Junio C Hamano <gitster@xxxxxxxxx> writes:

> In the previous commit, we created a helper function to house the
> logic that checks if a directory that looks like a bare repository
> is actually a part of a non-bare repository. Extend the helper
> function to also check if the apparent bare-repository is a $GIT_DIR
> of a secondary worktree, by checking three things:
>
> * The path to the $GIT_DIR must be a subdirectory of
> ".git/worktrees/", which is the primary worktree [*].
>
> * Such $GIT_DIR must have file "gitdir", that records the path of
> the ".git" file that is at the root level of the secondary
> worktree.
>
> * That ".git" file in turn points back at the $GIT_DIR we are
> inspecting.
>
> The latter two points are merely for checking sanity. The security
> lies in the first requirement.
>
> Remember that a tree object with an entry whose pathname component
> is ".git" is forbidden at various levels (fsck, object transfer and
> checkout), so malicious projects cannot cause users to clone and
> checkout a crafted ".git" directory in a shell directory that
> pretends to be a working tree with that ".git" thing at its root
> level. That is where 45bb9162 (setup: allow cwd=.git w/
> bareRepository=explicit, 2024-01-20) draws its security guarantee
> from. And the solution for secondary worktrees in this commit draws
> its security guarantee from the same place.

I wrote the "[*]" mark but forgot to add a footnote with additional
information for it. Something like this was what I had in mind to write
there:

[Footnote]

* This does not help folks who create a new worktree out of a bare
repository, because in their set-up, there won't be "/.git/" in front
of the "worktrees" directory. It is fundamentally impossible to lift
this limitation, as long as safe.bareRepository is considered to be a
meaningful security measure.

The security of both the loosening for a secondary worktree's GIT_DIR
and the loosening for the GIT_DIR of the primary worktree hinges on
the fact that a ".git/" directory is impossible to create as a payload
to be cloned.
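As an added illustration, not code from git's own setup.c, the three checks described in the quoted commit message applied to a worktree layout built by hand (so it runs without git installed); the function names, the "feature" worktree name and the "repo.git" directory used to model the bare-primary case from the footnote are assumptions:

```python
import os
import tempfile

def is_secondary_worktree_gitdir(gitdir: str) -> bool:
    """Hypothetical re-implementation of the three checks; not git's setup.c."""
    gitdir = os.path.realpath(gitdir)
    # 1. The only check with security weight: $GIT_DIR must sit under
    #    "<primary>/.git/worktrees/". A ".git" entry cannot arrive via clone.
    parent = os.path.dirname(gitdir)           # <primary>/.git/worktrees
    if os.path.basename(parent) != "worktrees" \
            or os.path.basename(os.path.dirname(parent)) != ".git":
        return False
    # 2. Sanity: "gitdir" records the path of the secondary worktree's ".git" file.
    try:
        with open(os.path.join(gitdir, "gitdir")) as f:
            dotgit_file = f.read().strip()
    except OSError:
        return False
    if os.path.basename(dotgit_file) != ".git" or not os.path.isfile(dotgit_file):
        return False
    # 3. Sanity: that ".git" file points back at the $GIT_DIR being inspected.
    with open(dotgit_file) as f:
        line = f.read().strip()
    if not line.startswith("gitdir: "):
        return False
    return os.path.realpath(line[len("gitdir: "):]) == gitdir

def build_layout(root: str, primary_dotgit: str = ".git") -> str:
    """Construct (by hand, not via git) the shape `git worktree add` leaves on
    disk. ".git" models a non-bare primary; "repo.git" models the bare case
    from the footnote. Returns the secondary worktree's $GIT_DIR."""
    gitdir = os.path.join(root, "primary", primary_dotgit, "worktrees", "feature")
    dotgit_file = os.path.join(root, "feature", ".git")
    os.makedirs(gitdir)
    os.makedirs(os.path.dirname(dotgit_file))
    with open(os.path.join(gitdir, "gitdir"), "w") as f:
        f.write(dotgit_file + "\n")
    with open(dotgit_file, "w") as f:
        f.write("gitdir: " + gitdir + "\n")
    return gitdir

def demo():
    """Returns (non-bare primary accepted, bare primary rejected)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (is_secondary_worktree_gitdir(build_layout(a)),
                is_secondary_worktree_gitdir(build_layout(b, "repo.git")))

if __name__ == "__main__":
    print(demo())
```

The second result shows the footnote's limitation in action: a worktree created from a bare repository fails the first check even though its "gitdir" and ".git" back-pointers are consistent.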