git-secret
git-secret copied to clipboard
sobolevn
some commands fail when the current directory's path includes spaces
Some commands, specifically at least git secret init and git secret reveal, encounter errors when the current directory's path contains any spaces. I personally avoid using spaces in directory names, but I am attempting to set up git-secret with our CI server and must work around the existing structure there.
What are the steps to reproduce this issue?
In place of the suggested sections, I will provide two full examples which I hope will show the issue clearly.
Note: both of these examples take place on a machine on which I am able to use git-secret without issue when the path does not contain a space
Example 1 - Initializing to a directory which contains a space
Here is the base case where I try to set up git-secret from scratch in a directory which already contains a space in the path
Example 2 - Calling git secret reveal from a directory which contains a space
Here, I first initialize git-secret and encrypt a file successfully in a directory with no spaces in the path so that I can get further along in the process. I then rename the directory to contain a space and try to call git secret reveal
Any other comments?
I inserted some logging and played with the code a bit, and I believe the issue is stemming from lines of the form
$($gpg_local ......)
A little research pointed me towards the use of eval for better interpretation of commands formed by concatenating strings, but I am not sure of the security implications around that command.
What versions of software are you using?
Operating system: macOS 10.13.3
Darwin -- 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64
git-secret path: /usr/local/bin/git-secret
git-secret version: 0.2.2
git version: 2.11.1
Shell type and version: zsh 5.3 (x86_64-apple-darwin17.0)
gpg version: 2.2.5
@MichaelPeter-Shockoe Thanks for the detailed report.
Are you interested in providing a fix?
No problem. Unfortunately I don't have the bandwidth to commit time towards a fix right now though
@sobolevn it is still an issue.
I see these issues so far:
-
when we use gawk, spaces in the full path are confusing the shell, for example here: https://github.com/sobolevn/git-secret/blob/master/src/commands/git_secret_init.sh#L39 (
_gawk_inplaceis here: https://github.com/sobolevn/git-secret/blob/master/src/_utils/_git_secret_tools.sh#L209 ) -
There are also problems when invoking gpg as @MichaelPeter-Shockoe mentioned.
And here's the first error you'll encounter if you try to create a git-secret repo using a directory with spaces
% git clone [email protected]:repo.git 'checkout repo'
% cd 'checkout repo'
% git secret init
'/full/path/checkout repo/.gitsecret/' created.
gawk: cmd. line:3: fatal: cannot open file `/full/path/checkout' for reading (No such file or directory)
cleaning up...
Can anyone provide tips fixing these issues? Not a bash master here (yet)
@joshrabinowitz you have to look for expression expansion issues. It generally means that we are missing "" quotes somewhere. Or something similar.
Yeah, I've tried all sorts of quoting changes so far, I could use some specific guidance
https://gist.github.com/joshrabinowitz/df397ef108c3b16bd2ba331fea78e54a
Relevant:
http://mywiki.wooledge.org/Quotes
http://mywiki.wooledge.org/BashFAQ/050#I_only_want_to_pass_options_if_the_runtime_data_needs_them
- "You can use the ${var:+..} parameter expansion" (to build options at runtime)
I'm pretty sure this is extra important:
"rewrite the _get_gpg_local function to put those default arguments
or whatever into an array instead. the way it is now it'll never work."- person on IRC
https://github.com/anordal/shellharden/blob/master/how_to_do_things_safely_in_bash.md
https://google.github.io/styleguide/shell.xml
I think we should release 0.2.4 without this fix (since we don't have the fix yet).
@joshrabinowitz thank you for your hard work! I know this was a challenging one. Awesome, that we got this fixed!
@sobolevn you're quite welcome! Thanks for all your time and work writing and supporting git-secret.
Hi all! I just encountered this issue again, today, 08/07/22, after running git secret init.
Here's the terminal output:
myUser repo % git secret init
git-secret: init created: '/Users/myUser/GitLab Repos/Personal/repo/.gitsecret/'
gawk: cmd. line:3: fatal: cannot open file `/Users/myUser/GitLab' for reading: No such file or directory
I don't have a fix for this but just wanted to post that it's an issue that I am encountering again.
confirmed regression on current master branch.
current automated testing asserts that using spaces with files works,
but we don't test the case when a parent directory contains spaces.
Even though I closed this ticket some time ago, I don't think this actually was ever fixed for the case of spaces in parent directories (we did fix the case of spaces in filenames and directories in the git-secret repo).
I'm not sure how to fix the underlying problem which is an issue with quoting in the gawk code
This is because (at the very least) the gawk scripts used in git-secret can't handle spaces in parent directory names.
To replicate:
mkdir 'test with space'
cd 'test with space'
git init
Initialized empty Git repository in /home/user/gitsrc/test with space/.git/
git secret init
git-secret: init created: '/home/user/gitsrc/test with space/.gitsecret/'
gawk: cmd. line:3: fatal: cannot open file `/home/user/gitsrc/test' for reading (No such file or directory)
Note how it truncates the directory name at the first space
@hurricanehrndz it looks like you're the original author of the awk code that git-secret depends on and is causing issues here. Can you possibly take a look and fix?