1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
Author: Robbert van Ginkel <rvanginkel@buf.build>
Date: Thu Oct 20 16:43:28 2022 -0400
Fix git unit test by using fake git server rather than file:// (#1518)
More recent versions of git fix a CVE by disabling some usage of the
`file://` transport, see
https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
We were using this transport in tests.
Instead, use https://git-scm.com/docs/git-http-backend to serve up this
repository locally so we don't have to use the file protocol. This
should be a more accurate tests, since we mostly expect submodules to
come from servers.
diff --git a/.golangci.yml b/.golangci.yml
index 318d1171..865e03e7 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -136,3 +136,8 @@ issues:
- linters:
- containedctx
path: private/bufpkg/bufmodule/bufmoduleprotocompile
+ # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
+ - linters:
+ - gosec
+ path: private/pkg/git/git_test.go
+ text: "G504:"
diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
index 7b77b6cd..7132054e 100644
--- a/private/pkg/git/git_test.go
+++ b/private/pkg/git/git_test.go
@@ -17,6 +17,8 @@ package git
import (
"context"
"errors"
+ "net/http/cgi"
+ "net/http/httptest"
"os"
"os/exec"
"path/filepath"
@@ -213,6 +215,21 @@ func createGitDirs(
runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+ gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
+ require.NoError(t, err)
+ t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
+ // https://git-scm.com/docs/git-http-backend#_description
+ f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
+ require.NoError(t, err)
+ require.NoError(t, f.Close())
+ server := httptest.NewServer(&cgi.Handler{
+ Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
+ Dir: submodulePath,
+ Env: []string{"GIT_PROJECT_ROOT=" + submodulePath},
+ })
+ t.Cleanup(server.Close)
+ submodulePath = server.URL
+
originPath := filepath.Join(tmpDir, "origin")
require.NoError(t, os.MkdirAll(originPath, 0777))
runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
|