Commit Graph

4905 Commits

Author SHA1 Message Date
Frantisek Hrbata
99f9dd4c07 feat(docker): allow to add paths into git's safe.directory
With 8959555cee7e[1] ("setup_git_directory(): add an owner check for the top..")
git added an ownership check of the git directory and refuses to
run any git commands, even parsing the config file, if the git directory
is not owned by the current user. The "fatal: detected dubious ownership in repository"
is reported.

This fixes CVE-2022-24765[2], which allows compromising a user account. On a
multi-user system or e.g. on a shared file system, one user may create a "rogue"
git repository with e.g. core.fsmonitor set to an arbitrary command. Another user
may unwillingly execute this command by running e.g. git-diff or
git-status within the "rogue" git repository, which may be in one of the parent
directories. If e.g. PS1 is set to display information about a git
repository in CWD, as suggested in Git in Bash[3], the user does not need to run
any git command to trigger this, just entering some subdirectory under
this "rogue" git repository is enough, because the git command will be
started transparently through the script used in PS1. The core.fsmonitor
can be set to an arbitrary command. Its purpose is to help git to identify changed files
and speed up the scanning for changed files.

rogue
├── .git     # owned by user1
└── dir1     # owned by user2
    ├── dir2 # owned by user2
    └── .git # owned by user2

user1 sets core.fsmonitor for git repository in rogue directory
$ git config --add core.fsmonitor "bash -c 'rm -rf \$HOME'"

user2 enters dir1 and runs e.g. git diff and triggers the core.fsmonitor command.

The ownership check may cause problems when running git commands in
ESP-IDF Docker container. For example user may run the container as
root, but the mounted project may be owned by a particular user.

In this case git will refuse to execute any git command within the
"/project" directory, because it's not owned by root. To overcome this,
git allows to set safe.directories, for which the ownership check is
skipped. The security check may be completely disabled by setting
safe.directories to "*". This solution was proposed in PR 12636[4], but
it would make it possible to exploit this vulnerability again.

This fix allows user to specify git's safe.directory in IDF_GIT_SAFE_DIR
environmental variable, which may be set during container startup.

The IDF_GIT_SAFE_DIR has same format as PATH and multiple directories can be
specified by using a ":" separator. To entirely disable this git security check
within the container, user may set IDF_GIT_SAFE_DIR='*'. This might be
helpful in CI.

Closes https://github.com/espressif/esp-idf/pull/12636

[1] - 8959555cee
[2] - https://nvd.nist.gov/vuln/detail/cve-2022-24765
[3] - https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
[4] - https://github.com/espressif/esp-idf/pull/12636

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-01 08:23:16 +01:00
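
How a container startup script could turn the PATH-style IDF_GIT_SAFE_DIR value described in the commit above into git safe.directory entries. This is an added example, not the code from that commit; the function names `split_safe_dirs` and `apply_safe_dirs`, the sample paths, and the handling of empty, relative and `*` entries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the ESP-IDF entrypoint): expand a PATH-style
# IDF_GIT_SAFE_DIR value into git safe.directory entries.

# Print one entry per line. Empty and relative entries are skipped
# (this example's choice); a '*' entry collapses the list to '*'.
# The body runs in a subshell so IFS and 'set -f' do not leak out.
split_safe_dirs() (
    value=$1
    entries=""
    wildcard=0
    IFS=:
    set -f                      # keep a literal '*' from globbing
    for dir in $value; do
        case $dir in
            '')  ;;             # produced by "a::b"
            '*') wildcard=1 ;;
            /*)  entries="${entries}${dir}
" ;;
            *)   echo "skipping relative path: $dir" >&2 ;;
        esac
    done
    if [ "$wildcard" -eq 1 ]; then
        # One '*' makes every other entry redundant: the ownership
        # check is off for all repositories in the container.
        echo "warning: '*' disables git's ownership check" >&2
        printf '%s\n' '*'
    else
        printf '%s' "$entries"
    fi
    return 0
)

# Register each entry in the system-wide git config. safe.directory is
# not honoured when it is set in a repository's own config file.
apply_safe_dirs() {
    split_safe_dirs "$1" | while IFS= read -r dir; do
        git config --system --add safe.directory "$dir"
    done
}

# Constructed sample value, as it might be passed with
# `docker run -e IDF_GIT_SAFE_DIR=...`.
split_safe_dirs "/project:/opt/esp/idf"
```

Listing only the mounted project paths keeps the ownership check active for every other directory in the container.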
Ivan Grokhotkov
be057f26dc
ci(system): re-enable build test app for C2 and C6, clean up configs
Since we can use CONFIG_NAME now to specify build rules, we don't need
to have target-specific config files.
2023-11-28 18:09:06 +01:00
Fu Hanxi
3875e26b3b Merge branch 'test/idf-build-apps-1.0.0_v5.1' into 'release/v5.1'
CI: make master pipeline compatible with idf-build-apps 1.0.0 release (v5.1)

See merge request espressif/esp-idf!26247
2023-11-28 14:59:39 +08:00
Jiang Jiang Jian
3ba577165c Merge branch 'bugfix/esp32s3_usb_otg_console_v5.1' into 'release/v5.1'
system: support USB_OTG CDC console on ESP32-S3 (v5.1)

See merge request espressif/esp-idf!24337
2023-11-24 10:19:02 +08:00
Ivan Grokhotkov
6481b0161c
ci: add build test for CONFIG_ESP_CONSOLE_USB_CDC_SUPPORT_ETS_PRINTF 2023-11-21 17:33:30 +01:00
Ivan Grokhotkov
22dd730a7c
esp_rom: convert USB related headers to SPDX, update COPYRIGHTS.rst 2023-11-21 17:33:30 +01:00
Ivan Grokhotkov
c7b409aa94
esp_rom: sync changes for ESP32-S3 USB related files, minor fix for S2
Used esp-rom tag esp32s3-20210327 and did manual cleanup.
Rename s_usb_osglue to rom_usb_osglue like it was done for esp32s2.
Some comments in esp32s2 headers are synced from esp32s3.
2023-11-21 17:33:29 +01:00
Frantisek Hrbata
4c3beef656 feat(ci): add test for custom cmake CMAKE_EXECUTABLE_SUFFIX
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-11-20 11:03:28 +01:00
Roland Dobai
6edb9982fd Merge branch 'coredump-info-offset_v5.1' into 'release/v5.1'
Tools: coredump-info - fix non-default partition table offset issues (v5.1)

See merge request espressif/esp-idf!26802
2023-11-16 18:56:55 +08:00
Roland Dobai
36cb0b29b2 Merge branch 'bugfix/docker_safe_repo_v5.1' into 'release/v5.1'
fix(docker): set esp-idf repo as safe directory (v5.1)

See merge request espressif/esp-idf!26804
2023-11-16 18:55:32 +08:00
Roland Dobai
53aaf3462f Merge branch 'feature/add_qemu_to_tools-json_v5.1' into 'release/v5.1'
Add QEMU to tools.json (v5.1)

See merge request espressif/esp-idf!26407
2023-11-16 18:54:46 +08:00
Ivan Grokhotkov
684a0936df Merge branch 'contrib/github_pr_12052_v5.1' into 'release/v5.1'
Two small patches for build system and fatfs (GitHub PR) (v5.1)

See merge request espressif/esp-idf!26431
2023-11-14 17:16:43 +08:00
Roland Dobai
305e781d0c Merge branch 'fix/ci_autocomplete_v5.1' into 'release/v5.1'
Tools, CI: Improve autocomplete tests (v5.1)

See merge request espressif/esp-idf!27037
2023-11-14 02:44:10 +08:00
Erhan Kurubas
14241aeb2e fix(coredump-info): set default gdb timeout as 3 seconds 2023-11-13 15:34:52 +01:00
Jiang Jiang Jian
3515fb4eaa Merge branch 'feat/dynamic_integration_pipeline_v5.1' into 'release/v5.1'
CI: dynamic integration pipeline v5.1

See merge request espressif/esp-idf!26654
2023-11-13 19:41:31 +08:00
Aditya Patwardhan
482a8fb2d7
change(version): Update version to 5.1.2 2023-11-10 07:51:59 +05:30
Roland Dobai
d3b403ff90 ci(fix): Improve the stability of the autocomplete tests 2023-11-09 14:09:47 +01:00
Chen Yudong
537bea27f5 ci: dynamic integration test child pipeline 2023-11-03 20:48:33 +08:00
Frantisek Hrbata
6f256958d1 fix(tools/docker): set esp-idf repo as safe directory
In our docker docs[1] we recommend to start docker as a non-root user. This has
a side effect, because the esp-idf repo in docker image is owned by
root. Git by default refuses even to parse a config file if the repo is
owned by other than current user. As a result the version detection in
cmake fails[2] and the app version is set to "HEAD-HASH-NOTFOUND".
This adds esp-idf repo to the system git config as a safe one.

[1] https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/
    tools/idf-docker-image.html#building-a-project-with-cmake
[2] https://github.com/espressif/esp-idf/issues/12389#issuecomment-1764268773

Closes https://github.com/espressif/esp-idf/issues/12389

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-10-31 16:24:10 +01:00
Peter Dragun
5fe418e733 fix(tools/coredump-info): pass non-default partition table offset to esp-coredump
Closes https://github.com/espressif/esp-idf/issues/11564
2023-10-31 15:57:47 +01:00
Alexey Gerenkov
476ae752eb feat(tools): Update OpenOCD version to v0.12.0-esp32-20230921 2023-10-18 10:57:05 +02:00
Michal Jenikovsky
31b4b0a8d4 idf.py: gdb action incorrectly generated EOL gdbinit scripts
GDB on Windows incorrectly reads EOL in the script files causing 'gdb'
action to fail.

(gdb) source .../build/gdbinit/py_extensions
(gdb) source .../build\gdbinit\symbols
add symbol table from file "...\build\bootloader\bootloader.elf"
.../build\gdbinit\symbols:6: Error in sourced command file:
Undefined command: "".  Try "help".

Forcing line separator to '\n' resolved the issue

Signed-off-by: Michal Jenikovsky <jendo@jmsystems.sk>
2023-10-12 04:48:47 +02:00
Anton Maklakov
be79c75b64 feat(tools): Add QEMU 8.0.0_20230522 to tools.json
Process wildcards in the install and download lists of idf_tools
    Fix the install and download handlers to get common behaviour
2023-10-11 12:28:47 +07:00
Fu Hanxi
be8339215a
ci: fix breaking change in idf-build-apps 1.0.0 2023-09-29 09:24:23 +02:00
Jiang Jiang Jian
0d2a52491b Merge branch 'bugfix/check_mapping_target_conflict_v5.1' into 'release/v5.1'
fix(ldgen): check target conflict for entries with section aliases (v5.1)

See merge request espressif/esp-idf!26123
2023-09-26 13:56:27 +08:00
Jiang Jiang Jian
face850973 Merge branch 'feature/rename_wpa2_ent_to_eap_client_v5.1' into 'release/v5.1'
WiFi: Rename WPA2 enterprise APIs to EAP Client. (v5.1)

See merge request espressif/esp-idf!26082
2023-09-26 13:30:52 +08:00
You Wei
5d8433ec56 fix(ldgen): duplicate entries in the generated .ld file 2023-09-21 19:38:49 +08:00
You Wei
de93968670 fix(ldgen): check target conflict for entries with section alias 2023-09-21 19:38:49 +08:00
Jiang Jiang Jian
941811a0b5 Merge branch 'feature/docker_image_update_qemu8.0.0_v5.1' into 'release/v5.1'
tools: Docker: update QEMU to 8.0.0 version, with xtensa and riscv32 chip support (v5.1)

See merge request espressif/esp-idf!26009
2023-09-21 10:11:22 +08:00
Jiang Jiang Jian
19d710dd61 Merge branch 'gdb_panic_server_remove_v5.1' into 'release/v5.1'
fix(tools): remove unused gdp_panic_server; replace with new esp-idf-panic-decoder package (v5.1)

See merge request espressif/esp-idf!25878
2023-09-21 10:09:07 +08:00
Kapil Gupta
d490e99f74 change(example): Update wifi enterprise example 2023-09-20 17:06:59 +05:30
Peter Dragun
732dbe8556 feat(tools/monitor): move target tests to monitor repo 2023-09-20 09:23:42 +02:00
wuzhenghui
a96f2c7674 fix(esp_system): suppress compiler warning if ESP_SYSTEM_PANIC_SILENT_REBOOT is enabled 2023-09-19 10:37:23 +08:00
Anton Maklakov
8cdc795435 feat(tools/docker): update QEMU to 8.0.0 version, with xtensa and riscv32 chip support 2023-09-18 13:02:36 +07:00
Jiang Jiang Jian
8ce86c32d0 Merge branch 'bugfix/fix_some_wifi_bugs_230913_v5.1' into 'release/v5.1'
fix(wifi): fix some wifi bugs 20230913(Backport v5.1)

See merge request espressif/esp-idf!25960
2023-09-18 12:09:31 +08:00
Roland Dobai
1fa048191a Merge branch 'bugfix/failed_module_import_v5.1' into 'release/v5.1'
fix(tools): extend error message for failed python module import (v5.1)

See merge request espressif/esp-idf!25868
2023-09-14 01:50:22 +08:00
Kapil Gupta
4756c22ffa change(esp_wifi): Port fast_pbkdf2 implementation for mbedtls
Add changes to use fast_pbkdf2 as default for PMK calculations.
fast_pbkdf2 is significantly faster than current implementations
for esp chips.

Also removes unnecessary code for pbkdf-sha256 and pbkdf-sha512.
2023-09-13 16:33:19 +08:00
Kapil Gupta
e62d11ef41 change(esp_wifi): Copy fastpbkdf2 implementation
Copy pbkdf2 implementation from https://github.com/ctz/fastpbkdf2(3c56895)
2023-09-13 16:33:19 +08:00
aleks
4c06791a40 docs: updated modbus api reference documents for target esp32h2 2023-09-11 13:41:07 +00:00
Wang Meng Yang
da07a096d0 Merge branch 'test/bqb_test_bt_classic_hid_v5.1' into 'release/v5.1'
feat(bt/bqb): Add setting local di record function for specific hid case of bqb auto test (backport v5.1)

See merge request espressif/esp-idf!25833
2023-09-11 07:36:25 +08:00
Peter Dragun
3d8c34efd5 feat(tools): remove gdb_panic_server and use just a wrapper for script
gdb_panic_server is now part of esp-idf-panic-decoder
2023-09-08 09:34:12 +02:00
Peter Dragun
b83a56512a fix(tools): fix autocomplete for --port option
Closes https://github.com/espressif/esp-idf/issues/7970
2023-09-08 09:25:33 +02:00
Frantisek Hrbata
dff4ec6fbf fix(tools): extend error message for failed python module import
Currently idf.py reports just "Please use idf.py only in an ESP-IDF shell environment".
Sometimes it may be useful to know for which module the import failed.
Also the problem does not have to be related to shell environment only, but the
python venv can be corrupted. This adds a little bit more verbose error
message.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-09-08 07:29:43 +02:00
wanglai@espressif.com
e29b67c02a fix(bt/bluedroid): Changed HID related copyright automatically 2023-09-07 14:17:42 +08:00
Peter Dragun
23a38f0f6f bug(tools): dependency check catch exception when package not installed 2023-08-31 10:24:06 +02:00
Erhan Kurubas
568c397822 feat(coredump): add panic details to the elf file 2023-08-28 18:48:16 +02:00
Aditya Patwardhan
d3f2e4dab5 Merge branch 'fix/esp_prov_recent_changes_v5.1' into 'release/v5.1'
fix(esp_prov): update devices tuple usage due to API deprecations (v5.1)

See merge request espressif/esp-idf!25536
2023-08-28 14:07:35 +08:00
Roland Dobai
06a4943e41 Merge branch 'fix/bin_names_with_dots_v5.1' into 'release/v5.1'
fix(build_system): Allow dots in the name of an app binary (backport v5.1)

See merge request espressif/esp-idf!25276
2023-08-25 14:42:32 +08:00
Roland Dobai
c8970d8205 Merge branch 'feature/requires_hints_v5.1' into 'release/v5.1'
feat(tools): show hints for component dependencies (v5.1)

See merge request espressif/esp-idf!25386
2023-08-25 14:28:13 +08:00
Roland Dobai
a1be2f3613 Merge branch 'bugfix/sbom_hash_check_v5.1' into 'release/v5.1'
fix(test_submodules.py): don't rely on submodule init (v5.1)

See merge request espressif/esp-idf!25057
2023-08-25 14:21:18 +08:00