repo: ensure that repo dir is owned by current user

Ensure that the repository directory is owned by the current user; this prevents us from opening configuration files that may have been created by an attacker.

repo: ensure that repo dir is owned by current user
Ensure that the repository directory is owned by the current user; this prevents us from opening configuration files that may have been created by an attacker.
62d492de · Edward Thomson · 973d959a · 62d492de · 62d492de
Commit 62d492de authored Apr 11, 2022 by Edward Thomson
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 3 deletions

include/git2/errors.h
+1 -0

src/repository.c
+28 -3

No files found.
--- a/include/git2/errors.h
+++ b/include/git2/errors.h
@@ -58,6 +58,7 @@ typedef enum {
 	GIT_EMISMATCH       = -33,	/**< Hashsum mismatch in object */
 	GIT_EINDEXDIRTY     = -34,	/**< Unsaved changes in the index would be overwritten */
 	GIT_EAPPLYFAIL      = -35,	/**< Patch application failed */
+	GIT_EOWNER          = -36	/**< The object is not owned by the current user */
 } git_error_code;

 /**

--- a/src/repository.c
+++ b/src/repository.c
@@ -482,6 +482,23 @@ static int read_gitfile(git_buf *path_out, const char *file_path)
 	return error;
 }

+static int validate_ownership(const char *repo_path)
+{
+	bool is_safe;
+	int error;
+
+	if ((error = git_path_owner_is_current_user(&is_safe, repo_path)) < 0)
+		return (error == GIT_ENOTFOUND) ? 0 : error;
+
+	if (is_safe)
+		return 0;
+
+	git_error_set(GIT_ERROR_CONFIG,
+		"repository path '%s' is not owned by current user",
+		repo_path);
+	return GIT_EOWNER;
+}
+
 static int find_repo(
 	git_buf *gitdir_path,
 	git_buf *workdir_path,
@@ -855,6 +872,7 @@ int git_repository_open_ext(
 		gitlink = GIT_BUF_INIT, commondir = GIT_BUF_INIT;
 	git_repository *repo = NULL;
 	git_config *config = NULL;
+	const char *validation_path;
 	int version = 0;

 	if (flags & GIT_REPOSITORY_OPEN_FROM_ENV)
@@ -903,16 +921,23 @@ int git_repository_open_ext(
 	if ((error = check_extensions(config, version)) < 0)
 		goto cleanup;

-	if ((flags & GIT_REPOSITORY_OPEN_BARE) != 0)
+	if ((flags & GIT_REPOSITORY_OPEN_BARE) != 0) {
 		repo->is_bare = 1;
-	else {
-
+	} else {
 		if (config &&
 		    ((error = load_config_data(repo, config)) < 0 ||
 		     (error = load_workdir(repo, config, &workdir)) < 0))
 			goto cleanup;
 	}

+	/*
+	 * Ensure that the git directory is owned by the current user.
+	 */
+	validation_path = repo->is_bare ? repo->gitdir : repo->workdir;
+
+	if ((error = validate_ownership(validation_path)) < 0)
+		goto cleanup;
+
 cleanup:
 	git_buf_dispose(&gitdir);
 	git_buf_dispose(&workdir);