author: Jeff King <peff@peff.net> 2021-02-16 09:44:32 -0500
committer: Junio C Hamano <gitster@pobox.com> 2021-02-16 09:41:33 -0800
commit: 2ef579e261fcd85a4eb6e0ce98ee4a01625fc210 (patch)
tree: c9309bb2a6590875cdd87c223cc081e5d5ad8e2e /t/t0003-attributes.sh
parent: 1679d60bfc4c5c38f30fc938cf006b1e8608f733 (diff)
attr: do not respect symlinks for in-tree .gitattributes

The attributes system may sometimes read in-tree files from the filesystem, and sometimes from the index. In the latter case, we do not resolve symbolic links (and are not likely to ever start doing so). Let's open filesystem links with O_NOFOLLOW so that the two cases behave consistently.

As a bonus, this means that git will not follow such symlinks to read and parse out-of-tree paths. In some cases this could have security implications, as a malicious repository can cause Git to open and read arbitrary files. It could already feed arbitrary content to the parser, but in certain setups it might be able to exfiltrate data from those paths (e.g., if an automated service operating on the malicious repo reveals its stderr to an attacker).

Note that O_NOFOLLOW only prevents following links for the path itself, not intermediate directories in the path. At first glance, it seems like

  ln -s /some/path in-repo

might still look at "in-repo/.gitattributes", following the symlink to "/some/path/.gitattributes". However, if "in-repo" is a symbolic link, then we know that it has no git paths below it, and will never look at its .gitattributes file.

We will continue to support out-of-tree symbolic links (e.g., in $GIT_DIR/info/attributes); this just affects in-tree links. When a symbolic link is encountered, the contents are ignored and a warning is printed. POSIX specifies ELOOP in this case, so the user would generally see something like:

  warning: unable to access '.gitattributes': Too many levels of symbolic links

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
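
The O_NOFOLLOW behaviour described in the commit message above, as an added example that is not part of the commit or of Git's code. The names read_nofollow and run_demo and the /tmp sandbox layout are hypothetical and constructed for illustration; the ELOOP result assumes a POSIX-conforming open() such as Linux's.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read up to len-1 bytes, refusing a symlink as the final path component.
 * Returns the byte count, or -errno on failure. */
static long read_nofollow(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -errno;
    ssize_t n = read(fd, buf, len - 1);
    long ret = n < 0 ? -errno : (long)n;
    close(fd);
    buf[n < 0 ? 0 : n] = '\0';
    return ret;
}

/* Constructed sandbox in a fresh temp dir (changes the process cwd).
 * out[0]: regular file; out[1]: symlink as the final component;
 * out[2]: regular file reached through a symlinked directory. */
static int run_demo(long out[3])
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", buf[64];
    FILE *f;
    if (!mkdtemp(dir) || chdir(dir) || mkdir("real", 0700) ||
        !(f = fopen("real/.gitattributes", "w")))
        return -1;
    fputs("* test\n", f);
    fclose(f);
    if (symlink("real/.gitattributes", "link") || symlink("real", "linkdir"))
        return -1;
    out[0] = read_nofollow("real/.gitattributes", buf, sizeof(buf));
    out[1] = read_nofollow("link", buf, sizeof(buf));
    out[2] = read_nofollow("linkdir/.gitattributes", buf, sizeof(buf));
    unlink("link"); unlink("linkdir");
    unlink("real/.gitattributes"); rmdir("real");
    return (chdir("/") || rmdir(dir)) ? -1 : 0;
}

int main(void)
{
    long r[3];
    if (run_demo(r)) return 1;
    printf("regular=%ld symlink=%ld via-dir-symlink=%ld\n", r[0], r[1], r[2]);
    return 0;
}
```

The third result succeeds because O_NOFOLLOW applies only to the last path component, which is why the commit message argues separately that a symlinked directory is never searched for a .gitattributes file.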
Diffstat (limited to 't/t0003-attributes.sh')
-rwxr-xr-x t/t0003-attributes.sh 36
1 files changed, 33 insertions, 3 deletions
diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
index b660593c20..1e4c672b84 100755
--- a/t/t0003-attributes.sh
+++ b/t/t0003-attributes.sh
@@ -4,12 +4,16 @@ test_description=gitattributes
. ./test-lib.sh
-attr_check () {
+attr_check_basic () {
path="$1" expect="$2" git_opts="$3" &&
git $git_opts check-attr test -- "$path" >actual 2>err &&
echo "$path: test: $expect" >expect &&
- test_cmp expect actual &&
+ test_cmp expect actual
+}
+
+attr_check () {
+ attr_check_basic "$@" &&
test_must_be_empty err
}
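Review bot: attr_check_basic still redirects stderr to the file err but no longer checks it, so any caller that forgets to inspect err will pass even when git prints unexpected warnings. A one-line comment above attr_check_basic saying that callers are responsible for checking err (as attr_check does with test_must_be_empty err) would make that contract explicit for future tests.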
@@ -331,7 +335,6 @@ test_expect_success 'binary macro expanded by -a' '
test_cmp expect actual
'
-
test_expect_success 'query binary macro directly' '
echo "file binary" >.gitattributes &&
echo file: binary: set >expect &&
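Review bot: The blank line removed before the 'query binary macro directly' test is a whitespace cleanup unrelated to the symlink change. Consider dropping it from this patch or mentioning it in the commit message so the diff stays focused on the behaviour change.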
@@ -339,4 +342,31 @@ test_expect_success 'query binary macro directly' '
test_cmp expect actual
'
+test_expect_success SYMLINKS 'set up symlink tests' '
+ echo "* test" >attr &&
+ rm -f .gitattributes
+'
+
+test_expect_success SYMLINKS 'symlinks respected in core.attributesFile' '
+ test_when_finished "rm symlink" &&
+ ln -s attr symlink &&
+ test_config core.attributesFile "$(pwd)/symlink" &&
+ attr_check file set
+'
+
+test_expect_success SYMLINKS 'symlinks respected in info/attributes' '
+ test_when_finished "rm .git/info/attributes" &&
+ ln -s ../../attr .git/info/attributes &&
+ attr_check file set
+'
+
+test_expect_success SYMLINKS 'symlinks not respected in-tree' '
+ test_when_finished "rm -rf .gitattributes subdir" &&
+ ln -s attr .gitattributes &&
+ mkdir subdir &&
+ ln -s ../attr subdir/.gitattributes &&
+ attr_check_basic subdir/file unspecified &&
+ test_i18ngrep "unable to access.*gitattributes" err
+'
+
test_done
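Review bot: In 'symlinks not respected in-tree', the pattern "unable to access.*gitattributes" is satisfied by a single warning, although the test creates two links (.gitattributes and subdir/.gitattributes), so it cannot show that a warning was printed for each. The unspecified result does show neither link was honoured, but grepping err once per path (for example, one pattern containing subdir/.gitattributes) would pin the warning behaviour down as well. Separately, the commit message reasons about a symlinked intermediate directory (ln -s /some/path in-repo), and none of the added tests exercise that case; a test that links a directory containing a .gitattributes file and checks that a path below it stays unspecified would cover the claim.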