testcfg: Fix building binaries as unprivileged user with Go 1.18+ (!4689) · Merge requests · GitLab.org / gitaly

Patrick Steinhardt requested to merge pks-ci-fix-unprivileged-building-of-binaries-go-1.18 into master Jul 07, 2022

Our CI pipelines execute tests as unprivileged user so that we can verify that all tests pass without any additional capabilities and that tests don't write any data into the source tree. This broke for our nightly jobs though with the recent update to Go 1.18 because we now fail to build the auxiliary Go binaries.

The root cause is a combination of two things:

- Go 1.18 started to query the repository for VCS information so
  that it can embed that information into the resulting Go binaries.

- Git has addressed CVE-2022-24765 and won't open repositories by
  default anymore that aren't owned by the current user.

So when testing with recent Go and Git versions as unprivileged user then Go will try to extract the VCS information, but Git will refuse to operate.

Fix this by declaring the source directory as "safe". While this is not necessarily the case, it doesn't compromise our security any more than before: if an adversary was able to write to the .git/config file, then the very same adversary would also able to just touch up the source code of Gitaly itself. So that adversary could obtain arbitrary code execution by just changing whatever is executed as part of our tests.

testcfg: Fix building binaries as unprivileged user with Go 1.18+

Merge request reports