From 0d1a6a4d1fa18ee1048f9794fb497eda1c2b28df Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Sat, 2 Dec 2017 23:19:24 -0800
Subject: [PATCH 1/1] GitInfo: Fix shell restrictions for submodules

Submodules have their git directory in the master repository's directory (../.git/modules/). firejail does not allow whitelisted paths to have ".." in them, so use realpath() to get rid of that. `git show` still wants to be able to access the main repository directory though, so we also need to whitelist the $repoDir itself.

Bug: T181919
Change-Id: I928df92b47733bc7fbb9c796bcfc1504d4a4598c
---
 includes/GitInfo.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/includes/GitInfo.php b/includes/GitInfo.php
index f170a025f7..fb75c256d6 100644
--- a/includes/GitInfo.php
+++ b/includes/GitInfo.php
@@ -37,6 +37,11 @@ class GitInfo {
 */
 protected $basedir;
 
+ /**
+ * Location of the repository
+ */
+ protected $repoDir;
+
 /**
 * Path to JSON cache file for pre-computed git information.
 */
@@ -58,6 +63,7 @@ class GitInfo {
 * @see precomputeValues
 */
 public function __construct( $repoDir, $usePrecomputed = true ) {
+ $this->repoDir = $repoDir;
 $this->cacheFile = self::getCacheFilePath( $repoDir );
 wfDebugLog( 'gitinfo',
 "Computed cacheFile={$this->cacheFile} for {$repoDir}"
@@ -230,10 +236,11 @@ class GitInfo {
 '--format=format:%ct',
 'HEAD',
 ];
+ $gitDir = realpath( $this->basedir );
 $result = Shell::command( $cmd )
- ->environment( [ 'GIT_DIR' => $this->basedir ] )
+ ->environment( [ 'GIT_DIR' => $gitDir ] )
 ->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
- ->whitelistPaths( [ $this->basedir ] )
+ ->whitelistPaths( [ $gitDir, $this->repoDir ] )
 ->execute();
 
 if ( $result->getExitCode() === 0 ) {
-- 
2.20.1
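Review bot: `realpath( $this->basedir )` returns `false` when the path cannot be resolved, and in the last hunk that value goes unchecked into both `GIT_DIR` and `whitelistPaths()`; a guard such as `if ( $gitDir === false ) {` ahead of `Shell::command( $cmd )`, taking the method's existing failure path, would keep a bogus entry out of the sandbox configuration. `$this->repoDir` is whitelisted exactly as it was passed to the constructor, so a relative path or one containing `..` would presumably hit the same firejail rejection the commit message describes; running it through `realpath()` with the same check would cover that. Whitelisting the whole repository directory also lets the restricted `git show` read every file under it, not only git metadata, so a comment on that line such as `// git show needs the work tree; this exposes everything under $repoDir to the sandboxed process` would tell later reviewers that the wider grant is deliberate. The enclosing method starts and ends outside the hunk, so its failure return value is not visible here.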