Merge pull request #5611 from chrisd8088/disable-ci-win-path-check

t/t-path.sh: avoid flaky test setup failure on Windows due to new Go path security checks
Chris Darroch 2024-01-10 08:11:37 -08:00 committed by GitHub
commit b405a97c82
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -52,8 +52,35 @@ begin_test "does not look in current directory for git with credential helper"
# below when we are populating LFS objects into a clone of this repo
# (which contains the malicious Git), so for now we remove the malicious
# Git as soon as possible.
#
# As of Go 1.19 we also need to specify the GODEBUG environment variable
# with a value of "execerrdot=0" in order to avoid occasional failures
# our "git add" command below. These failures occur due to a specific
# set of conditions. First, if the last-modified time of the .git/index
# file is within a second of that of z.dat, the "git add" command will
# refresh the Git index (assuming Git was compiled with USE_NSEC=0, as
# appears to be the case for Git for Windows), and Git LFS will be invoked
# to "clean" the z.dat file again.
#
# If that occurs, then when Git LFS runs it looks for Git, and until we
# revise Git LFS to rely on Go's os/exec package to not execute programs
# found in the current working directory (as described in
# https://go.dev/blog/path-security), the os/exec package will detect our
# malicious Git program in the current working directory and report an
# error. This occurs when Git LFS first initializes a new exec.Cmd
# structure, even though Git LFS would then locate the true Git executable
# from our custom PATH and reset the Path member of the Cmd structure
# before trying to execute the program.
#
# Since we explicitly test Git LFS's avoidance of programs in the current
# working directory using the "git-lfs pull" command further below, here
# we just want "git add" to succeed, and so for the time being we disable
# Go's new security checks for this command only. We will revisit this
# when we address the larger issue of re-adopting Go's own logic for
# locating executable programs.
cp "$BINPATH/lfstest-badpathcheck$X" "git$X"
PATH="$BINPATH:$GITPATH:$SHELLPATH" "$GITPATH/git$X" add "git$X"
GODEBUG=execerrdot=0 \
PATH="$BINPATH:$GITPATH:$SHELLPATH" "$GITPATH/git$X" add "git$X"
rm "git$X"
git commit -m "Add files"
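Review bot: the closing "We will revisit this" in the new comment block gives a later reader nothing to search for. Because GODEBUG=execerrdot=0 disables Go's current-directory check for the Git LFS process that this "git add" may spawn, at the moment the malicious git$X is present in the working directory, add a TODO marker or a reference to the tracking issue for re-adopting Go's lookup logic, so the override is removed when that work lands. The override is applied as an environment prefix on the single command, which is the right scope; it should stay that way and not be exported for the rest of the test. Separately, the comment line "in order to avoid occasional failures" followed by "our "git add" command below" is missing a word (probably "of").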