to operate in
any such repository it doesn't own.

We have tried to fix this in 61331af03 (testcfg: Fix building binaries
as unprivileged user with Go 1.18+, 2022-07-07) by setting `GIT_CONFIG_`
environment variables to inject the `safe.directory` config entry, which
can be used to override this safety mechanism. This doesn't work though,
as documented by git-config(1):

> This config setting is only respected when specified in a system or
> global config, not when it is specified in a repository config, via
> the command line option -c safe.directory=<path>, or in environment
> variables.

Work around this limitation by writing a temporary, system-level config
file that contains this key and setting `GIT_CONFIG_SYSTEM` to point to
that file.
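The workaround the message describes, as an added example written for this page and not Gitaly's own code: it renders the `safe.directory` entry as a system-level gitconfig, writes the file read-only for the owner and returns the `GIT_CONFIG_SYSTEM` entry a caller would append to the build environment. Unlike the patch it quotes the repository path as a double-quoted git config value, so a checkout path containing `#`, `;`, a double quote or a backslash cannot truncate or break the entry. The function names, the temporary-directory handling and the sample path are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// quoteGitConfigValue renders v as a double-quoted git config value. Inside
// double quotes git requires `\` and `"` to be escaped (`\\`, `\"`) and also
// understands `\n` and `\t`; quoting additionally stops `#` and `;` from
// starting a comment and preserves surrounding whitespace, both of which an
// unquoted value would lose.
func quoteGitConfigValue(v string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`, "\t", `\t`)
	return `"` + r.Replace(v) + `"`
}

// safeDirectoryConfig returns the contents of a gitconfig file that marks
// repoRoot as safe, i.e. exempt from the CVE-2022-24765 ownership check.
func safeDirectoryConfig(repoRoot string) string {
	return "[safe]\n\tdirectory = " + quoteGitConfigValue(repoRoot) + "\n"
}

// writeSystemGitconfig writes that file into dir (mode 0o400, as in the patch)
// and returns the environment entry that makes git read it as its system-level
// config. GIT_CONFIG_SYSTEM replaces /etc/gitconfig entirely, so anything set
// there is hidden from the build; for a test build that is usually acceptable.
func writeSystemGitconfig(dir, repoRoot string) (string, error) {
	path := filepath.Join(dir, "gitconfig")
	if err := os.WriteFile(path, []byte(safeDirectoryConfig(repoRoot)), 0o400); err != nil {
		return "", err
	}
	return "GIT_CONFIG_SYSTEM=" + path, nil
}

func main() {
	dir, err := os.MkdirTemp("", "gitconfig-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample path: the `#` would start a comment if left unquoted.
	entry, err := writeSystemGitconfig(dir, "/srv/checkouts/gitaly #1")
	if err != nil {
		panic(err)
	}
	fmt.Println(entry)

	data, err := os.ReadFile(filepath.Join(dir, "gitconfig"))
	if err != nil {
		panic(err)
	}
	fmt.Print(string(data))
	// A build helper would then run: cmd.Env = append(os.Environ(), entry)
}
```

The value is quoted rather than passed through `git config --file`, so the helper needs no git binary at file-writing time; the ownership check itself is only exercised once the build runs git inside a repository owned by another user.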
| -rw-r--r-- | internal/testhelper/testcfg/build.go | 12 |
|---|---|---|

1 files changed, 9 insertions, 3 deletions
diff --git a/internal/testhelper/testcfg/build.go b/internal/testhelper/testcfg/build.go index 6b5653931..b49b8f47b 100644 --- a/internal/testhelper/testcfg/build.go +++ b/internal/testhelper/testcfg/build.go @@ -127,12 +127,18 @@ func BuildBinary(t testing.TB, targetDir, sourcePath string) string { // does in theory make us vulnerable to this exploit, it is clear that any adversary // would already have arbitrary code execution because we are executing code right // now that would be controlled by the very same adversary. + // + // Note that we cannot pass `safe.directory` via command line arguments by design. + // Instead, we just override the system-level gitconfig to point to a temporary file + // that contains this setting. _, currentFile, _, ok := runtime.Caller(0) require.True(t, ok) + gitconfigPath := filepath.Join(testhelper.TempDir(t), "gitconfig") + require.NoError(t, os.WriteFile(gitconfigPath, []byte( + "[safe]\ndirectory = "+filepath.Join(filepath.Dir(currentFile), "..", "..", "..")+"\n"), 0o400), + ) gitEnvironment = append(gitEnvironment, - "GIT_CONFIG_COUNT=1", - "GIT_CONFIG_KEY_0=safe.directory", - "GIT_CONFIG_VALUE_0="+filepath.Join(filepath.Dir(currentFile), "..", "..", ".."), + "GIT_CONFIG_SYSTEM="+gitconfigPath, ) buildTags := []string{ |
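Review bot: the repository root is spliced into the config value unquoted (`"[safe]\ndirectory = "+filepath.Join(filepath.Dir(currentFile), "..", "..", "..")+"\n"`), so a checkout path containing `#`, `;`, a double quote or a backslash would produce a truncated or malformed `safe.directory` entry and git would still refuse the repository; wrapping the value in double quotes with `\` and `"` escaped, or generating the file with `git config --file gitconfigPath safe.directory <path>`, avoids that. Also, the added comment only says that `safe.directory` cannot be passed via command line arguments, whereas the git-config(1) excerpt in the commit message also excludes environment variables, which is exactly what the removed `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` lines relied on; saying so in the comment would explain why the previous attempt did not work.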