Bundler does not work with git config "safe.bareRepository=explicit" #7515

Open
akefeli opened this issue Mar 15, 2024 · 3 comments

akefeli commented Mar 15, 2024

Describe the problem as clearly as you can

We have a security policy that sets the safe.bareRepository flag to explicit due to this exploit.
When it is set to explicit, bundler does not work with git gems. Bundler clones the repo fine, but none of the subsequent git commands work because it is a bare repo.

According to this doc, you can specify a GIT_DIR env to explicitly state the repository; however when I tried to pass that to GIT_DIR=<path to cloned repo> bundle install, I kept getting the same error. But this requires knowing the repository path ahead of time, I was only able to pass this because I had already cached the repo. Another option is passing the path via --git-dir.

Maybe bundler can explicitly pass the --git-dir for its git subcommands? Or is there a way to tell the bundler to clone the repo in "non-bare" form?

Did you try upgrading rubygems & bundler?

Both are latest

Post steps to reproduce the problem

git config --global --add safe.bareRepository explicit

# Add any github gem with `git` url
bundler add pdf-core --git https://github.com/prawnpdf/pdf-core

Fetching https://github.com/prawnpdf/pdf-core
fatal: cannot use bare repository '/usr/local/X/home/Y/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/cache/bundler/git/pdf-core-b72ffa5889bfc3d60ca579f17b4362d72473a979' (safe.bareRepository is 'explicit')

If not included with the output of your command, run bundle env and paste the output below

Bundler       2.5.6
  Platforms   ruby, x86_64-linux
Ruby          3.2.1p31 (2023-02-08 revision 31819e82c88c6f8ecfaeb162519bfa26a14b21fd) [x86_64-linux]

RubyGems      3.5.6

Tools         
  Git         2.44.0
  RVM         not installed
  rbenv       rbenv 1.1.2
  chruby      not installed

@deivid-rodriguez (Member)

Hi, thanks for letting us know!

I think explicitly passing --git-dir to git subcommands that run on bare repos may work. Care to give it a try?

akefeli commented Mar 19, 2024

> Hi, thanks for letting us know!
>
> I think explicitly passing --git-dir to git subcommands that run on bare repos may work. Care to give it a try?

It does work when I manually run it. But I'm not sure how to make the bundler pass those arguments?

@deivid-rodriguez (Member)

You'd want to look into git_proxy.rb, which is where Bundler interacts with the git client.
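
The approach discussed in this thread, naming the bare cache with `--git-dir` instead of relying on discovery from the working directory, as an added example that is not Bundler's code and not part of any comment above. The helper names, the `POLICY_ENV` constant and the cache path are hypothetical; the policy is applied only to the child git processes through git's `GIT_CONFIG_*` environment variables.

```ruby
require "open3"
require "tmpdir"

# Constructed policy: apply safe.bareRepository=explicit to child git processes
# only, through git's GIT_CONFIG_* environment variables (no global config change).
POLICY_ENV = {
  "GIT_CONFIG_COUNT"   => "1",
  "GIT_CONFIG_KEY_0"   => "safe.bareRepository",
  "GIT_CONFIG_VALUE_0" => "explicit",
}.freeze

# Hypothetical helper: build the argv for a git command against a bare cache.
# explicit: true names the repository with --git-dir; explicit: false relies on
# discovery from the working directory (-C), which the policy rejects.
def git_argv(repo, args, explicit: true)
  prefix = explicit ? ["--git-dir=#{repo}"] : ["-C", repo.to_s]
  ["git", *prefix, *args]
end

# Run the command under the policy; returns [combined output, success?].
def run_git(repo, args, explicit: true)
  out, status = Open3.capture2e(POLICY_ENV, *git_argv(repo, args, explicit: explicit))
  [out.strip, status.success?]
rescue Errno::ENOENT
  ["git not found", false]
end

def git_available?
  system("git", "--version", out: File::NULL, err: File::NULL) ? true : false
end

# Create a throwaway bare repository and query it both ways.
def demo
  Dir.mktmpdir("bare-cache") do |tmp|
    bare = File.join(tmp, "pdf-core-cache.git") # constructed path
    system("git", "init", "--quiet", "--bare", bare) or raise "git init failed"
    query = ["rev-parse", "--is-bare-repository"]
    { implicit: run_git(bare, query, explicit: false),
      explicit: run_git(bare, query, explicit: true) }
  end
end

if git_available?
  demo.each { |mode, (out, ok)| puts "#{mode}: ok=#{ok} #{out}" }
end
```

On a git version that honours `safe.bareRepository`, the implicit call fails with the same "cannot use bare repository" error shown in the report, while the `--git-dir` call succeeds.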
