-
Notifications
You must be signed in to change notification settings - Fork 904
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add note to submodules kata about security workaround #366
base: master
Are you sure you want to change the base?
Conversation
As mentioned in #347, there is a new restriction in Git since 2.38.1 which means that we can only run this kata by temporarily loosening the security restrictions. Until we find a better solution, this at least adds a note with instructions.
WalkthroughThe recent update addresses a security issue by disabling the use of the file protocol for Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
Documentation and Community
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 2
Out of diff range and nitpick comments (1)
submodules/README.md (1)
Line range hint
24-24
: Capitalize "GitHub" to adhere to the official naming convention.- e.g. github.com. + e.g. GitHub.com.
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
Out of diff range and nitpick comments (4)
submodules/README.md (4)
Line range hint
24-24
: Capitalize "GitHub" to refer to the platform properly.- e.g. github.com. + e.g. GitHub.com.
Line range hint
34-34
: Capitalize "ID" when referring to identification.- Where can you find the commit id shown in the `+Subproject commit ...` line? + Where can you find the commit ID shown in the `+Subproject commit ...` line?
Line range hint
50-50
: Add an article before "product".- We will make a clone of product to illustrate how submodules in a clone must be initialized. + We will make a clone of the product to illustrate how submodules in a clone must be initialized.
Line range hint
52-52
: Remove the repeated word "product".- Run `git clone product product_alpha`. + Run `git clone product_alpha`.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 1
Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Files selected for processing (1)
- submodules/README.md (1 hunks)
Additional comments not posted (1)
submodules/README.md (1)
18-18
: Approve the reformatting of the Windows setup instruction.The reformatted note enhances clarity and helps guide Windows users to execute the correct command, avoiding potential issues with the setup script.
> NOTE: | ||
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol. | ||
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script. | ||
> `git config --global protocol.file.allow always` | ||
> | ||
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run: | ||
> `git config --global --unset protocol.file.allow` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approve the addition of the Git security workaround note.
The note clearly explains the necessary steps to adjust Git configuration due to the new security restriction. However, consider adding a warning about the potential security implications of enabling the protocol.file.allow
setting globally.
Consider adding the following warning for clarity and safety:
+> WARNING: Enabling `protocol.file.allow` globally can expose your system to security risks. Only enable this setting when necessary and ensure to revert it as described.
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
> NOTE: | |
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol. | |
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script. | |
> `git config --global protocol.file.allow always` | |
> | |
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run: | |
> `git config --global --unset protocol.file.allow` | |
> NOTE: | |
> Unfortunately for us, 2.38.1 introduces a change (due to CVE-2022-39253) that disables git submodule add using the file protocol. | |
> as the setup script for this exercise relies on cloning a local repository, it will only work if you specifically allow this before running the script. | |
> `git config --global protocol.file.allow always` | |
> | |
+> WARNING: Enabling `protocol.file.allow` globally can expose your system to security risks. Only enable this setting when necessary and ensure to revert it as described. | |
> | |
> If you want to remove this "opening" afterward, you should wait until you are done with the whole exercise, and then run: | |
> `git config --global --unset protocol.file.allow` |
As mentioned in #347, there is a new restriction in Git since 2.38.1 which means that we can only run this kata by temporarily loosening the security restrictions.
Until we find a better solution, this at least adds a note with instructions.
Summary by CodeRabbit