change!: remove Permissions::git_dir field entirely.

It was meant to help dealing with bailing out if the git dir isn't
fully trusted, but the way this was done was over-engineered especially
since the read-only permission level wasn't implemented at all.

That function is now performed by a new flag, the `bail_on_untrusted`
which is off by default.

Author: Byron

git-repository/src/open.rs

@@ -68,6 +68,7 @@ pub struct Options {
     pub(crate) git_dir_trust: Option<git_sec::Trust>,
     pub(crate) filter_config_section: Option<fn(&git_config::file::Metadata) -> bool>,
     pub(crate) lossy_config: Option<bool>,
+    pub(crate) bail_if_untrusted: bool,
 }
 
 #[derive(Default, Clone)]
@@ -118,7 +119,6 @@ impl Options {
                     git_prefix: deny,
                 }
             },
-            ..Permissions::default()
         })
     }
 }
@@ -166,6 +166,17 @@ impl Options {
         self
     }
 
+    /// If true, default false, and if the repository's trust level is not `Full`
+    /// (see [`with()`][Self::with()] for more), then the open operation will fail.
+    ///
+    /// Use this to mimic `git`s way of handling untrusted repositories. Note that `gitoxide` solves
+    /// this by not using configuration from untrusted sources and by generally being secured against
+    /// doctored input files which at worst could cause out-of-memory at the time of writing.
+    pub fn bail_if_untrusted(mut self, toggle: bool) -> Self {
+        self.bail_if_untrusted = toggle;
+        self
+    }
+
     /// Set the filter which determines if a configuration section can be used to read values from,
     /// hence it returns true if it is eligible.
     ///
@@ -201,13 +212,15 @@ impl git_sec::trust::DefaultForLevel for Options {
                 git_dir_trust: git_sec::Trust::Full.into(),
                 filter_config_section: Some(config::section::is_trusted),
                 lossy_config: None,
+                bail_if_untrusted: false,
             },
             git_sec::Trust::Reduced => Options {
                 object_store_slots: git_odb::store::init::Slots::Given(32), // limit resource usage
                 replacement_objects: ReplacementObjects::Disable, // don't be tricked into seeing manufactured objects
                 permissions: Permissions::default_for_level(level),
                 git_dir_trust: git_sec::Trust::Reduced.into(),
                 filter_config_section: Some(config::section::is_trusted),
+                bail_if_untrusted: false,
                 lossy_config: None,
             },
         }
@@ -301,12 +314,8 @@ impl ThreadSafeRepository {
             filter_config_section,
             ref replacement_objects,
             lossy_config,
-            permissions:
-                Permissions {
-                    git_dir: ref git_dir_perm,
-                    ref env,
-                    config,
-                },
+            bail_if_untrusted,
+            permissions: Permissions { ref env, config },
         } = options;
         let git_dir_trust = git_dir_trust.expect("trust must be been determined by now");
 
@@ -344,7 +353,7 @@ impl ThreadSafeRepository {
             config,
         )?;
 
-        if **git_dir_perm != git_sec::ReadWrite::all() {
+        if bail_if_untrusted && git_dir_trust != git_sec::Trust::Full {
             check_safe_directories(&git_dir, git_install_dir.as_deref(), home.as_deref(), &config)?;
         }
 

git-repository/src/repository/permissions.rs

@@ -1,14 +1,10 @@
-use git_sec::{permission::Resource, Access, Trust};
+use git_sec::{Access, Trust};
 
 use crate::permission;
 
 /// Permissions associated with various resources of a git repository
 #[derive(Debug, Clone)]
 pub struct Permissions {
-    /// Control how a git-dir can be used.
-    ///
-    /// Note that a repository won't be usable at all unless read and write permissions are given.
-    pub git_dir: Access<Resource, git_sec::ReadWrite>,
     /// Permissions related to the environment
     pub env: Environment,
     /// Permissions related to the handling of git configuration.
@@ -90,7 +86,6 @@ impl Permissions {
     /// thus refusing all operations in it.
     pub fn strict() -> Self {
         Permissions {
-            git_dir: Access::resource(git_sec::ReadWrite::READ),
             env: Environment::all(),
             config: Config::all(),
         }
@@ -103,7 +98,6 @@ impl Permissions {
     /// anything else that could cause us to write into unknown locations or use programs beyond our `PATH`.
     pub fn secure() -> Self {
         Permissions {
-            git_dir: Access::resource(git_sec::ReadWrite::all()),
             env: Environment::all(),
             config: Config::all(),
         }
@@ -113,7 +107,6 @@ impl Permissions {
     /// does with owned repositories.
     pub fn all() -> Self {
         Permissions {
-            git_dir: Access::resource(git_sec::ReadWrite::all()),
             env: Environment::all(),
             config: Config::all(),
         }

git-repository/src/repository/snapshots.rs

@@ -101,7 +101,7 @@ impl crate::Repository {
                 match path.interpolate(git_config::path::interpolate::Context {
                     git_install_dir: Some(install_dir.as_path()),
                     home_dir: home.as_deref(),
-                    home_for_user: if self.options.permissions.git_dir.is_all() {
+                    home_for_user: if self.options.git_dir_trust.expect("trust is set") == git_sec::Trust::Full {
                         Some(git_config::path::interpolate::home_for_user)
                     } else {
                         None