rugged 1.3.2.1 → 1.3.2.3

data/vendor/libgit2/src/path.c

@@ -2024,9 +2024,9 @@ done:
 	return supported;
 }
 
-static git_path__mock_owner_t mock_owner = GIT_PATH_MOCK_OWNER_NONE;
+static git_path_owner_t mock_owner = GIT_PATH_OWNER_NONE;
 
-void git_path__set_owner(git_path__mock_owner_t owner)
+void git_path__set_owner(git_path_owner_t owner)
 {
 	mock_owner = owner;
 }
@@ -2118,74 +2118,52 @@ static int file_owner_sid(PSID *out, const char *path)
 	return error;
 }
 
-int git_path_owner_is_current_user(bool *out, const char *path)
+int git_path_owner_is(
+	bool *out,
+	const char *path,
+	git_path_owner_t owner_type)
 {
 	PSID owner_sid = NULL, user_sid = NULL;
-	int error = -1;
+	BOOL is_admin, admin_owned;
+	int error;
 
 	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_CURRENT_USER);
+		*out = ((mock_owner & owner_type) != 0);
 		return 0;
 	}
 
-	if ((error = file_owner_sid(&owner_sid, path)) < 0 ||
-	    (error = current_user_sid(&user_sid)) < 0)
+	if ((error = file_owner_sid(&owner_sid, path)) < 0)
 		goto done;
 
-	*out = EqualSid(owner_sid, user_sid);
-	error = 0;
-
-done:
-	git__free(owner_sid);
-	git__free(user_sid);
-	return error;
-}
-
-int git_path_owner_is_system(bool *out, const char *path)
-{
-	PSID owner_sid;
-
-	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_SYSTEM);
-		return 0;
-	}
-
-	if (file_owner_sid(&owner_sid, path) < 0)
-		return -1;
-
-	*out = IsWellKnownSid(owner_sid, WinBuiltinAdministratorsSid) ||
-	       IsWellKnownSid(owner_sid, WinLocalSystemSid);
+	if ((owner_type & GIT_PATH_OWNER_CURRENT_USER) != 0) {
+		if ((error = current_user_sid(&user_sid)) < 0)
+			goto done;
 
-	git__free(owner_sid);
-	return 0;
-}
-
-int git_path_owner_is_system_or_current_user(bool *out, const char *path)
-{
-	PSID owner_sid = NULL, user_sid = NULL;
-	int error = -1;
-
-	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_SYSTEM ||
-		        mock_owner == GIT_PATH_MOCK_OWNER_CURRENT_USER);
-		return 0;
+		if (EqualSid(owner_sid, user_sid)) {
+			*out = true;
+			goto done;
+		}
 	}
 
-	if (file_owner_sid(&owner_sid, path) < 0)
-		goto done;
+	admin_owned =
+		IsWellKnownSid(owner_sid, WinBuiltinAdministratorsSid) ||
+		IsWellKnownSid(owner_sid, WinLocalSystemSid);
 
-	if (IsWellKnownSid(owner_sid, WinBuiltinAdministratorsSid) ||
-	    IsWellKnownSid(owner_sid, WinLocalSystemSid)) {
-		*out = 1;
-		error = 0;
+	if (admin_owned &&
+	    (owner_type & GIT_PATH_OWNER_ADMINISTRATOR) != 0) {
+		*out = true;
 		goto done;
 	}
 
-	if (current_user_sid(&user_sid) < 0)
+	if (admin_owned &&
+	    (owner_type & GIT_PATH_USER_IS_ADMINISTRATOR) != 0 &&
+	    CheckTokenMembership(NULL, owner_sid, &is_admin) &&
+	    is_admin) {
+		*out = true;
 		goto done;
+	}
 
-	*out = EqualSid(owner_sid, user_sid);
-	error = 0;
+	*out = false;
 
 done:
 	git__free(owner_sid);
@@ -2195,12 +2173,36 @@ done:
 
 #else
 
-static int path_owner_is(bool *out, const char *path, uid_t *uids, size_t uids_len)
+static int sudo_uid_lookup(uid_t *out)
+{
+	git_buf uid_str = GIT_BUF_INIT;
+	int64_t uid;
+	int error;
+
+	if ((error = git__getenv(&uid_str, "SUDO_UID")) == 0 &&
+	    (error = git__strntol64(&uid, uid_str.ptr, uid_str.size, NULL, 10)) == 0 &&
+	    uid == (int64_t)((uid_t)uid)) {
+		*out = (uid_t)uid;
+	}
+
+	git_buf_dispose(&uid_str);
+	return error;
+}
+
+int git_path_owner_is(
+	bool *out,
+	const char *path,
+	git_path_owner_t owner_type)
 {
 	struct stat st;
-	size_t i;
+	uid_t euid, sudo_uid;
 
-	*out = false;
+	if (mock_owner) {
+		*out = ((mock_owner & owner_type) != 0);
+		return 0;
+	}
+
+	euid = geteuid();
 
 	if (p_lstat(path, &st) != 0) {
 		if (errno == ENOENT)
@@ -2210,51 +2212,38 @@ static int path_owner_is(bool *out, const char *path, uid_t *uids, size_t uids_l
 		return -1;
 	}
 
-	for (i = 0; i < uids_len; i++) {
-		if (uids[i] == st.st_uid) {
-			*out = true;
-			break;
-		}
+	if ((owner_type & GIT_PATH_OWNER_CURRENT_USER) != 0 &&
+	    st.st_uid == euid) {
+		*out = true;
+		return 0;
 	}
 
-	return 0;
-}
-
-int git_path_owner_is_current_user(bool *out, const char *path)
-{
-	uid_t userid = geteuid();
-
-	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_CURRENT_USER);
+	if ((owner_type & GIT_PATH_OWNER_ADMINISTRATOR) != 0 &&
+	    st.st_uid == 0) {
+		*out = true;
 		return 0;
 	}
 
-	return path_owner_is(out, path, &userid, 1);
-}
-
-int git_path_owner_is_system(bool *out, const char *path)
-{
-	uid_t userid = 0;
-
-	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_SYSTEM);
+	if ((owner_type & GIT_PATH_OWNER_RUNNING_SUDO) != 0 &&
+	    euid == 0 &&
+	    sudo_uid_lookup(&sudo_uid) == 0 &&
+	    st.st_uid == sudo_uid) {
+		*out = true;
 		return 0;
 	}
 
-	return path_owner_is(out, path, &userid, 1);
+	*out = false;
+	return 0;
 }
 
-int git_path_owner_is_system_or_current_user(bool *out, const char *path)
-{
-	uid_t userids[2] = { geteuid(), 0 };
-
-	if (mock_owner) {
-		*out = (mock_owner == GIT_PATH_MOCK_OWNER_SYSTEM ||
-		        mock_owner == GIT_PATH_MOCK_OWNER_CURRENT_USER);
-		return 0;
-	}
+#endif
 
-	return path_owner_is(out, path, userids, 2);
+int git_path_owner_is_current_user(bool *out, const char *path)
+{
+	return git_path_owner_is(out, path, GIT_PATH_OWNER_CURRENT_USER);
 }
 
-#endif
+int git_path_owner_is_system(bool *out, const char *path)
+{
+	return git_path_owner_is(out, path, GIT_PATH_OWNER_ADMINISTRATOR);
+}

data/vendor/libgit2/src/path.h

@@ -723,18 +723,42 @@ int git_path_normalize_slashes(git_buf *out, const char *path);
 bool git_path_supports_symlinks(const char *dir);
 
 typedef enum {
-	GIT_PATH_MOCK_OWNER_NONE = 0, /* do filesystem lookups as normal */
-	GIT_PATH_MOCK_OWNER_SYSTEM = 1,
-	GIT_PATH_MOCK_OWNER_CURRENT_USER = 2,
-	GIT_PATH_MOCK_OWNER_OTHER = 3
-} git_path__mock_owner_t;
+	GIT_PATH_OWNER_NONE = 0,
+
+	/** The file must be owned by the current user. */
+	GIT_PATH_OWNER_CURRENT_USER = (1 << 0),
+
+	/** The file must be owned by the system account. */
+	GIT_PATH_OWNER_ADMINISTRATOR = (1 << 1),
+
+	/**
+	 * The file may be owned by a system account if the current
+	 * user is in an administrator group. Windows only; this is
+	 * a noop on non-Windows systems.
+	 */
+	GIT_PATH_USER_IS_ADMINISTRATOR = (1 << 2),
+
+	/**
+	 * The file is owned by the current user, who is running `sudo`.
+	 */
+	GIT_PATH_OWNER_RUNNING_SUDO = (1 << 3),
+
+	/** The file may be owned by another user. */
+	GIT_PATH_OWNER_OTHER = (1 << 4)
+} git_path_owner_t;
 
 /**
  * Sets the mock ownership for files; subsequent calls to
- * `git_path_owner_is_*` functions will return this data until cleared
- * with `GIT_PATH_MOCK_OWNER_NONE`.
+ * `git_path_owner_is_*` functions will return this data until
+ * cleared with `GIT_FS_PATH_OWNER_NONE`.
  */
-void git_path__set_owner(git_path__mock_owner_t owner);
+void git_path__set_owner(git_path_owner_t owner);
+
+/** Verify that the file in question is owned by the given owner. */
+int git_path_owner_is(
+	bool *out,
+	const char *path,
+	git_path_owner_t owner_type);
 
 /**
  * Verify that the file in question is owned by an administrator or system
@@ -748,10 +772,4 @@ int git_path_owner_is_system(bool *out, const char *path);
 
 int git_path_owner_is_current_user(bool *out, const char *path);
 
-/**
- * Verify that the file in question is owned by an administrator or system
- * account _or_ the current user;
- */
-int git_path_owner_is_system_or_current_user(bool *out, const char *path);
-
 #endif

data/vendor/libgit2/src/repository.c

@@ -487,7 +487,7 @@ static int read_gitfile(git_buf *path_out, const char *file_path)
 typedef struct {
 	const char *repo_path;
 	git_buf tmp;
-	bool is_safe;
+	bool *is_safe;
 } validate_ownership_data;
 
 static int validate_ownership_cb(const git_config_entry *entry, void *payload)
@@ -495,49 +495,102 @@ static int validate_ownership_cb(const git_config_entry *entry, void *payload)
 	validate_ownership_data *data = payload;
 
 	if (strcmp(entry->value, "") == 0)
-		data->is_safe = false;
+		*data->is_safe = false;
 
 	if (git_path_prettify_dir(&data->tmp, entry->value, NULL) == 0 &&
 	    strcmp(data->tmp.ptr, data->repo_path) == 0)
-		data->is_safe = true;
+		*data->is_safe = true;
 
 	return 0;
 }
 
-static int validate_ownership(const char *repo_path)
+static int validate_ownership_config(bool *is_safe, const char *path)
 {
-	git_config *config = NULL;
-	validate_ownership_data data = { repo_path, GIT_BUF_INIT, false };
-	bool is_safe;
+	validate_ownership_data ownership_data = {
+		path, GIT_BUF_INIT, is_safe
+	};
+	git_config *config;
 	int error;
 
-	if ((error = git_path_owner_is_current_user(&is_safe, repo_path)) < 0) {
-		if (error == GIT_ENOTFOUND)
-			error = 0;
+	if (load_global_config(&config) != 0)
+		return 0;
 
-		goto done;
-	}
+	error = git_config_get_multivar_foreach(config,
+		"safe.directory", NULL,
+		validate_ownership_cb,
+		&ownership_data);
+
+	git_config_free(config);
+	git_buf_dispose(&ownership_data.tmp);
+
+	return error;
+}
+
+static int validate_ownership_path(bool *is_safe, const char *path)
+{
+	git_path_owner_t owner_level =
+		GIT_PATH_OWNER_CURRENT_USER |
+		GIT_PATH_USER_IS_ADMINISTRATOR |
+		GIT_PATH_OWNER_RUNNING_SUDO;
+	int error = 0;
 
-	if (is_safe) {
+	if (path)
+		error = git_path_owner_is(is_safe, path, owner_level);
+
+	if (error == GIT_ENOTFOUND) {
+		*is_safe = true;
 		error = 0;
-		goto done;
 	}
 
-	if (load_global_config(&config) == 0) {
-		error = git_config_get_multivar_foreach(config, "safe.directory", NULL, validate_ownership_cb, &data);
+	return error;
+}
+
+static int validate_ownership(git_repository *repo)
+{
+	const char *validation_paths[3] = { NULL }, *path;
+	size_t validation_len = 0, i;
+	bool is_safe = false;
+	int error = 0;
+
+	/*
+	 * If there's a worktree, validate the permissions to it *and*
+	 * the git directory, and use the worktree as the configuration
+	 * key for allowlisting the directory. In a bare setup, only
+	 * look at the gitdir and use that as the allowlist. So we
+	 * examine all `validation_paths` but use only the first as
+	 * the configuration lookup.
+	 */
+
+	if (repo->workdir)
+		validation_paths[validation_len++] = repo->workdir;
+
+	if (repo->gitlink)
+		validation_paths[validation_len++] = repo->gitlink;
 
-		if (!error && data.is_safe)
+	validation_paths[validation_len++] = repo->gitdir;
+
+	for (i = 0; i < validation_len; i++) {
+		path = validation_paths[i];
+
+		if ((error = validate_ownership_path(&is_safe, path)) < 0)
 			goto done;
+
+		if (!is_safe)
+			break;
 	}
 
-	git_error_set(GIT_ERROR_CONFIG,
-		"repository path '%s' is not owned by current user",
-		repo_path);
-	error = GIT_EOWNER;
+	if (is_safe ||
+	    (error = validate_ownership_config(&is_safe, validation_paths[0])) < 0)
+		goto done;
+
+	if (!is_safe) {
+		git_error_set(GIT_ERROR_CONFIG,
+			"repository path '%s' is not owned by current user",
+			path);
+		error = GIT_EOWNER;
+	}
 
 done:
-	git_config_free(config);
-	git_buf_dispose(&data.tmp);
 	return error;
 }
 
@@ -914,7 +967,6 @@ int git_repository_open_ext(
 		gitlink = GIT_BUF_INIT, commondir = GIT_BUF_INIT;
 	git_repository *repo = NULL;
 	git_config *config = NULL;
-	const char *validation_path;
 	int version = 0;
 
 	if (flags & GIT_REPOSITORY_OPEN_FROM_ENV)
@@ -973,12 +1025,11 @@ int git_repository_open_ext(
 	}
 
 	/*
-	 * Ensure that the git directory is owned by the current user.
+	 * Ensure that the git directory and worktree are
+	 * owned by the current user.
 	 */
-	validation_path = repo->is_bare ? repo->gitdir : repo->workdir;
-
 	if (git_repository__validate_ownership &&
-	    (error = validate_ownership(validation_path)) < 0)
+	    (error = validate_ownership(repo)) < 0)
 		goto cleanup;
 
 cleanup:

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rugged
 version: !ruby/object:Gem::Version
-  version: 1.3.2.1
+  version: 1.3.2.3
 platform: ruby
 authors:
 - Scott Chacon
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-16 00:00:00.000000000 Z
+date: 2022-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -697,7 +697,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Rugged is a Ruby binding to the libgit2 linkable library