Fix git-init for Git 2.35.2 #4756
Conversation
https://github.blog/2022-04-12-git-security-vulnerability-announced/ was announced and then fixed in Git 2.35.2. This ends up creating issues like actions/checkout#760, where the directory the git repo lives isn't owned by the same user performing the git operations. This does appear to be affecting us - see https://tekton-releases.appspot.com/build/tekton-prow/pr-logs/pull/tektoncd_pipeline/4750/pull-tekton-pipeline-integration-tests/1514143139193950210/ for example, which has the telltale error message of `fatal: unsafe repository ('/workspace/go/src/github.com/GoogleContainerTools/skaffold' is owned by someone else)`. This is an attempt to fix that by having `git-init` call `git config --global --add safe.directory [repo dir]` before fetching, etc. Signed-off-by: Andrew Bayer <[email protected]>
tekton-robot
added
release-note
tekton-robot
added
the
size/S
| if _, err := run(logger, "", "init"); err != nil { | ||
| return err | ||
| } | ||
| if _, err := run(logger, "", "config", "--add", "--global", "safe.directory", "/"); err != nil { |
There was a problem hiding this comment.
When spec.Path is empty, I'm not sure exactly what we should be adding as a safe.directory here instead. I'm guessing that it's the root directory, but I could very well be wrong.
There was a problem hiding this comment.
/ sounds safe to me. AIUI, the CVE specifically impacts shared environments, where one user can create e.g., /.git and trick subdirectory git checkouts to using the root-level git config. Tekton doesn't have that problem (or else you're using Tekton very weirdly, and you get what you get!)
I think if this causes any problems we could just uniformly configure / as a safe directory. But being conservative sounds smart until then.
There was a problem hiding this comment.
Yeah, I saw no reason not to just go as broad as we have to - my uncertainty is whether / is actually where we're running git init from when we don't have spec.Path.
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-pipeline-build-tests |
|
/test pull-tekton-pipeline-integration-tests |
|
I think this works - the alpha integration tests passed (build and integration jobs never properly launched, so I'm re-running them), but they fail consistently on other PRs, like #4750's https://tekton-releases.appspot.com/build/tekton-prow/pr-logs/pull/tektoncd_pipeline/4750/pull-tekton-pipeline-alpha-integration-tests/1514243048417005569/ |
|
And fwiw, I'm more than a little confused as to how |
|
Just as a datapoint (context #4752): Was this introduced in |
|
I misread the title, I see fixed in I'll talk to Ariadne about where that is in Alpine edge. |
|
@mattmoor Huh, looks like git/git@8959555 has actually been in for a while, but didn't behave the same way until 2.35.2, I guess? Weird in general for sure, but hey. EDIT: Ah, interesting - it looks like that commit is in fact in 2.32.1, not just 2.35.2. This makes more sense now. EDIT AGAIN: It looks like Alpine 3.14, 3.15, and Edge all have git package versions with the fix in, fwiw. |
|
/retest Quota flakiness on pipeline-integration-tests this time. |
|
It’s already in edge, I’ll rebuild and check the version again before attempting the switch 👍 I think it’s just bad timing with our nightly cron |
|
/retest
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
Changes
https://github.blog/2022-04-12-git-security-vulnerability-announced/ was announced
and then fixed in Git 2.35.2. This ends up creating issues like actions/checkout#760,
where the directory the git repo lives isn't owned by the same user performing the
git operations. This does appear to be affecting us - see https://tekton-releases.appspot.com/build/tekton-prow/pr-logs/pull/tektoncd_pipeline/4750/pull-tekton-pipeline-integration-tests/1514143139193950210/
for example, which has the telltale error message of
fatal: unsafe repository ('/workspace/go/src/github.com/GoogleContainerTools/skaffold' is owned by someone else).This is an attempt to fix that by having
git-initcallgit config --global --add safe.directory [repo dir]before fetching, etc.
/kind bug
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")
Release Notes