esp-idf/tools
Frantisek Hrbata 99f9dd4c07 feat(docker): allow to add paths into git's safe.directory
With 8959555cee7e[1] ("setup_git_directory(): add an owner check for the top..")
git added an ownership check of the git directory and refuses to
run any git commands, even parsing the config file, if the git directory
is not owned by the current user. The "fatal: detected dubious ownership in repository"
is reported.

This fixes CVE-2022-24765[2], which allows to compromise user account. On a
multi-user system or e.g. on a shared file system, one user may create a "rogue"
git repository with e.g. core.fsmonitor set to an arbitrary command. Other user
may unwillingly execute this command by running e.g. git-diff or
git-status within the "rogue" git repository, which may be in one of the parent
directories. If e.g. PS1 is set to display information about a git
repository in CWD, as suggested in Git in Bash[3], the user do not need to run
any git command to trigger this, just entering some subdirectory under
this "rogue" git repository is enough, because the git command will be
started transparently through the script used in PS1. The core.fsmonitor
can be set to arbitrary command. It's purpose is to help git to identify changed files
and speed up the scanning for changed files.

rogue
├── .git     # owned by user1
└── dir1     # owned by user2
    ├── dir2 # owned by user2
    └── .git # owned by user2

user1 sets core.fsmonitor for git repository in rogue directory
$ git config --add core.fsmonitor "bash -c 'rm -rf \$HOME'"

user2 enters dir1 and runs e.g. git diff and triggers the core.fsmonitor command.

The ownership check may cause problems when running git commands in
ESP-IDF Docker container. For example user may run the container as
root, but the mounted project may be owned by a particular user.

In this case git will refuse to execute any git command within the
"/project" directory, because it's not owned by root. To overcome this,
git allows to set safe.directories, for which the ownership check is
skipped. The security check may be completely disabled by setting
safe.directories to "*". This solution was proposed in PR 12636[4], but
it would allow make it possible to exploit this vulnerability again.

This fix allows user to specify git's safe.directory in IDF_GIT_SAFE_DIR
environmental variable, which may be set during container startup.

The IDF_GIT_SAFE_DIR has same format as PATH and multiple directories can be
specified by using a ":" separator. To entirely disable this git security check
within the container, user may set IDF_GIT_SAFE_DIR='*'. This might be
heplfull in CI.

Closes https://github.com/espressif/esp-idf/pull/12636

[1] - 8959555cee
[2] - https://nvd.nist.gov/vuln/detail/cve-2022-24765
[3] - https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
[4] - https://github.com/espressif/esp-idf/pull/12636

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-01 08:23:16 +01:00
..
ble feat: add requirements.ttfw.txt 2022-08-01 15:52:21 +08:00
catch Whitespace: Automated whitespace fixes (large commit) 2020-11-11 07:36:35 +00:00
ci Merge branch 'test/idf-build-apps-1.0.0_v5.1' into 'release/v5.1' 2023-11-28 14:59:39 +08:00
cmake change(version): Update version to 5.1.2 2023-11-10 07:51:59 +05:30
docker feat(docker): allow to add paths into git's safe.directory 2023-12-01 08:23:16 +01:00
esp_app_trace sys_view: upgrade to version 3.32 2023-01-24 00:26:58 +07:00
esp_prov fix(esp_prov): update devices tuple usage due to API deprecations 2023-08-24 14:48:25 +05:30
gen_soc_caps_kconfig build-system: include soc_caps defines into kconfig 2021-12-06 12:37:07 +08:00
idf_py_actions Merge branch 'coredump-info-offset_v5.1' into 'release/v5.1' 2023-11-16 18:56:55 +08:00
kconfig_new tools: Move out kconfig_new in favour of using the esp-idf-kconfig package 2022-11-15 21:19:51 +01:00
ldgen fix(ldgen): duplicate entries in the generated .ld file 2023-09-21 19:38:49 +08:00
mass_mfg tools: remove the dependency on the future package 2022-08-09 16:46:58 +02:00
mocks [tcp_transport] - Adds Socks4 proxy transport 2023-03-27 14:46:40 +02:00
requirements Merge branch 'gdb_panic_server_remove_v5.1' into 'release/v5.1' 2023-09-21 10:09:07 +08:00
templates/sample_component add new command to idf 2020-09-21 23:38:52 +02:00
test_apps ci(system): re-enable build test app for C2 and C6, clean up configs 2023-11-28 18:09:06 +01:00
test_build_system feat(ci): add test for custom cmake CMAKE_EXECUTABLE_SUFFIX 2023-11-20 11:03:28 +01:00
test_idf_py ci(tools): fix test_hints.py to run on windows 2023-08-17 07:57:39 +02:00
test_idf_tools feat(tools): Add QEMU 8.0.0_20230522 to tools.json 2023-10-11 12:28:47 +07:00
test_mkdfu mkdfu.py: Support setting flash parameters 2022-05-27 15:44:56 +02:00
test_mkuf2 idf.py: Change copyright in tools dir 2022-05-24 14:01:50 +02:00
test_sbom fix(test_submodules.py): don't rely on submodule init 2023-07-28 12:13:32 +02:00
unit-test-app Merge branch 'refactor/driver_ut_to_test_app_v5.1' into 'release/v5.1' 2023-05-18 16:18:26 +08:00
check_python_dependencies.py bug(tools): dependency check catch exception when package not installed 2023-08-31 10:24:06 +02:00
check_term.py check_term: allow alacritty term 2022-05-19 11:10:59 +08:00
detect_python.fish Tools: Use default value in the Python detections scripts 2022-03-11 11:00:31 +01:00
detect_python.sh Tools: Use default value in the Python detections scripts 2022-03-11 11:00:31 +01:00
eclipse-code-style.xml tools: add code formatter rules for Eclipse 2016-11-03 18:41:00 +08:00
format-minimal.sh global: use '/usr/bin/env bash' instead of '/usr/bin/bash' in shebangs 2020-04-03 01:10:02 +02:00
format.sh global: use '/usr/bin/env bash' instead of '/usr/bin/bash' in shebangs 2020-04-03 01:10:02 +02:00
gdb_panic_server.py feat(tools): remove gdb_panic_server and use just a wrapper for script 2023-09-08 09:34:12 +02:00
gen_esp_err_to_name.py tool: skip test folder when generating esp_err_t table 2022-11-10 10:37:59 +08:00
generate_debug_prefix_map.py build: create BUILD_DIR/prefix_map_gdbinit when enable reproducible build 2021-10-26 10:55:00 +08:00
idf_monitor.py feat(idf_monitor): move idf_monitor to separate repo 2023-02-03 11:20:15 +01:00
idf_size.py tools: Move out idf_size.py in favour of using the esp-idf-size package 2023-03-27 19:40:33 +02:00
idf_tools.py feat(tools): Add QEMU 8.0.0_20230522 to tools.json 2023-10-11 12:28:47 +07:00
idf.py fix(tools): extend error message for failed python module import 2023-09-08 07:29:43 +02:00
install_util.py Tools: --disable-* argument for removing features 2022-06-30 12:31:59 +02:00
mkdfu.py tools: remove the dependency on the future package 2022-08-09 16:46:58 +02:00
mkuf2.py Merge branch 'fix/flake8_v5_warnings' into 'master' 2022-08-12 23:27:14 +08:00
python_version_checker.py Tools: Fix silent failure about the incompatible Python 2022-02-16 18:44:13 +01:00
requirements_schema.json Tools: Make easier the detection of the list of Python features 2022-02-03 19:02:14 +01:00
requirements.json feat: add requirements.ttfw.txt 2022-08-01 15:52:21 +08:00
set-submodules-to-github.sh global: use '/usr/bin/env bash' instead of '/usr/bin/bash' in shebangs 2020-04-03 01:10:02 +02:00
split_paths_by_spaces.py tools: fixup version references related to paths with spaces 2022-05-02 19:05:47 +02:00
tools_schema.json tools: add esp-rom-elfs version '20220823' 2022-09-21 22:39:03 +04:00
tools.json Merge branch 'feature/add_qemu_to_tools-json_v5.1' into 'release/v5.1' 2023-11-16 18:54:46 +08:00