Add git config protocol.file.allow=always to tests#1895
Merged
This was disabled due to a [security vulnerability in git](https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253). The test TestCheckingOutLocalGitProjectWithSubmodules was only passing in CI because we run a version of git in CI that did not receive the patch. One solution would have been to set protocol.file.allow=always globally. However, that would mean that anyone who ran the tests would expose their environment to that vulnerability, and permanently if the global config was not unset afterwards.
Co-authored-by: Josh Deprez <[email protected]>
triarius commented Jan 2, 2023
This was disabled upstream due to a security vulnerability in git. That caused the test TestCheckingOutLocalGitProjectWithSubmodules to fail. It has only been passing in CI because we run a version of git in CI that did not receive the patch.
One solution would have been to set `protocol.file.allow=always` globally. However, that would mean that anyone who ran the tests would expose their environment to that vulnerability, and permanently if the global config were not unset afterwards.
Thus, in this PR, the config is only applied for the commands that need it. As one such command was in the default checkout hook, a configuration option was added so that the config would only be enabled in the test that needed it.
There is also some very minor clone cleanup in a separate commit.
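The scoping described in the PR description above, as an added example that is not code from this pull request or its project: the override is passed with `git -c` to a single invocation and only when a caller opts in. `GitRunner`, `AllowFileProtocol` and the set of subcommands in `needsFileProtocol` are hypothetical names and assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
)

// Per-invocation form of the setting: with -c it applies to one git process
// only and is never written to the global or repository config.
const fileProtocolOverride = "protocol.file.allow=always"

// Assumption: the subcommands that fetch submodules over file://.
var needsFileProtocol = map[string]bool{"clone": true, "submodule": true}

// GitRunner is a hypothetical wrapper. AllowFileProtocol is the opt-in
// switch; its zero value keeps git's patched default in force.
type GitRunner struct {
	Dir               string
	AllowFileProtocol bool
}

// Args returns the arguments passed to git. The override is added only when
// the caller opted in AND the subcommand is one that needs it; -c has to
// come before the subcommand name.
func (r GitRunner) Args(sub ...string) []string {
	if !r.AllowFileProtocol || len(sub) == 0 || !needsFileProtocol[sub[0]] {
		return sub
	}
	return append([]string{"-c", fileProtocolOverride}, sub...)
}

// Command builds the git invocation without running it.
func (r GitRunner) Command(sub ...string) *exec.Cmd {
	cmd := exec.Command("git", r.Args(sub...)...)
	cmd.Dir = r.Dir
	return cmd
}

func main() {
	production := GitRunner{}                      // default: override off
	testOnly := GitRunner{AllowFileProtocol: true} // set by the one test that needs it
	fmt.Println(production.Command("submodule", "update", "--init").Args)
	fmt.Println(testOnly.Command("submodule", "update", "--init").Args)
	fmt.Println(testOnly.Command("fetch", "origin").Args)
}
```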