`overwrite_existing: false` is not documented to let +x be set
Current behavior 😯
In gix_worktree_state::checkout::options, destination_is_initially_empty and overwrite_existing are documented as:
https://github.com/GitoxideLabs/gitoxide/blob/8d84818240d44e1f5fe78a231b5d9bffd0283918/gix-worktree-state/src/checkout/mod.rs#L50-L58
This is technically consistent with the behavior (mentioned in the PoC and Impact sections of GHSA-fqmf-w4xh-33rh, but not part of that vulnerability and not changed in #1764) that:
- When `destination_is_initially_empty: false`, executable permissions can be added to preexisting files, regardless of the value of `overwrite_existing`.
- When `destination_is_initially_empty: false` and `overwrite_existing: false`, executable permissions can be added to preexisting files whose contents would also change if the same checkout were done with `overwrite_existing: true`. That is, a combination of content and permissions that didn't exist in the repository can easily arise, with all options set to the default, in the presence of preexisting files.
However, this seems unintuitive, so I think it should be documented for at least one of those options in the documentation comment, probably for overwrite_existing.
In case this behavior is actually going to change soon, which might imaginably occur depending on what approach is taken for #1783 and #1784, for now I'm opening this issue rather than a PR to change the documentation.
Expected behavior 🤔
See above.
Git behavior
Not directly applicable, because Git doesn't have these specific options. However, overwrite_existing: true is documented to cause a checkout similar in kind to git checkout --force. When git checkout is run without --force under a circumstance where --force would be needed to change contents, it likewise declines to change executable permissions.
Steps to reproduce 🕹
Although this issue is distinct from GHSA-fqmf-w4xh-33rh and from #1784, the procedures to reproduce either of them, with any recent version of gix-worktree-state and other crates, will also show that overwrite_existing can be false and a nonexclusive checkout still changes permissions (+x).
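The Git reference behavior described under "Git behavior" above, as an added shell example that is not part of the original issue and is not gitoxide code. The branch names, file name and contents are constructed; it assumes `git` is installed and the temporary directory is on a filesystem that honors executable bits.

```shell
#!/usr/bin/env bash
# Constructed demo: an unforced `git checkout` that would have to overwrite
# local content changes nothing, including the executable bit.
demo_git_checkout_modes() {
    local repo rc
    repo=$(mktemp -d) || return 1
    (
        set -e
        cd "$repo"
        git init -q .
        git config user.name demo
        git config user.email demo@example.invalid
        git config commit.gpgsign false
        git config core.fileMode true
        git symbolic-ref HEAD refs/heads/plain
        # Branch "plain": tool.sh is a regular, non-executable file.
        printf 'v1\n' > tool.sh
        git add tool.sh
        git commit -q -m 'add tool.sh, not executable'
        # Branch "exec": different content and the executable bit set.
        git checkout -q -b exec
        printf 'v2 executable\n' > tool.sh
        chmod +x tool.sh
        git add tool.sh
        git commit -q -m 'change tool.sh and make it executable'
        git checkout -q plain
        # Uncommitted local edit: the "preexisting file" of this demo.
        printf 'local edit\n' > tool.sh
        if git checkout -q exec 2>/dev/null; then
            echo "unforced=switched"
        else
            echo "unforced=refused"
        fi
        if [ -x tool.sh ]; then echo "unforced_x=yes"; else echo "unforced_x=no"; fi
        echo "unforced_content=$(cat tool.sh)"
        # With --force, content and mode are replaced together.
        git checkout -q --force exec
        if [ -x tool.sh ]; then echo "forced_x=yes"; else echo "forced_x=no"; fi
        echo "forced_content=$(cat tool.sh)"
    )
    rc=$?
    rm -rf "$repo"
    return "$rc"
}

demo_git_checkout_modes
```

The unforced checkout leaves both the local content and the non-executable mode in place; only the forced checkout produces the committed content together with `+x`.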
Thanks a lot for reporting!
I would also expect that if overwrite_existing: false, it won't change any aspect of these pre-existing files.
It is my hope that once this is revised, overwrite_existing and destination_is_initially_empty can entirely be removed to make this a special case of an initial clone/checkout.
The proper reset will take its place and be taught to safely materialize a Git tree into any directory.