From 647c485a7670abbcc248f354956bb9372958ee93 Mon Sep 17 00:00:00 2001 
From: Frantisek Hrbata
Date: Wed, 22 Nov 2023 17:56:27 +0100
Subject: [PATCH 1/2] feat(docker): allow to add paths into git's safe.directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With 8959555cee7e[1] ("setup_git_directory(): add an owner check for the top..")
git added an ownership check of the git directory and refuses to run any git
commands, even parsing the config file, if the git directory is not owned by
the current user. The "fatal: detected dubious ownership in repository" is
reported. This fixes CVE-2022-24765[2], which allows compromising a user
account.

On a multi-user system or e.g. on a shared file system, one user may create
a "rogue" git repository with e.g. core.fsmonitor set to an arbitrary command.
Another user may unwillingly execute this command by running e.g. git-diff or
git-status within the "rogue" git repository, which may be in one of the parent
directories. If e.g. PS1 is set to display information about a git repository
in CWD, as suggested in Git in Bash[3], the user does not need to run any git
command to trigger this, just entering some subdirectory under this "rogue"
git repository is enough, because the git command will be started
transparently through the script used in PS1. The core.fsmonitor can be set to
an arbitrary command. Its purpose is to help git to identify changed files and
speed up the scanning for changed files.

rogue
├── .git        # owned by user1
└── dir1        # owned by user2
    ├── dir2    # owned by user2
    └── .git    # owned by user2

user1 sets core.fsmonitor for git repository in rogue directory

$ git config --add core.fsmonitor "bash -c 'rm -rf \$HOME'"

user2 enters dir1 and runs e.g. git diff and triggers the core.fsmonitor
command.

The ownership check may cause problems when running git commands in ESP-IDF
Docker container. For example user may run the container as root, but the
mounted project may be owned by a particular user.
In this case git will refuse to execute any git command within the "/project"
directory, because it's not owned by root. To overcome this, git allows setting
safe.directories, for which the ownership check is skipped. The security check
may be completely disabled by setting safe.directories to "*". This solution
was proposed in PR 12636[4], but it would make it possible to exploit this
vulnerability again.

This fix allows the user to specify git's safe.directory in the
IDF_GIT_SAFE_DIR environmental variable, which may be set during container
startup. The IDF_GIT_SAFE_DIR has the same format as PATH and multiple
directories can be specified by using a ":" separator. To entirely disable
this git security check within the container, the user may set
IDF_GIT_SAFE_DIR='*'. This might be helpful in CI.

Closes https://github.com/espressif/esp-idf/pull/12636

[1] - https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
[2] - https://nvd.nist.gov/vuln/detail/cve-2022-24765
[3] - https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
[4] - https://github.com/espressif/esp-idf/pull/12636

Signed-off-by: Frantisek Hrbata
---
 docs/en/api-guides/tools/idf-docker-image.rst |  4 ++++
 tools/docker/entrypoint.sh                    | 14 ++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/docs/en/api-guides/tools/idf-docker-image.rst b/docs/en/api-guides/tools/idf-docker-image.rst
index edb751a688..81901647bf 100644
--- a/docs/en/api-guides/tools/idf-docker-image.rst
+++ b/docs/en/api-guides/tools/idf-docker-image.rst
@@ -66,6 +66,10 @@ The above command explained: - ``espressif/idf``: uses Docker image ``espressif/idf`` with tag ``latest``. The ``latest`` tag is implicitly added by Docker when no tag is specified. - ``idf.py build``: runs this command inside the container. +.. note:: + + When the mounted directory, ``/project``, contains a git repository owned by a different user (``UID``) than the one running the Docker container, git commands executed within ``/project`` might fail, displaying an error message ``fatal: detected dubious ownership in repository at '/project'``. To resolve this issue, you can designate the ``/project`` directory as safe by setting the IDF_GIT_SAFE_DIR environment variable during the docker container startup. For instance, you can achieve this by including ``-e IDF_GIT_SAFE_DIR='/project'`` as a parameter. Additionally, multiple directories can be specified by using a ``:`` separator. To entirely disable this git security check, ``*`` can be used. + To build with a specific Docker image tag, specify it as ``espressif/idf:TAG``, for example: .. code-block:: bash diff --git a/tools/docker/entrypoint.sh b/tools/docker/entrypoint.sh index 7cf15f1917..513b3ba00d 100755 --- a/tools/docker/entrypoint.sh +++ b/tools/docker/entrypoint.sh @@ -1,6 +1,20 @@ #!/usr/bin/env bash set -e +# IDF_GIT_SAFE_DIR has the same format as system PATH environment variable. +# All path specified in IDF_GIT_SAFE_DIR will be added to user's +# global git config as safe.directory paths. For more information +# see git-config manual page. +if [ -n "${IDF_GIT_SAFE_DIR+x}" ] +then + echo "Adding following directories into git's safe.directory" + echo "$IDF_GIT_SAFE_DIR" | tr ':' '\n' | while read -r dir + do + git config --global --add safe.directory "$dir" + echo " $dir" + done +fi + . $IDF_PATH/export.sh exec "$@" From 43bfffd85e2397920a79568f222f0af057ad2f9f Mon Sep 17 00:00:00 2001 
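Review bot: in the ``.. note::`` added to docs/en/api-guides/tools/idf-docker-image.rst, IDF_GIT_SAFE_DIR is the only identifier left without literal markup while ``/project``, ``UID``, ``:`` and ``*`` all get it; write it as ``IDF_GIT_SAFE_DIR`` for consistency. The closing sentence "To entirely disable this git security check, ``*`` can be used." would also benefit from what the commit message already states: the check exists because of CVE-2022-24765, so ``*`` reinstates that exposure inside the container and is only appropriate where the mounted tree is trusted, for example a throwaway CI job, not as a general convenience.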
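Review bot: in tools/docker/entrypoint.sh the guard `if [ -n "${IDF_GIT_SAFE_DIR+x}" ]` only tests that the variable is set, so `-e IDF_GIT_SAFE_DIR=` (empty), or any value with a leading, trailing or doubled `:`, feeds an empty `dir` to `git config --global --add safe.directory "$dir"` and registers an empty safe.directory entry while still printing the "Adding following directories" banner. Test the value rather than the set-ness (`if [ -n "$IDF_GIT_SAFE_DIR" ]`) and skip blank fields inside the loop (`[ -n "$dir" ] || continue`) so only the directories the operator actually named are whitelisted. The comment "All path specified in IDF_GIT_SAFE_DIR" should read "All paths specified".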
From: mofeifei
Date: Tue, 28 Nov 2023 17:39:06 +0800
Subject: [PATCH 2/2] docs: update cn trans idf-docker-image

---
 docs/en/api-guides/tools/idf-docker-image.rst    | 2 +-
 docs/zh_CN/api-guides/tools/idf-docker-image.rst | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/en/api-guides/tools/idf-docker-image.rst b/docs/en/api-guides/tools/idf-docker-image.rst
index 81901647bf..12a9bc7520 100644
--- a/docs/en/api-guides/tools/idf-docker-image.rst
+++ b/docs/en/api-guides/tools/idf-docker-image.rst
@@ -68,7 +68,7 @@ The above command explained: .. note:: - When the mounted directory, ``/project``, contains a git repository owned by a different user (``UID``) than the one running the Docker container, git commands executed within ``/project`` might fail, displaying an error message ``fatal: detected dubious ownership in repository at '/project'``. To resolve this issue, you can designate the ``/project`` directory as safe by setting the IDF_GIT_SAFE_DIR environment variable during the docker container startup. For instance, you can achieve this by including ``-e IDF_GIT_SAFE_DIR='/project'`` as a parameter. Additionally, multiple directories can be specified by using a ``:`` separator. To entirely disable this git security check, ``*`` can be used. + When the mounted directory, ``/project``, contains a git repository owned by a different user (``UID``) than the one running the Docker container, git commands executed within ``/project`` might fail, displaying an error message ``fatal: detected dubious ownership in repository at '/project'``. To resolve this issue, you can designate the ``/project`` directory as safe by setting the IDF_GIT_SAFE_DIR environment variable during the Docker container startup. For instance, you can achieve this by including ``-e IDF_GIT_SAFE_DIR='/project'`` as a parameter. Additionally, multiple directories can be specified by using a ``:`` separator. To entirely disable this git security check, ``*`` can be used. To build with a specific Docker image tag, specify it as ``espressif/idf:TAG``, for example: diff --git a/docs/zh_CN/api-guides/tools/idf-docker-image.rst b/docs/zh_CN/api-guides/tools/idf-docker-image.rst index c87bb7e9b2..c15aab2e65 100644 --- a/docs/zh_CN/api-guides/tools/idf-docker-image.rst +++ b/docs/zh_CN/api-guides/tools/idf-docker-image.rst 
@@ -66,6 +66,10 @@ IDF Docker 镜像 (``espressif/idf``) 为使用特定版本的 ESP-IDF 自动化 - ``espressif/idf``:使用标签为 ``latest`` 的 Docker 镜像 ``espressif/idf``。未指定标签时,Docker 会隐式添加 ``latest`` 标签。 - ``idf.py build``:在容器内运行此命令。 +.. note:: + + 如果挂载目录 ``/project`` 包含的 git 仓库的用户 (``UID``) 不同于运行 Docker 容器的用户,在 ``/project`` 中执行 git 命令可能会失败,并显示错误信息 ``fatal: detected dubious ownership in repository at '/project'``。如需解决此问题,可以在启动 Docker 容器时设置 IDF_GIT_SAFE_DIR 环境变量,将 ``/project`` 目录指定为安全目录。例如,可以将 ``-e IDF_GIT_SAFE_DIR='/project'`` 作为参数包含,还可以使用分隔符 ``:`` 指定多个目录,或使用 ``*`` 完全禁用此项 git 安全检查。 + 要以特定 Docker 镜像标签进行构建,请将其指定为 ``espressif/idf:TAG``,示例如下: .. code-block:: bash
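Review bot: the hunk against docs/en/api-guides/tools/idf-docker-image.rst changes the English text ("during the docker container startup" becomes "during the Docker container startup"), but the subject line "docs: update cn trans idf-docker-image" only announces the Chinese translation; either mention the English capitalization fix in the commit message or move it into its own commit so the history matches the diff.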