
Commit 62d492d

repo: ensure that repo dir is owned by current user
Ensure that the repository directory is owned by the current user; this prevents us from opening configuration files that may have been created by an attacker.
1 parent 973d959 commit 62d492d


2 files changed

+29
-3
lines changed


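--- a/include/git2/errors.h
+++ b/include/git2/errors.h
@@ -58,6 +58,7 @@ typedef enum {
 GIT_EMISMATCH = -33, /**< Hashsum mismatch in object */
 GIT_EINDEXDIRTY = -34, /**< Unsaved changes in the index would be overwritten */
 GIT_EAPPLYFAIL = -35, /**< Patch application failed */
+GIT_EOWNER = -36 /**< The object is not owned by the current user */
 } git_error_code;
 
 /**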

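--- a/src/repository.c
+++ b/src/repository.c
@@ -482,6 +482,23 @@ static int read_gitfile(git_buf *path_out, const char *file_path)
 return error;
 }
 
+static int validate_ownership(const char *repo_path)
+{
+bool is_safe;
+int error;
+
+if ((error = git_path_owner_is_current_user(&is_safe, repo_path)) < 0)
+return (error == GIT_ENOTFOUND) ? 0 : error;
+
+if (is_safe)
+return 0;
+
+git_error_set(GIT_ERROR_CONFIG,
+"repository path '%s' is not owned by current user",
+repo_path);
+return GIT_EOWNER;
+}
+
 static int find_repo(
 git_buf *gitdir_path,
 git_buf *workdir_path,
@@ -855,6 +872,7 @@ int git_repository_open_ext(
 gitlink = GIT_BUF_INIT, commondir = GIT_BUF_INIT;
 git_repository *repo = NULL;
 git_config *config = NULL;
+const char *validation_path;
 int version = 0;
 
 if (flags & GIT_REPOSITORY_OPEN_FROM_ENV)
@@ -903,16 +921,23 @@ int git_repository_open_ext(
 if ((error = check_extensions(config, version)) < 0)
 goto cleanup;
 
-if ((flags & GIT_REPOSITORY_OPEN_BARE) != 0)
+if ((flags & GIT_REPOSITORY_OPEN_BARE) != 0) {
 repo->is_bare = 1;
-else {
-
+} else {
 if (config &&
 ((error = load_config_data(repo, config)) < 0 ||
 (error = load_workdir(repo, config, &workdir)) < 0))
 goto cleanup;
 }
 
+/*
+* Ensure that the git directory is owned by the current user.
+*/
+validation_path = repo->is_bare ? repo->gitdir : repo->workdir;
+
+if ((error = validate_ownership(validation_path)) < 0)
+goto cleanup;
+
 cleanup:
 git_buf_dispose(&gitdir);
 git_buf_dispose(&workdir);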
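Review bot: For a non-bare repository the new check at `validation_path = repo->is_bare ? repo->gitdir : repo->workdir;` validates only the working directory, so the gitdir — where the configuration file the commit message is worried about actually lives — is never checked whenever it is a separate directory (a `.git` gitfile, `GIT_DIR` from the environment, or a linked worktree). Validating both directories closes that gap: `if ((error = validate_ownership(repo->gitdir)) < 0 || (repo->workdir && (error = validate_ownership(repo->workdir)) < 0)) goto cleanup;`. Note also that `load_workdir` only runs inside the `if (config && ...)` branch, so if `repo->workdir` can still be NULL at this point the current code hands NULL to `git_path_owner_is_current_user`; the NULL guard above covers that case. The check is also placed after `check_extensions` and `load_config_data` have already parsed and applied the config, so as written it refuses the repository rather than preventing the untrusted file from being read at all — moving the ownership check ahead of the config load would match the commit message more closely. git_repository_open_ext starts and ends outside the hunk.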
