Sanitize git folder after each build
What does this MR do?
Cleans up the `.git` folder itself after each build to prevent any kind of poisoning that might happen during the build from carrying over into later jobs.
Why was this MR needed?
There are some attack vectors through Git that we want to protect against. By sanitizing the Git directory after each build, we minimize the attack surface.
What's the best way to test this MR?
Step 1: run a runner built off of main and observe that arbitrary code execution happens.
Run the following job on any branch in a test project. Be sure to use the shell executor so that the build environment is not ephemeral.
.gitlab-ci.yml

```yaml
job:
  script:
    # Only plant the hook once; if core.hooksPath is already set, stop here.
    - grep hooksPath .git/config && exit
    # Point the repository's hooks directory at a location inside the build directory.
    - echo "[core]" >> .git/config
    - echo " hooksPath = $CI_PROJECT_DIR/.git/evil" >> .git/config
    - mkdir -p "$CI_PROJECT_DIR/.git/evil/"
    # Write a post-checkout hook that will run on the next checkout in this build directory.
    - echo "#! /bin/sh" >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - echo "echo Executed evil code in post-checkout." >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - chmod +x "$CI_PROJECT_DIR/.git/evil/post-checkout"
  tags:
    - shell
```
Now run any job on any other branch on the same test project. You will see the code execution: the hook's output (`Executed evil code in post-checkout.`) appears in the job log.
Step 2: run a runner built off of this branch and observe that the code execution does not work.
(Be sure to clean the build folder left over from step 1.)
Run the same job as in step 1:
.gitlab-ci.yml

```yaml
job:
  script:
    # Only plant the hook once; if core.hooksPath is already set, stop here.
    - grep hooksPath .git/config && exit
    # Point the repository's hooks directory at a location inside the build directory.
    - echo "[core]" >> .git/config
    - echo " hooksPath = $CI_PROJECT_DIR/.git/evil" >> .git/config
    - mkdir -p "$CI_PROJECT_DIR/.git/evil/"
    # Write a post-checkout hook that will run on the next checkout in this build directory.
    - echo "#! /bin/sh" >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - echo "echo Executed evil code in post-checkout." >> "$CI_PROJECT_DIR/.git/evil/post-checkout"
    - chmod +x "$CI_PROJECT_DIR/.git/evil/post-checkout"
  tags:
    - shell
```
Ensure the job completes; this means the git config was tampered with.
Run another job off of a different branch on the same project and observe that the code execution does not happen.
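For reference, here is an added example of what "sanitizing the git folder" between jobs can look like as a standalone POSIX shell script. It is not the runner's own implementation from this MR; the function names `git_dir_tampered` and `sanitize_git_dir` are assumed, and the sample `.git` layout it builds is constructed inline. It detects the exact state the test job above leaves behind (a `core.hooksPath` override in `.git/config` and executable hook files) and then removes that persistent state so the next job on the same build directory starts from a clean hook configuration.

```sh
#!/bin/sh
# Added example (not gitlab-runner code): detect and remove hook-related state that a
# previous job could have planted in a persistent build directory's .git folder.

# Return 0 (true) if the .git directory under $1 shows signs of hook tampering:
# a core.hooksPath entry in .git/config, or an executable non-sample file in .git/hooks.
git_dir_tampered() {
  dir="$1"
  cfg="$dir/.git/config"
  if [ -f "$cfg" ] && grep -qi '^[[:space:]]*hooksPath[[:space:]]*=' "$cfg"; then
    return 0
  fi
  for f in "$dir"/.git/hooks/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sample) continue ;; esac   # git's own templates are inert
    [ -x "$f" ] && return 0
  done
  return 1
}

# Remove the state a previous job could have left behind:
#  1. strip any core.hooksPath line from .git/config (other config keys are preserved)
#  2. replace .git/hooks with an empty directory so no stale hook script survives
sanitize_git_dir() {
  dir="$1"
  [ -d "$dir/.git" ] || return 0
  cfg="$dir/.git/config"
  if [ -f "$cfg" ]; then
    tmp="$cfg.tmp.$$"
    # grep -v exits 1 when every line was removed; that is still a valid (empty) result
    grep -vi '^[[:space:]]*hooksPath[[:space:]]*=' "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
  fi
  rm -rf "$dir/.git/hooks"
  mkdir -p "$dir/.git/hooks"
}

# Build a constructed sample layout that mirrors the test job above, so the
# script can be run offline: a hooksPath override plus an executable hook.
make_sample_build_dir() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.git/evil" "$dir/.git/hooks"
  printf '[core]\n\trepositoryformatversion = 0\n\thooksPath = %s/.git/evil\n' "$dir" \
    > "$dir/.git/config"
  printf '#!/bin/sh\necho Executed evil code in post-checkout.\n' \
    > "$dir/.git/evil/post-checkout"
  chmod +x "$dir/.git/evil/post-checkout"
  printf '%s' "$dir"
}

# Usage when run directly: sanitize the build directory given as the first argument,
# e.g. `sh sanitize.sh "$CI_PROJECT_DIR"` as a post-build step.
if [ -n "${1:-}" ]; then
  if git_dir_tampered "$1"; then
    echo "warning: hook tampering detected in $1/.git, sanitizing" >&2
  fi
  sanitize_git_dir "$1"
fi
```

Note that the hook directory planted under `.git/evil` is left on disk; once the `hooksPath` entry is gone, Git no longer looks there, and the empty `.git/hooks` directory means the default location carries nothing over either. A runner would additionally want to log the `git_dir_tampered` result, since a tampered config is itself a signal worth alerting on.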
What are the relevant issue numbers?
closes #27864 (closed)
Activity
mentioned in issue #27864 (closed)
added [Deprecated] Category:Runner, devops::verify, group::runner labels
added section::ops label
assigned to @jcaigitlab
requested review from @ggeorgiev_gitlab
changed milestone to %14.4
This looks good to me @jcaigitlab and your reasoning at #27864 (comment 679748185) makes sense.
Should this MR close #27864 (closed)?
added feature::enhancement, security labels
added type::bug label
@ggeorgiev_gitlab yes! it should close #27864 (closed). I'll update the description.
@ggeorgiev_gitlab looks like there was a network hiccup https://gitlab.com/gitlab-org/gitlab-runner/-/jobs/1626792323. Could you try re-running the build?
mentioned in commit c0cbccf2
added security-awards::nomination label
mentioned in issue #28583
added security-awards::awarded label and removed security-awards::nomination label
Congratulations @jcaigitlab, your Issue/Merge Request has been awarded! (Learn more about the Security Awards Program)
mentioned in merge request gitlab-com/www-gitlab-com!93926 (merged)
mentioned in issue #28783 (closed)
mentioned in merge request !3265 (merged)
mentioned in issue #3103