Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add note to submodules kata about security workaround #366

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add note to submodules kata about security workaround #366

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6425843
Add note to submodules kata about security workaround
JKrag Apr 26, 2024
b61c91c
Update submodules/README.md
JKrag Apr 26, 2024
14810d5
Update submodules/README.md
JKrag Apr 26, 2024
5579118
Merge branch 'master' into JKrag/submodule-security-note
JKrag Aug 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion submodules/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,17 @@ This allows you to grab source changes directly, as well as _pushing_ them back.

## Setup

> NOTE:
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol.
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script.
> `git config --global protocol.file.allow always`
>
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run:
> `git config --global --unset protocol.file.allow`
Comment on lines +8 to +14
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve the addition of the Git security workaround note.

The note clearly explains the necessary steps to adjust Git configuration due to the new security restriction. However, consider adding a warning about the potential security implications of enabling the protocol.file.allow setting globally.

Consider adding the following warning for clarity and safety:

+> WARNING: Enabling `protocol.file.allow` globally can expose your system to security risks. Only enable this setting when necessary and ensure to revert it as described.
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
> NOTE:
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol.
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script.
> `git config --global protocol.file.allow always`
>
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run:
> `git config --global --unset protocol.file.allow`
> NOTE:
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol.
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script.
> `git config --global protocol.file.allow always`
>
+> WARNING: Enabling `protocol.file.allow` globally can expose your system to security risks. Only enable this setting when necessary and ensure to revert it as described.
>
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run:
> `git config --global --unset protocol.file.allow`


1. Run `source setup.sh` (or `.\setup.ps1` in PowerShell)

> NOTE: If running setup.sh on windows, you can run into problems by sourcing the setup script. Instead, run `./setup.sh`, and the folders would be created correctly.
> NOTE: If running setup.sh on Windows, you can run into problems by sourcing the setup script. Instead, run `./setup.sh`, and the folders would be created correctly.

## The task

Expand Down
Loading