script/windows-installer: check Git program path

chrisd8088 · dscho · chrisd8088 · commit a5b751f541ab · 2022-03-31T13:44:38.000-07:00
When installing and uninstalling Git LFS, the Git LFS
program configures its "clean" and "smudge" Git filters,
and to do this it executes Git so as to change the Git
global configuration (or, optionally, the system-wide,
local user, or worktree-specific configuration).

The Git program executed is the first one found using the
PATH environment variable (and, on Windows, the PATHEXT
environment variable).

Therefore, when installing Git LFS as an administrator with
elevated privileges, final responsibility lies with the
administrator to ensure there are no compromised executables
in their system PATH.

For instance, on Linux the "secure_path" configuration
value might be set in /etc/sudoers before running the command
"sudo git lfs install --system".

We can, however, attempt to assist the administrator on
Windows where we provide a dedicated installer and also
anticipate that Git will be installed under a common set
of directories.

For that reason we update our Inno Setup installer script so
that if it detects that the Git program found with the relevant
PATH and PATHEXT environment variables (either the user or
system ones, depending on the user's role) is not within
either of the "C:\Program Files" or "C:\Program Files (x86)"
directories, then a warning is displayed and the user prompted
to decide whether to continue.

And for convenience, we now report a failure message if no
Git program is found, which avoids subsequent errors during
the installation or uninstallation steps for any user.

Note, though, that if a Windows administrator runs the
"git-lfs.exe install" command manually, the checks we are
adding to the Inno Setup script will not be performed, and
the situation then is no different than a macOS or Linux
user running "sudo git-lfs install" without confidence that
the system PATH and installed Git binary are already secure.

Co-authored-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
diff --git a/script/windows-installer/inno-setup-git-lfs-installer.iss b/script/windows-installer/inno-setup-git-lfs-installer.iss
@@ -59,9 +59,9 @@ WizardSmallImageFile=git-lfs-logo.bmp
 Name: "english"; MessagesFile: "compiler:Default.isl"
 
 [Files]
-Source: {#PathToX86Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsX86
-Source: {#PathToX64Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsX64
-Source: {#PathToARM64Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsARM64
+Source: {#PathToX86Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsX86 and GitFoundInPath
+Source: {#PathToX64Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsX64 and GitFoundInPath
+Source: {#PathToARM64Binary}; DestDir: "{app}"; Flags: ignoreversion; DestName: "git-lfs.exe"; AfterInstall: InstallGitLFS; Check: IsARM64 and GitFoundInPath
 
 [Registry]
 Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; Check: IsAdminLoggedOn and NeedsAddPath('{app}')
@@ -101,6 +101,56 @@ begin
     Result := Pos(';' + UpperCase(ParamExpanded) + '\;', ';' + UpperCase(OrigPath) + ';') = 0;
 end;
 
+// Verify that a Git executable is found in the PATH, and if it does not
+// reside in either 'C:\Program Files' or 'C:\Program Files (x86)', warn
+// the user in case it is not the Git installation they expected.
+function GitFoundInPath(): boolean;
+var
+  PFiles32,PFiles64: string;
+  PathEnv,Path: string;
+  PathExt,Ext: string;
+  i,j: integer;
+begin
+  Result := False;
+  PFiles32 := ExpandConstant('{commonpf32}\')
+  PFiles64 := ExpandConstant('{commonpf64}\')
+
+  PathEnv := GetEnv('PATH') + ';';
+  repeat
+    i := Pos(';', PathEnv);
+    Path := Copy(PathEnv, 1, i-1) + '\git';
+    PathEnv := Copy(PathEnv, i+1, Length(PathEnv)-i);
+
+    PathExt := GetEnv('PATHEXT') + ';';
+    repeat
+      j := Pos(';', PathExt);
+      Ext := Copy(PathExt, 1, j-1);
+      PathExt := Copy(PathExt, j+1, Length(PathExt)-j);
+
+      if FileExists(Path + Ext) then begin
+        if (Pos(PFiles32, Path) = 1) or (Pos(PFiles64, Path) = 1) then begin
+          Result := True;
+          Exit;
+        end;
+        Log('Warning: Found Git in unexpected location: "' + Path + Ext + '"');
+        Result := (SuppressibleMsgBox(
+          'An executable Git program was found in an unexpected location outside of Program Files:' + #13+#10 +
+          '  "' + Path + Ext + '"' + #13+#10 +
+          'If this looks dubious, Git LFS should not be registered using it.' + #13+#10 + #13+#10 +
+          'Do you want to register Git LFS using this Git program?',
+          mbConfirmation, MB_YESNO, IDNO) = IDYES);
+        if Result then
+          Log('Using Git found at: "' + Path + Ext + '"')
+        else
+          Log('Refusing to use Git found at: "' + Path + Ext + '"');
+        Exit;
+      end;
+    until Result or (PathExt = '');
+  until Result or (PathEnv = '');
+  SuppressibleMsgBox(
+    'Could not find Git; can not proceed.', mbError, MB_OK, IDOK);
+end;
+
 // Runs the lfs initialization.
 procedure InstallGitLFS();
 var
@@ -122,10 +172,14 @@ function InitializeUninstall(): Boolean;
 var
   ResultCode: integer;
 begin
-  Exec(
-    ExpandConstant('{cmd}'),
-    ExpandConstant('/C ""{app}\git-lfs.exe" uninstall"'),
-    '', SW_HIDE, ewWaitUntilTerminated, ResultCode
-  );
-  Result := True;
+  Result := False;
+
+  if GitFoundInPath() then begin
+    Exec(
+      ExpandConstant('{cmd}'),
+      ExpandConstant('/C ""{app}\git-lfs.exe" uninstall"'),
+      '', SW_HIDE, ewWaitUntilTerminated, ResultCode
+    );
+    Result := True;
+  end;
 end;
