
Support for safe.bareRepository explicit Git config #11855

Open
swissspidy opened this issue Feb 16, 2024 · 8 comments

@swissspidy

Context: https://github.com/justinsteven/advisories/blob/main/2022_git_buried_bare_repos_and_fsmonitor_various_abuses.md

Git introduced a safe.bareRepository configuration variable that allows users to forbid discovery of bare repositories by setting it to "explicit".

This happens to be the case on my system, which means Composer can't update dependencies anymore because it does use bare repositories.

To support this more strict setting, all Git commands executed by Composer would need to be run with --git-dir or the GIT_DIR environment variable. For example, git status will become either GIT_DIR=/path/to/my/repo git status or git --git-dir=/path/to/my/repo status

Is this something you would consider improving in Composer itself so that people using more strict Git settings can continue using Composer?

A temporary workaround right now is for me to disable this safe.bareRepository setting, but the corp system administrators would be not happy about that :-)


Here's an example error output of the update failing for me right now (from composer update -vvv):

Executing command (CWD): git clone --mirror -- 'https://github.com/ampproject/amp-wp' '/Users/pascalb/Library/Caches/composer/vcs/https---github.com-ampproject-amp-wp/'

...

Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-ampproject-amp-wp/): git remote set-url origin -- 'https://***:***@github.com/ampproject/amp-wp.git' && git remote show origin && git remote set-url origin -- 'https://github.com/ampproject/amp-wp.git'
Executing command (CWD): git --version
Failed to fetch root identifier from remote: Failed to execute git remote set-url origin -- 'https://ghp...CSG:x-oauth-basic@github.com/ampproject/amp-wp.git' && git remote show origin && git remote set-url origin -- 'https://github.com/ampproject/amp-wp.git'

fatal: cannot use bare repository '/Users/pascalb/Library/Caches/composer/vcs/https---github.com-ampproject-amp-wp' (safe.bareRepository is 'explicit')

...

Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-ampproject-amp-wp/): git show 'master':'composer.json'

In VcsRepository.php line 420:
                                                                                                                                    
  [Composer\Repository\InvalidRepositoryException]                                                                                  
  No valid composer.json was found in any branch or tag of https://github.com/ampproject/amp-wp, could not load a package from it.  
                                                                                                                                    
@Seldaek
Member

Seldaek commented Feb 22, 2024

Sounds reasonable, and shouldn't be too hard to switch from cwd to cwd + GIT_DIR env, which would also be BC for old git clients that may(?) not support the env var.

@Seldaek Seldaek added this to the 2.7 milestone Feb 22, 2024
@Seldaek Seldaek added the Bug label Feb 22, 2024
@krzysztof-ciszewski
Contributor

@Seldaek Unfortunately on Windows this will not work, so we need to use the --git-dir argument. I think that arg was added in 2005 so I don't think we need to worry about BC

@krzysztof-ciszewski
Contributor

@swissspidy could you provide an example composer.json to reproduce this issue? I'm struggling to reproduce it myself.

@swissspidy
Author

Sure!

I think it requires a repositories config and loading a dependency from that repository. Example:

{
    "name": "swissspidy/test",
    "require": {
        "swissspidy/media-experiments": "dev-main"
    },
    "repositories": [
        {
          "type": "vcs",
          "url": "https://github.com/swissspidy/media-experiments",
          "no-api": true
        }
    ]
}

@krzysztof-ciszewski
Contributor

@swissspidy Still could not recreate the issue; my git is up to date, my safe.bareRepository is set to explicit. I tried a regular composer install and it was successful. Then I pointed the package version to an older commit and ran update, and it went fine. After that I pointed at the newest commit and ran update once again; it worked fine. Could you check if you have that issue with the composer.json you posted? Also please provide your git version and composer version.

@swissspidy
Author

Hmm that's strange 🤔

I used that composer.json and ran composer update (no prior composer install) and the issue appeared right away.

Composer version 2.7.6 2024-05-04 23:03:15
PHP version 8.3.6
git version 2.45.0.rc1.225.g2a3ae87e7f-goog

From .gitconfig:

[url "git@github.com:"]
	pushInsteadOf = "https://github.com/"

[url "https://github.com/"]
	pullInsteadOf = "git@github.com":

[safe]
	bareRepository = explicit

When I run composer update -vvv:

$ composer update -vvv
Running 2.7.6 (2024-05-04 23:03:15) with PHP 8.3.6 on Darwin / 23.4.0
Reading ./composer.json (/private/tmp/composer-test/composer.json)
Loading config file /Users/pascalb/.composer/config.json
Loading config file /Users/pascalb/.composer/auth.json
Loading config file ./composer.json (/private/tmp/composer-test/composer.json)
Checked CA file /Users/pascalb/Workspace/GitHub/emsdk/python/3.9.2_64bit/lib/python3.9/site-packages/certifi/cacert.pem: valid
Executing command (/private/tmp/composer-test): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/private/tmp/composer-test): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/private/tmp/composer-test): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/private/tmp/composer-test): hg branch
Executing command (/private/tmp/composer-test): fossil branch list
Executing command (/private/tmp/composer-test): fossil tag list
Executing command (/private/tmp/composer-test): svn info --xml
Composer could not detect the root package (swissspidy/test) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Running cache garbage collection
Reading /Users/pascalb/.composer/composer.json (/Users/pascalb/dotfiles/composer/.composer/composer.json)
Loading config file /Users/pascalb/.composer/config.json
Loading config file /Users/pascalb/.composer/auth.json
Loading config file /Users/pascalb/.composer/composer.json (/Users/pascalb/dotfiles/composer/.composer/composer.json)
Reading /Users/pascalb/.composer/vendor/composer/installed.json
Loading plugin Ergebnis\Composer\Normalize\NormalizePlugin (from ergebnis/composer-normalize, installed globally)
Loading composer repositories with package information
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git rev-parse --git-dir
Executing command (CWD): git clone --mirror -- 'https://github.com/swissspidy/media-experiments' '/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/'
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git show-ref --tags --dereference
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git branch --no-color --no-abbrev -v
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git remote -v
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git remote set-url origin -- 'https://github.com/swissspidy/media-experiments' && git remote show origin && git remote set-url origin -- 'https://github.com/swissspidy/media-experiments'
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git remote set-url origin -- 'git@github.com:swissspidy/media-experiments' && git remote show origin && git remote set-url origin -- 'git@github.com:swissspidy/media-experiments'
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git remote set-url origin -- 'https://github.com/swissspidy/media-experiments' && git remote show origin && git remote set-url origin -- 'https://github.com/swissspidy/media-experiments'
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git remote set-url origin -- 'https://***:***@github.com/swissspidy/media-experiments.git' && git remote show origin && git remote set-url origin -- 'https://github.com/swissspidy/media-experiments.git'
Executing command (CWD): git --version
Failed to fetch root identifier from remote: Failed to execute git remote set-url origin -- 'https://ghp...CSG:x-oauth-basic@github.com/swissspidy/media-experiments.git' && git remote show origin && git remote set-url origin -- 'https://github.com/swissspidy/media-experiments.git'

fatal: cannot use bare repository '/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments' (safe.bareRepository is 'explicit')

Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git branch --no-color
Executing command (/Users/pascalb/Library/Caches/composer/vcs/https---github.com-swissspidy-media-experiments/): git show 'master':'composer.json'

In VcsRepository.php line 420:
                                                                                                                                               
  [Composer\Repository\InvalidRepositoryException]                                                                                             
  No valid composer.json was found in any branch or tag of https://github.com/swissspidy/media-experiments, could not load a package from it.  
                                                                                                                                               

Exception trace:
  at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Repository/VcsRepository.php:420
 Composer\Repository\VcsRepository->initialize() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Repository/ArrayRepository.php:308
 Composer\Repository\ArrayRepository->getPackages() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Repository/ArrayRepository.php:62
 Composer\Repository\ArrayRepository->loadPackages() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/DependencyResolver/PoolBuilder.php:425
 Composer\DependencyResolver\PoolBuilder->loadPackagesMarkedForLoading() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/DependencyResolver/PoolBuilder.php:275
 Composer\DependencyResolver\PoolBuilder->buildPool() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Repository/RepositorySet.php:331
 Composer\Repository\RepositorySet->createPool() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Installer.php:501
 Composer\Installer->doUpdate() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Installer.php:298
 Composer\Installer->run() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Command/UpdateCommand.php:251
 Composer\Command\UpdateCommand->execute() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/vendor/symfony/console/Command/Command.php:298
 Symfony\Component\Console\Command\Command->run() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/vendor/symfony/console/Application.php:1040
 Symfony\Component\Console\Application->doRunCommand() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/vendor/symfony/console/Application.php:301
 Symfony\Component\Console\Application->doRun() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Console/Application.php:394
 Composer\Console\Application->doRun() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/vendor/symfony/console/Application.php:171
 Symfony\Component\Console\Application->run() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/src/Composer/Console/Application.php:148
 Composer\Console\Application->run() at phar:///opt/homebrew/Cellar/composer/2.7.2/bin/composer/bin/composer:93
 require() at /opt/homebrew/Cellar/composer/2.7.2/bin/composer:29

krzysztof-ciszewski added a commit to krzysztof-ciszewski/composer that referenced this issue May 7, 2024
@krzysztof-ciszewski
Contributor

I still could not reproduce, but I created a potential fix. If you can clone my fork, first run global composer install and then run the one from repo: ./bin/composer in your composer.json example.

@swissspidy
Author

Hmm, so is the intention with that fix to only set GIT_DIR when the current working directory is a Git repo, or when the current command is a Git command? Because is_int(stripos($cwd, 'git ')) (see the space after git) seems to indicate the latter, but then it would need to use $command.

Plus, bare repos do not have a .git directory, so GIT_DIR just needs to be set to the repo directory itself, I think. See the advisory I linked to in my original post.

This works for me:

// $cwd is the directory Composer runs the command in (here the bare mirror clone);
// $command is the command string about to be executed.
if ($cwd && is_string($command) && is_int(stripos($command, 'git '))) {
    $env = ['GIT_DIR' => $cwd];
}
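The two ways of pointing git at a bare repository that this thread discusses (the GIT_DIR environment variable versus the --git-dir argument), as an added stand-alone Python model that is not Composer's code. It goes a little beyond the snippet above: the git-command check looks at the first token of each `&&`-joined segment instead of searching for the substring "git " anywhere in the string, and the --git-dir variant shows that the flag has to be inserted into every git invocation of a chained command such as the `set-url && show && set-url` sequence in the log, whereas GIT_DIR covers the whole chain at once. The paths and URL are constructed placeholders.

```python
import os
import shlex

# Constructed sample values shaped like the Composer log lines in this issue:
# a bare mirror clone as working directory and a chain of three git commands.
SAMPLE_CWD = "/tmp/composer-cache/vcs/https---example.invalid-org-repo"  # placeholder path
SAMPLE_COMMAND = (
    "git remote set-url origin -- 'https://example.invalid/org/repo' "
    "&& git remote show origin "
    "&& git remote set-url origin -- 'https://example.invalid/org/repo'"
)


def split_chain(command):
    """Tokenise a shell command string and split it on '&&' into segments."""
    segments, current = [], []
    for tok in shlex.split(command):
        if tok == "&&":
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    return segments


def is_git_command(command):
    """True when at least one segment of the chain invokes git as its program.

    Checking the first token avoids false positives such as 'echo git foo'
    that a substring search for 'git ' would produce, and correctly rejects
    the hg/svn/fossil probes Composer also runs.
    """
    return any(seg and seg[0] == "git" for seg in split_chain(command))


def env_for_bare_repo(command, cwd, base_env=None):
    """GIT_DIR strategy: name the bare repository through the environment.

    Only applied when a working directory is given and the command is a git
    command, mirroring the condition proposed in the thread. Because a bare
    repository has no .git subdirectory, GIT_DIR is the repository path itself.
    """
    env = dict(os.environ if base_env is None else base_env)
    if cwd and is_git_command(command):
        env["GIT_DIR"] = cwd
    return env


def with_git_dir_flag(command, cwd):
    """--git-dir strategy: rewrite every git invocation in an '&&' chain.

    Unlike the environment variable, the flag is per process, so each git
    segment of a chained command needs its own copy.
    """
    rewritten = []
    for seg in split_chain(command):
        if seg and seg[0] == "git":
            seg = ["git", "--git-dir=" + cwd] + seg[1:]
        rewritten.append(" ".join(shlex.quote(t) for t in seg))
    return " && ".join(rewritten)


if __name__ == "__main__":
    print("GIT_DIR env :", env_for_bare_repo(SAMPLE_COMMAND, SAMPLE_CWD, base_env={}))
    print("--git-dir   :", with_git_dir_flag(SAMPLE_COMMAND, SAMPLE_CWD))
    print("hg branch   :", env_for_bare_repo("hg branch", SAMPLE_CWD, base_env={}))
```

Either rewrite makes git treat the cache directory as an explicitly named repository, which is what safe.bareRepository=explicit requires; the discovery-based form (`cd` into the bare directory and run `git ...`) is exactly what that setting rejects. Commands Composer runs without a working directory, such as `git --version`, are left untouched because `cwd` is empty.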
