On 05/05/2022 10:40, Phillip Wood wrote:
[...]
To avoid that, extend the ensure_valid_ownership function to be able to
check for ownership of both the worktree and the gitdir, and use that for
non-bare repositories.
Looking at the code below it now only ever checks the ownership of the
gitdir, it no longer checks the ownership of the worktree. I haven't
really thought through what happens if I cd into a worktree added by an
attacker to a repository that I own which has extensions.worktreeConfig
set. My initial thought is that if they can add a worktree then they can
probably edit the repository config anyway but I wonder if an attacker
can set GIT_COMMON_DIR to a directory where they have write permission
to add a worktree to a repository where they don't have write permission.
Thinking about this some more, I don't think setting GIT_COMMON_DIR
while running "git worktree add" will help an attacker as the worktree's
gitdir is created under the main gitdir. I've had a bit of a think and
I've not been able to come up with a scenario where GIT_DIR and
GIT_COMMON_DIR have different owners that is exploitable but it might be
worth someone else checking I've not missed something.
Best Wishes
Phillip