some commands fail when the current directory's path includes spaces

[MichaelPeter-Shockoe]

Some commands, specifically at least git secret init and git secret reveal, encounter errors when the current directory's path contains any spaces. I personally avoid using spaces in directory names, but I am attempting to set up git-secret with our CI server and must work around the existing structure there.

What are the steps to reproduce this issue?

In place of the suggested sections, I will provide two full examples which I hope will show the issue clearly.

Note: both of these examples take place on a machine on which I am able to use git-secret without issue when the path does not contain a space

Example 1 - Initializing to a directory which contains a space

Here is the base case where I try to set up git-secret from scratch in a directory which already contains a space in the path

Example 2 - Calling git secret reveal from a directory which contains a space

Here, I first initialize git-secret and encrypt a file successfully in a directory with no spaces in the path so that I can get further along in the process. I then rename the directory to contain a space and try to call git secret reveal

Any other comments?

I inserted some logging and played with the code a bit, and I believe the issue is stemming from lines of the form

$($gpg_local ......)

A little research pointed me towards the use of eval for better interpretation of commands formed by concatenating strings, but I am not sure of the security implications around that command.

What versions of software are you using?

Operating system: macOS 10.13.3

Darwin -- 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

git-secret path: /usr/local/bin/git-secret

git-secret version: 0.2.2

git version: 2.11.1

Shell type and version: zsh 5.3 (x86_64-apple-darwin17.0)

gpg version: 2.2.5

[sobolevn]

@MichaelPeter-Shockoe Thanks for the detailed report.

Are you interested in providing a fix?

[MichaelPeter-Shockoe]

No problem. Unfortunately I don't have the bandwidth to commit time towards a fix right now though

[sobolevn]

@joshrabinowitz Could you please verify that this is still an issue?

[joshrabinowitz]

@sobolevn it is still an issue.

I see these issues so far:

• when we use gawk, spaces in the full path are confusing the shell, for example here: https://github.com/sobolevn/git-secret/blob/master/src/commands/git_secret_init.sh#L39 (_gawk_inplace is here: https://github.com/sobolevn/git-secret/blob/master/src/_utils/_git_secret_tools.sh#L209 )

• There are also problems when invoking gpg as @MichaelPeter-Shockoe mentioned.

[joshrabinowitz]

And here's the first error you'll encounter if you try to create a git-secret repo using a directory with spaces

% git clone git@example.com:repo.git 'checkout repo'

% cd 'checkout repo'

% git secret init
'/full/path/checkout repo/.gitsecret/' created.
gawk: cmd. line:3: fatal: cannot open file `/full/path/checkout' for reading (No such file or directory)
cleaning up...

[joshrabinowitz]

Can anyone provide tips fixing these issues? Not a bash master here (yet)

[sobolevn]

@joshrabinowitz you have to look for expression expansion issues. It generally means that we are missing "" quotes somewhere. Or something similar.

[joshrabinowitz]

Yeah, I've tried all sorts of quoting changes so far, I could use some specific guidance

[joshrabinowitz]

https://gist.github.com/joshrabinowitz/df397ef108c3b16bd2ba331fea78e54a

[joshrabinowitz]

Relevant:

http://mywiki.wooledge.org/Quotes

http://mywiki.wooledge.org/BashFAQ/050#I_only_want_to_pass_options_if_the_runtime_data_needs_them

• "You can use the ${var:+..} parameter expansion" (to build options at runtime)

I'm pretty sure this is extra important:

"rewrite the _get_gpg_local function to put those default arguments 
or whatever into an array instead. the way it is now it'll never work."- person on IRC

https://github.com/anordal/shellharden/blob/master/how_to_do_things_safely_in_bash.md

https://google.github.io/styleguide/shell.xml

[khromov]

Also affected by this. 😢

[joshrabinowitz]

I think we should release 0.2.4 without this fix (since we don't have the fix yet).

[joshrabinowitz]

This is fixed by PR #224, which should be in the next release

[sobolevn]

@joshrabinowitz thank you for your hard work! I know this was a challenging one. Awesome, that we got this fixed!

[joshrabinowitz]

@sobolevn you're quite welcome! Thanks for all your time and work writing and supporting git-secret.

[k-le]

Hi all! I just encountered this issue again, today, 08/07/22, after running git secret init.

Here's the terminal output:

myUser repo % git secret init
git-secret: init created: '/Users/myUser/GitLab Repos/Personal/repo/.gitsecret/'
gawk: cmd. line:3: fatal: cannot open file `/Users/myUser/GitLab' for reading: No such file or directory

I don't have a fix for this but just wanted to post that it's an issue that I am encountering again.

[joshrabinowitz]

confirmed regression on current master branch. current automated testing asserts that using spaces with files works, but we don't test the case when a parent directory contains spaces.

[joshrabinowitz]

Even though I closed this ticket some time ago, I don't think this actually was ever fixed for the case of spaces in parent directories (we did fix the case of spaces in filenames and directories in the git-secret repo).

I'm not sure how to fix the underlying problem which is an issue with quoting in the gawk code

[joshrabinowitz]

This is because (at the very least) the gawk scripts used in git-secret can't handle spaces in parent directory names.

To replicate:

mkdir 'test with space'

cd 'test with space'

git init
Initialized empty Git repository in /home/user/gitsrc/test with space/.git/

git secret init 
git-secret: init created: '/home/user/gitsrc/test with space/.gitsecret/'
gawk: cmd. line:3: fatal: cannot open file `/home/user/gitsrc/test' for reading (No such file or directory)

Note how it truncates the directory name at the first space

[joshrabinowitz]

@hurricanehrndz it looks like you're the original author of the awk code that git-secret depends on and is causing issues here. Can you possibly take a look and fix?