sassoftware / viya4-deployment

This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0

Suffering from GIT vulnerability CVE-2022-24765 ?? #212

Closed wweghe closed 2 years ago

wweghe commented 2 years ago

Hi, I'm running the Viya4-deployment project today (April 19th 2022) the exact same way as I did before. Whereas my docker run command used to work, today I have this error message:

"fatal: unsafe repository ('/viya4-deployment' is owned by someone else)\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /viya4-deployment"

When googling, I found this article, posted April 12th: https://github.blog/2022-04-12-git-security-vulnerability-announced/

Could it be that the Viya 4 deployment project is broken because of these changes? How can I fix the problem?

thpang commented 2 years ago

You can add a volume mount to the docker command that points to your $HOME/.git directory that has the config file addition you've listed. Having this mounted in the docker container will solve this issue. Docs and sample commands would need to be updated.

thpang commented 2 years ago

Hi @wweghe

Here's what you need to add to the docker cmd

-v $HOME/.gitconfig:/viya4-deployment/.gitconfig

The file $HOME/.gitconfig would then contain the needed [safe] item with the path to the repo location of the files. I am guessing in the docker container the entry would be: /viya4-deployment

thpang commented 2 years ago

The solution from your linked page would also work with the ENV variable:

If you can’t upgrade immediately, the most effective ways to reduce your risk are the following:

- Define the GIT_CEILING_DIRECTORIES environment variable to contain the parent directory of your user profile (i.e., /Users on macOS, /home on Linux, and C:\Users on Windows).
- Avoid running Git on multi-user machines when your current working directory is not within a trusted repository.

wweghe commented 2 years ago

Thanks @thpang, adding the extra volume to the .gitconfig did the trick for me!!

backbuu commented 2 years ago

I'm following https://communities.sas.com/t5/SAS-Communities-Library/What-to-do-when-Git-reports-Fatal-Unsafe-Repository/ta-p/808910

```
docker container run -it --env GIT_CEILING_DIRECTORIES=/viya4-deployment \
  --rm \
  --group-add root \
  --user $(id -u):$(id -g) \
  --volume /deployments:/data \
  --volume /home/azureuser/viya4-deployment/ansible-vars.yaml:/config/config \
  --volume /home/azureuser/viya4-iac-azure/terraform.tfstate:/config/tfstate \
  --volume $HOME/.ssh/id_rsa:/config/jump_svr_private_key \
  viya4-deployment --tags "baseline,viya,install"
```

It works :)

sayeun commented 2 years ago

This was fixed in https://github.com/sassoftware/viya4-deployment/releases/tag/4.12.1. Closing this issue.
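
The "unsafe repository" error in this thread comes from the ownership check Git added for CVE-2022-24765: a repository whose directory is owned by a different user is refused unless it is listed under `[safe]` in the user's config. The following is an added example, not code from this project or from Git, that models that decision in simplified form so a mounted `.gitconfig` can be checked before starting the container. The function names are hypothetical, the sample tree is constructed, and `GIT_CEILING_DIRECTORIES` handling is not modeled.

```python
import tempfile
from pathlib import Path

def safe_directories(gitconfig_text):
    """Collect every `directory` value under [safe] (the key is multi-valued)."""
    section, found = None, []
    for raw in gitconfig_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "safe" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "directory":
                found.append(value.strip('"'))
    return found

def find_worktree(start):
    """Walk upward from `start` to the first directory containing .git."""
    here = Path(start).resolve()
    for candidate in (here, *here.parents):
        if (candidate / ".git").exists():
            return candidate
    return None

def diagnose(start, uid, gitconfig_text=""):
    """Return 'no-repo', 'trusted', 'allowed-by-config' or 'unsafe'."""
    worktree = find_worktree(start)
    if worktree is None:
        return "no-repo"
    if worktree.stat().st_uid == uid:
        return "trusted"  # owner matches the calling user: Git proceeds
    allowed = safe_directories(gitconfig_text)
    # Simplification of this example: paths are resolved before comparing.
    if "*" in allowed or any(Path(d).resolve() == worktree for d in allowed if d != "*"):
        return "allowed-by-config"
    return "unsafe"  # the case behind "fatal: unsafe repository"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        repo = Path(tmp) / "viya4-deployment"
        (repo / ".git").mkdir(parents=True)
        owner = repo.stat().st_uid
        other = owner + 1  # assumed: the uid passed via --user differs
        cfg = f"[safe]\n\tdirectory = {repo}\n"
        for text in ("", cfg):
            print(diagnose(repo, other, text))
```

Pass the text of the `.gitconfig` you intend to mount and the uid you give to `--user`; a result of `unsafe` means the `[safe]` entry does not cover the repository path.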