Permission controlled access to xdg config (#301)

Author: Byron

Cargo.lock

@@ -60,7 +60,7 @@ git-ref = { version = "^0.12.1", path = "../git-ref" }
 git-tempfile = { version = "^2.0.0", path = "../git-tempfile" }
 git-lock = { version = "^2.0.0", path = "../git-lock" }
 git-validate = { version ="^0.5.3", path = "../git-validate" }
-git-sec = { version = "^0.1.0", path = "../git-sec" }
+git-sec = { version = "^0.1.0", path = "../git-sec", features = ["thiserror"] }
 
 git-config = { version = "^0.2.1", path = "../git-config" }
 git-odb = { version = "^0.28.0", path = "../git-odb" }

git-repository/Cargo.toml

@@ -1,4 +1,5 @@
 use crate::bstr::BString;
+use crate::permission::EnvVarResourcePermission;
 
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
@@ -34,11 +35,16 @@ pub(crate) struct Cache {
     pub ignore_case: bool,
     /// The path to the user-level excludes file to ignore certain files in the worktree.
     pub excludes_file: Option<std::path::PathBuf>,
+    /// Define how we can use values obtained with `xdg_config(…)` and its `XDG_CONFIG_HOME` variable.
+    xdg_config_home_env: EnvVarResourcePermission,
+    /// Define how we can use values obtained with `xdg_config(…)`. and its `HOME` variable.
+    home_env: EnvVarResourcePermission,
     // TODO: make core.precomposeUnicode available as well.
 }
 
 mod cache {
     use std::convert::TryFrom;
+    use std::path::PathBuf;
 
     use git_config::{
         file::GitConfig,
@@ -47,9 +53,15 @@ mod cache {
 
     use super::{Cache, Error};
     use crate::bstr::ByteSlice;
+    use crate::permission::EnvVarResourcePermission;
 
     impl Cache {
-        pub fn new(git_dir: &std::path::Path, git_install_dir: Option<&std::path::Path>) -> Result<Self, Error> {
+        pub fn new(
+            git_dir: &std::path::Path,
+            xdg_config_home_env: EnvVarResourcePermission,
+            home_env: EnvVarResourcePermission,
+            git_install_dir: Option<&std::path::Path>,
+        ) -> Result<Self, Error> {
             let config = GitConfig::open(git_dir.join("config"))?;
 
             let is_bare = config_bool(&config, "core.bare", false)?;
@@ -117,8 +129,26 @@ mod cache {
                 ignore_case,
                 hex_len,
                 excludes_file,
+                xdg_config_home_env,
+                home_env,
             })
         }
+
+        /// Return a path by using the `$XDF_CONFIG_HOME` or `$HOME/.config/…` environment variables locations.
+        pub fn xdg_config_path(
+            &self,
+            resource_file_name: &str,
+        ) -> Result<Option<PathBuf>, git_sec::permission::Error<PathBuf, git_sec::Permission>> {
+            std::env::var_os("XDG_CONFIG_HOME")
+                .map(|path| (path, &self.xdg_config_home_env))
+                .or_else(|| std::env::var_os("HOME").map(|path| (path, &self.home_env)))
+                .map(|(base, permission)| {
+                    let resource = std::path::PathBuf::from(base).join("git").join(resource_file_name);
+                    permission.check(resource).transpose()
+                })
+                .flatten()
+                .transpose()
+        }
     }
 
     fn config_bool(config: &GitConfig<'_>, key: &str, default: bool) -> Result<bool, Error> {

git-repository/src/config.rs

@@ -204,7 +204,6 @@ pub mod id;
 pub mod object;
 pub mod reference;
 mod repository;
-pub use repository::{permissions, permissions::Permissions};
 pub mod tag;
 
 /// The kind of `Repository`
@@ -243,6 +242,16 @@ pub fn open(directory: impl Into<std::path::PathBuf>) -> Result<crate::Repositor
     ThreadSafeRepository::open(directory).map(Into::into)
 }
 
+///
+pub mod permission {
+    use git_sec::permission::Resource;
+    use git_sec::Access;
+
+    /// A permission to control access to the resource pointed to an environment variable.
+    pub type EnvVarResourcePermission = Access<Resource, git_sec::Permission>;
+}
+pub use repository::permissions::Permissions;
+
 ///
 pub mod open;
 

git-repository/src/lib.rs

@@ -153,18 +153,28 @@ impl crate::ThreadSafeRepository {
         Options {
             object_store_slots,
             replacement_objects,
-            permissions,
+            permissions:
+                Permissions {
+                    git_dir: git_dir_perm,
+                    xdg_config_home,
+                    home,
+                },
         }: Options,
     ) -> Result<Self, Error> {
-        if *permissions.git_dir != git_sec::ReadWrite::all() {
+        if *git_dir_perm != git_sec::ReadWrite::all() {
             // TODO: respect `save.directory`, which needs more support from git-config to do properly.
             return Err(Error::UnsafeGitDir { path: git_dir });
         }
         // TODO: assure we handle the worktree-dir properly as we can have config per worktree with an extension.
         //       This would be something read in later as have to first check for extensions. Also this means
         //       that each worktree, even if accessible through this instance, has to come in its own Repository instance
         //       as it may have its own configuration. That's fine actually.
-        let config = crate::config::Cache::new(&git_dir, crate::path::install_dir().ok().as_deref())?;
+        let config = crate::config::Cache::new(
+            &git_dir,
+            xdg_config_home,
+            home,
+            crate::path::install_dir().ok().as_deref(),
+        )?;
         match worktree_dir {
             None if !config.is_bare => {
                 worktree_dir = Some(git_dir.parent().expect("parent is always available").to_owned());

git-repository/src/open.rs

@@ -42,7 +42,7 @@ impl crate::Repository {
 mod worktree;
 
 /// Various permissions for parts of git repositories.
-pub mod permissions;
+pub(crate) mod permissions;
 
 mod init;
 

git-repository/src/repository/mod.rs

@@ -1,3 +1,4 @@
+use crate::permission::EnvVarResourcePermission;
 use git_sec::permission::Resource;
 use git_sec::{Access, Trust};
 
@@ -7,6 +8,12 @@ pub struct Permissions {
     ///
     /// Note that a repository won't be usable at all unless read and write permissions are given.
     pub git_dir: Access<Resource, git_sec::ReadWrite>,
+    /// Control whether resources pointed to by `XDG_CONFIG_HOME` can be used when looking up common configuration values.
+    ///
+    /// Note that [`git_sec::Permission::Forbid`] will cause the operation to abort if a resource is set via the XDG config environment.
+    pub xdg_config_home: EnvVarResourcePermission,
+    /// Control if resources pointed to by the
+    pub home: EnvVarResourcePermission,
 }
 
 impl Permissions {
@@ -15,6 +22,8 @@ impl Permissions {
     pub fn strict() -> Self {
         Permissions {
             git_dir: Access::resource(git_sec::ReadWrite::empty()),
+            xdg_config_home: Access::resource(git_sec::Permission::Allow),
+            home: Access::resource(git_sec::Permission::Allow),
         }
     }
 
@@ -26,6 +35,8 @@ impl Permissions {
     pub fn secure() -> Self {
         Permissions {
             git_dir: Access::resource(git_sec::ReadWrite::all()),
+            xdg_config_home: Access::resource(git_sec::Permission::Allow),
+            home: Access::resource(git_sec::Permission::Allow),
         }
     }
 
@@ -34,6 +45,8 @@ impl Permissions {
     pub fn all() -> Self {
         Permissions {
             git_dir: Access::resource(git_sec::ReadWrite::all()),
+            xdg_config_home: Access::resource(git_sec::Permission::Allow),
+            home: Access::resource(git_sec::Permission::Allow),
         }
     }
 }

git-repository/src/repository/permissions.rs

@@ -22,6 +22,22 @@ pub mod open_index {
     }
 }
 
+///
+#[cfg(feature = "git-index")]
+pub mod excludes {
+    use std::path::PathBuf;
+
+    /// The error returned by [`Worktree::excludes()`][crate::Worktree::excludes()].
+    #[derive(Debug, thiserror::Error)]
+    #[allow(missing_docs)]
+    pub enum Error {
+        #[error("Could not read repository exclude.")]
+        Io(#[from] std::io::Error),
+        #[error(transparent)]
+        EnvironmentPermission(#[from] git_sec::permission::Error<PathBuf, git_sec::Permission>),
+    }
+}
+
 /// A structure to make the API more stuctured.
 pub struct Platform<'repo> {
     pub(crate) parent: &'repo Repository,
@@ -45,7 +61,7 @@ impl<'repo> crate::Worktree<'repo> {
         &self,
         index: &'a git_index::State,
         overrides: Option<git_attributes::MatchGroup<git_attributes::Ignore>>,
-    ) -> std::io::Result<git_worktree::fs::Cache<'a>> {
+    ) -> Result<git_worktree::fs::Cache<'a>, excludes::Error> {
         let repo = self.parent;
         let case = repo
             .config
@@ -57,7 +73,13 @@ impl<'repo> crate::Worktree<'repo> {
             overrides.unwrap_or_default(),
             git_attributes::MatchGroup::<git_attributes::Ignore>::from_git_dir(
                 repo.git_dir(),
-                repo.config.excludes_file.clone(), // TODO: read from XDG home and make it controllable how env vars are used via git-sec
+                repo.config
+                    .excludes_file
+                    .as_ref()
+                    .map(|p| Ok(Some(p.to_owned())))
+                    .or_else(|| repo.config.xdg_config_path("ignore").into())
+                    .transpose()?
+                    .flatten(),
                 &mut buf,
             )?,
             None,