Diffstat (limited to 'vendor/gix/src/open')
-rw-r--r-- | vendor/gix/src/open/mod.rs | 19 | ||||
-rw-r--r-- | vendor/gix/src/open/options.rs | 5 | ||||
-rw-r--r-- | vendor/gix/src/open/permissions.rs | 215 | ||||
-rw-r--r-- | vendor/gix/src/open/repository.rs | 24 |
4 files changed, 249 insertions, 14 deletions
diff --git a/vendor/gix/src/open/mod.rs b/vendor/gix/src/open/mod.rs
index 77018f5a2..03c976204 100644
--- a/vendor/gix/src/open/mod.rs
+++ b/vendor/gix/src/open/mod.rs
@@ -1,6 +1,17 @@
 use std::path::PathBuf;
 
-use crate::{bstr::BString, config, permission, Permissions};
+use crate::{bstr::BString, config};
+
+/// Permissions associated with various resources of a git repository
+#[derive(Debug, Clone)]
+pub struct Permissions {
+    /// Control which environment variables may be accessed.
+    pub env: permissions::Environment,
+    /// Permissions related where git configuration should be loaded from.
+    pub config: permissions::Config,
+    /// Permissions related to where `gitattributes` should be loaded from.
+    pub attributes: permissions::Attributes,
+}
 
 /// The options used in [`ThreadSafeRepository::open_opts()`][crate::ThreadSafeRepository::open_opts()].
 ///
@@ -16,7 +27,7 @@ pub struct Options {
     /// Define what is allowed while opening a repository.
     pub permissions: Permissions,
     pub(crate) git_dir_trust: Option<gix_sec::Trust>,
-    /// Warning: this one is copied to to config::Cache - don't change it after repo open or keep in sync.
+    /// Warning: this one is copied to config::Cache - don't change it after repo open or keep in sync.
     pub(crate) filter_config_section: Option<fn(&gix_config::file::Metadata) -> bool>,
     pub(crate) lossy_config: Option<bool>,
     pub(crate) lenient_config: bool,
@@ -44,11 +55,11 @@ pub enum Error {
     #[error("The git directory at '{}' is considered unsafe as it's not owned by the current user.", .path.display())]
     UnsafeGitDir { path: PathBuf },
     #[error(transparent)]
-    EnvironmentAccessDenied(#[from] permission::env_var::resource::Error),
+    EnvironmentAccessDenied(#[from] gix_sec::permission::Error<std::path::PathBuf>),
 }
 
 mod options;
-
+pub mod permissions;
 mod repository;
 
 #[cfg(test)]
diff --git a/vendor/gix/src/open/options.rs b/vendor/gix/src/open/options.rs
index fb648e3c2..b098d55c1 100644
--- a/vendor/gix/src/open/options.rs
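Review bot: The doc comment on the new `config` field of `Permissions` in the first mod.rs hunk reads `/// Permissions related where git configuration should be loaded from.` and is missing a word; the sibling `attributes` field has the intended phrasing, so this should be `/// Permissions related to where git configuration should be loaded from.`. The struct derives only `Debug, Clone` although, judging from the new permissions.rs file, all three field types derive `Copy`; if callers are expected to pass it by value as the repository.rs hunks do with `env`, deriving `Copy` here too would remove the need for `ref`/`*` around it.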
+++ b/vendor/gix/src/open/options.rs
@@ -1,7 +1,7 @@
 use std::path::PathBuf;
 
 use super::{Error, Options};
-use crate::{bstr::BString, config, Permissions, ThreadSafeRepository};
+use crate::{bstr::BString, config, open::Permissions, ThreadSafeRepository};
 
 impl Default for Options {
     fn default() -> Self {
@@ -134,6 +134,9 @@ impl Options {
     ///
     /// This is recommended for all applications that prefer correctness over usability.
     /// `git` itself defaults to strict configuration mode, flagging incorrect configuration immediately.
+    ///
+    /// Failure to read configuration files due to IO errors will also be a hard error if this mode is enabled, otherwise
+    /// these errors will merely be logged.
     pub fn strict_config(mut self, toggle: bool) -> Self {
         self.lenient_config = !toggle;
         self
diff --git a/vendor/gix/src/open/permissions.rs b/vendor/gix/src/open/permissions.rs
new file mode 100644
index 000000000..633575a9d
--- /dev/null
+++ b/vendor/gix/src/open/permissions.rs
@@ -0,0 +1,215 @@
+//! Various permissions to define what can be done when operating a [`Repository`][crate::Repository].
+use crate::open::Permissions;
+use gix_sec::Trust;
+
+/// Configure from which sources git configuration may be loaded.
+///
+/// Note that configuration from inside of the repository is always loaded as it's definitely required for correctness.
+#[derive(Copy, Clone, Ord, PartialOrd, PartialEq, Eq, Debug, Hash)]
+pub struct Config {
+    /// The git binary may come with configuration as part of its configuration, and if this is true (default false)
+    /// we will load the configuration of the git binary, if present and not a duplicate of the ones below.
+    ///
+    /// It's disabled by default as it may involve executing the git binary once per execution of the application.
+    pub git_binary: bool,
+    /// Whether to use the system configuration.
+    /// This is defined as `$(prefix)/etc/gitconfig` on unix.
+    pub system: bool,
+    /// Whether to use the git application configuration.
+    ///
+    /// A platform defined location for where a user's git application configuration should be located.
+    /// If `$XDG_CONFIG_HOME` is not set or empty, `$HOME/.config/git/config` will be used
+    /// on unix.
+    pub git: bool,
+    /// Whether to use the user configuration.
+    /// This is usually `~/.gitconfig` on unix.
+    pub user: bool,
+    /// Whether to use the configuration from environment variables.
+    pub env: bool,
+    /// Whether to follow include files are encountered in loaded configuration,
+    /// via `include` and `includeIf` sections.
+    pub includes: bool,
+}
+
+impl Config {
+    /// Allow everything which usually relates to a fully trusted environment
+    pub fn all() -> Self {
+        Config {
+            git_binary: false,
+            system: true,
+            git: true,
+            user: true,
+            env: true,
+            includes: true,
+        }
+    }
+
+    /// Load only configuration local to the git repository.
+    pub fn isolated() -> Self {
+        Config {
+            git_binary: false,
+            system: false,
+            git: false,
+            user: false,
+            env: false,
+            includes: false,
+        }
+    }
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Self::all()
+    }
+}
+
+/// Configure from which `gitattribute` files may be loaded.
+///
+/// Note that `.gitattribute` files from within the repository are always loaded.
+#[derive(Copy, Clone, Ord, PartialOrd, PartialEq, Eq, Debug, Hash)]
+pub struct Attributes {
+    /// The git binary may come with attribute configuration in its installation directory, and if this is true (default false)
+    /// we will load the configuration of the git binary.
+    ///
+    /// It's disabled by default as it involves executing the git binary once per execution of the application.
+    pub git_binary: bool,
+    /// Whether to use the system configuration.
+    /// This is typically defined as `$(prefix)/etc/gitconfig`.
+    pub system: bool,
+    /// Whether to use the git application configuration.
+    ///
+    /// A platform defined location for where a user's git application configuration should be located.
+    /// If `$XDG_CONFIG_HOME` is not set or empty, `$HOME/.config/git/attributes` will be used
+    /// on unix.
+    pub git: bool,
+}
+
+impl Attributes {
+    /// Allow everything which usually relates to a fully trusted environment
+    pub fn all() -> Self {
+        Attributes {
+            git_binary: false,
+            system: true,
+            git: true,
+        }
+    }
+
+    /// Allow loading attributes that are local to the git repository.
+    pub fn isolated() -> Self {
+        Attributes {
+            git_binary: false,
+            system: false,
+            git: false,
+        }
+    }
+}
+
+impl Default for Attributes {
+    fn default() -> Self {
+        Self::all()
+    }
+}
+
+/// Permissions related to the usage of environment variables
+#[derive(Debug, Clone, Copy)]
+pub struct Environment {
+    /// Control whether resources pointed to by `XDG_CONFIG_HOME` can be used when looking up common configuration values.
+    ///
+    /// Note that [`gix_sec::Permission::Forbid`] will cause the operation to abort if a resource is set via the XDG config environment.
+    pub xdg_config_home: gix_sec::Permission,
+    /// Control the way resources pointed to by the home directory (similar to `xdg_config_home`) may be used.
+    pub home: gix_sec::Permission,
+    /// Control if environment variables to configure the HTTP transport, like `http_proxy` may be used.
+    ///
+    /// Note that http-transport related environment variables prefixed with `GIT_` may also be included here
+    /// if they match this category like `GIT_HTTP_USER_AGENT`.
+    pub http_transport: gix_sec::Permission,
+    /// Control if the `EMAIL` environment variables may be read.
+    ///
+    /// Note that identity related environment variables prefixed with `GIT_` may also be included here
+    /// if they match this category.
+    pub identity: gix_sec::Permission,
+    /// Control if environment variables related to the object database are handled. This includes features and performance
+    /// options alike.
+    pub objects: gix_sec::Permission,
+    /// Control if resources pointed to by `GIT_*` prefixed environment variables can be used, **but only** if they
+    /// are not contained in any other category. This is a catch-all section.
+    pub git_prefix: gix_sec::Permission,
+    /// Control if resources pointed to by `SSH_*` prefixed environment variables can be used (like `SSH_ASKPASS`)
+    pub ssh_prefix: gix_sec::Permission,
+}
+
+impl Environment {
+    /// Allow access to the entire environment.
+    pub fn all() -> Self {
+        let allow = gix_sec::Permission::Allow;
+        Environment {
+            xdg_config_home: allow,
+            home: allow,
+            git_prefix: allow,
+            ssh_prefix: allow,
+            http_transport: allow,
+            identity: allow,
+            objects: allow,
+        }
+    }
+
+    /// Don't allow loading any environment variables.
+    pub fn isolated() -> Self {
+        let deny = gix_sec::Permission::Deny;
+        Environment {
+            xdg_config_home: deny,
+            home: deny,
+            ssh_prefix: deny,
+            git_prefix: deny,
+            http_transport: deny,
+            identity: deny,
+            objects: deny,
+        }
+    }
+}
+
+impl Permissions {
+    /// Secure permissions are similar to `all()`
+    pub fn secure() -> Self {
+        Permissions {
+            env: Environment::all(),
+            config: Config::all(),
+            attributes: Attributes::all(),
+        }
+    }
+
+    /// Everything is allowed with this set of permissions, thus we read all configuration and do what git typically
+    /// does with owned repositories.
+    pub fn all() -> Self {
+        Permissions {
+            env: Environment::all(),
+            config: Config::all(),
+            attributes: Attributes::all(),
+        }
+    }
+
+    /// Don't read any but the local git configuration and deny reading any environment variables.
+    pub fn isolated() -> Self {
+        Permissions {
+            config: Config::isolated(),
+            attributes: Attributes::isolated(),
+            env: Environment::isolated(),
+        }
+    }
+}
+
+impl gix_sec::trust::DefaultForLevel for Permissions {
+    fn default_for_level(level: Trust) -> Self {
+        match level {
+            Trust::Full => Permissions::all(),
+            Trust::Reduced => Permissions::secure(),
+        }
+    }
+}
+
+impl Default for Permissions {
+    fn default() -> Self {
+        Permissions::secure()
+    }
+}
diff --git a/vendor/gix/src/open/repository.rs b/vendor/gix/src/open/repository.rs
index 85dd91da7..c7702b5f6 100644
--- a/vendor/gix/src/open/repository.rs
+++ b/vendor/gix/src/open/repository.rs
@@ -10,7 +10,8 @@ use crate::{
         cache::{interpolate_context, util::ApplyLeniency},
         tree::{gitoxide, Core, Key, Safe},
     },
-    permission, Permissions, ThreadSafeRepository,
+    open::Permissions,
+    ThreadSafeRepository,
 };
 
 #[derive(Default, Clone)]
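Review bot: `Permissions::secure()` is field-for-field identical to `Permissions::all()` (both build from `Environment::all()`, `Config::all()` and `Attributes::all()`), so the `DefaultForLevel` impl at the end of permissions.rs gives a `Trust::Reduced` repository exactly the permissions of a `Trust::Full` one, and the doc comment `/// Secure permissions are similar to \`all()\`` hides that. If reduced trust is meant to be enforced elsewhere (the repository.rs hunk below defaults `filter_config_section` to `config::section::is_trusted`, which looks like the actual gate, though that is inferred), say so on `secure()`, e.g. `/// Currently identical to `all()`; reduced trust is enforced when filtering configuration sections, not here.`; otherwise `secure()` should differ from `all()` in at least the environment-derived sources. Separately, the `system` field of `Attributes` still documents `$(prefix)/etc/gitconfig`, which was carried over from `Config` and does not describe an attributes file.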
@@ -26,7 +27,7 @@ pub(crate) struct EnvironmentOverrides {
 }
 
 impl EnvironmentOverrides {
-    fn from_env() -> Result<Self, permission::env_var::resource::Error> {
+    fn from_env() -> Result<Self, gix_sec::permission::Error<std::path::PathBuf>> {
         let mut worktree_dir = None;
         if let Some(path) = std::env::var_os(Core::WORKTREE.the_environment_override()) {
             worktree_dir = PathBuf::from(path).into();
@@ -146,13 +147,18 @@ impl ThreadSafeRepository {
             lenient_config,
             bail_if_untrusted,
             open_path_as_is: _,
-            permissions: Permissions { ref env, config },
+            permissions:
+                Permissions {
+                    ref env,
+                    config,
+                    attributes,
+                },
             ref api_config_overrides,
             ref cli_config_overrides,
             ref current_dir,
         } = options;
         let current_dir = current_dir.as_deref().expect("BUG: current_dir must be set by caller");
-        let git_dir_trust = git_dir_trust.expect("trust must be been determined by now");
+        let git_dir_trust = git_dir_trust.expect("trust must be determined by now");
 
         // TODO: assure we handle the worktree-dir properly as we can have config per worktree with an extension.
         // This would be something read in later as have to first check for extensions. Also this means
@@ -180,9 +186,7 @@ impl ThreadSafeRepository {
         };
         let head = refs.find("HEAD").ok();
         let git_install_dir = crate::path::install_dir().ok();
-        let home = std::env::var_os("HOME")
-            .map(PathBuf::from)
-            .and_then(|home| env.home.check_opt(home));
+        let home = gix_path::env::home_dir().and_then(|home| env.home.check_opt(home));
         let mut filter_config_section = filter_config_section.unwrap_or(config::section::is_trusted);
 
         let config = config::Cache::from_stage_one(
@@ -192,7 +196,8 @@ impl ThreadSafeRepository {
             filter_config_section,
             git_install_dir.as_deref(),
             home.as_deref(),
-            env.clone(),
+            *env,
+            attributes,
             config,
             lenient_config,
             api_config_overrides,
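Review bot: In the `@@ -146,13 +147,18 @@` hunk the destructuring keeps `ref env` while the sibling `attributes` is bound by value, and the `@@ -192,7 +196,8 @@` hunk then has to write `*env` to hand it to `config::Cache::from_stage_one`; since this commit makes `Environment` `Copy`, binding it by value is the consistent form: `env,` in the pattern and `env,` in the call, with the later `env.home.check_opt(home)` unchanged. The enclosing function starts and ends outside these hunks, so any other use of `env` past the last hunk should be checked before dropping the `ref`.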
@@ -266,7 +271,8 @@ impl ThreadSafeRepository {
             config,
             // used when spawning new repositories off this one when following worktrees
             linked_worktree_options: options,
-            index: gix_features::fs::MutableSnapshot::new().into(),
+            index: gix_fs::SharedFileSnapshotMut::new().into(),
+            shallow_commits: gix_fs::SharedFileSnapshotMut::new().into(),
         })
     }
 }
|