Include shell path in restricted PATH in credential helper path test #4959
chrisd8088 merged 1 commit into git-lfs:main from Apr 25, 2022
In commit 11092ef as part of our response to CVE-2022-24826 we revised the "does not look in current directory for git with credential helper" test (which was first added in commit 10c4ffc to check for the issue in CVE-2021-21237) to use a new helper program which simulates a malicious Git executable. In order to avoid invoking this executable while setting up the test conditions we generally remove it from the working directory as soon as possible, but we have to at least leave it there while running "git add git.exe" in order to add it to the current Git index. Therefore we now explicitly set the PATH environment variable before running this command to include a minimal set of necessary directories, specifically the ones for the real Git executable and our test Git LFS executable. However, since in some cases our CI tests fail because "git add" wants to run a shell script and the "sh.exe" binary is not available in our restricted PATH, we add that binary's location to the PATH we use when running "git add git.exe" in this test.
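The restricted PATH described above can be sketched in POSIX shell as follows. This is an added example, not code from the Git LFS test suite; `minimal_path`, `demo`, `fakegit` and `fakesh` are constructed stand-ins for the real Git executable, `sh.exe` and the simulated malicious `git.exe`.

```shell
#!/bin/sh
# Added example, not git-lfs test code; all program names are constructed.

# minimal_path PROG...: print a ':'-joined PATH holding only the directories
# of the named programs. Fails if a program is missing or is not a file on
# disk (for example a shell builtin or function).
minimal_path() {
  out=""
  for prog in "$@"; do
    full=$(command -v "$prog") || { echo "not found: $prog" >&2; return 1; }
    case "$full" in /*) ;; *) echo "not a file: $prog" >&2; return 1 ;; esac
    dir=$(dirname "$full")
    case ":$out:" in
      *":$dir:"*) ;;                    # directory already listed
      *) out="${out:+$out:}$dir" ;;
    esac
  done
  printf '%s\n' "$out"
}

# demo MODE: run "fakegit" from a directory that holds a decoy of the same
# name, under a PATH built by minimal_path. MODE "with-shell" also lists the
# helper's directory. Prints fakegit's output and returns its exit status.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/gitbin" "$tmp/shbin" "$tmp/work"
  # stand-in for the real git: needs a helper found via PATH, like "git add"
  printf '#!/bin/sh\nfakesh\n' > "$tmp/gitbin/fakegit"
  # stand-in for sh.exe
  printf '#!/bin/sh\necho real\n' > "$tmp/shbin/fakesh"
  # stand-in for the simulated malicious executable in the working directory
  printf '#!/bin/sh\necho decoy\n' > "$tmp/work/fakegit"
  chmod +x "$tmp/gitbin/fakegit" "$tmp/shbin/fakesh" "$tmp/work/fakegit"
  if [ "$1" = with-shell ]; then progs="fakegit fakesh"; else progs="fakegit"; fi
  # resolve the programs with the stand-in directories visible, in a subshell
  safe=$(PATH="$tmp/gitbin:$tmp/shbin:$PATH"; minimal_path $progs)
  status=0
  result=$(cd "$tmp/work" && PATH="$safe" && fakegit 2>/dev/null) || status=$?
  rm -rf "$tmp"
  printf '%s\n' "$result"
  return "$status"
}
```

Without the helper's directory the stand-in fails with status 127 (command not found), which mirrors the CI failure the description attributes to the missing `sh.exe`; with it, the real stand-in runs and the decoy in the working directory is never resolved.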
bk2204 approved these changes on Apr 25, 2022
In commit 11092ef as part of our response to CVE-2022-24826 we revised the "does not look in current directory for git with credential helper" test (which was first added in commit 10c4ffc to check for the issue in CVE-2021-21237) to use a new helper program which simulates a malicious Git executable.
In order to avoid invoking this executable while setting up our test conditions we generally remove it from the working directory as soon as possible, but we have to at least leave it there while running git add git.exe in order to add it to the current Git index. Therefore we now explicitly set the PATH environment variable before running this command to include a minimal set of necessary directories, specifically the ones for the real Git executable and our test Git LFS executable.
However, since in some cases our CI tests fail because git add wants to run a shell script and the sh.exe binary is not available in our restricted PATH, we add that binary's location to the PATH we use when running git add git.exe in this test. The specific error seen in some CI runs is as follows; the z.dat file is added to the index in a prior step: