
remove git binary dependency from the file:// protocol

Open dustin-decker opened this issue 6 years ago • 5 comments

My application is running from a scratch Docker image, which means the only executable in it is the statically compiled application binary.

When running r, err := git.Init(memory.NewStorage(), nil), this error is returned:

exec: "git": executable file not found in $PATH

This confused me for a bit because the project claims to be 'pure Go'.

After inspecting a bit more, I think it might have been introduced with https://github.com/src-d/go-git/commit/c128f5d680f59fd125cafd90f10e39eae5f3a135 but should not be a hard dependency and cause an error.

dustin-decker avatar May 31 '18 00:05 dustin-decker

@dustin-decker Thank you for taking the time to report this. It is definitely a bug.

There is one case where go-git uses an external git binary: to push/pull from local repositories with file:// URLs. It is not expected to require a git binary in other cases.

smola avatar Jun 01 '18 08:06 smola

Interesting, thanks for the info and the quick response. What would it take to replace that with a pure go implementation?

There have been a number of git RCE vulns usually related to config or hooks and triggered during some clone/pull/recursive operation:

https://nvd.nist.gov/vuln/detail/CVE-2018-11235
https://www.cvedetails.com/cve/CVE-2018-1000021/
https://www.cvedetails.com/cve/CVE-2017-1000117/
https://www.cvedetails.com/cve/CVE-2016-2324/
https://www.cvedetails.com/cve/CVE-2016-2315/

Some others prior to that, too.

It'd be nice to be able to avoid most of that surface area.

dustin-decker avatar Jun 01 '18 13:06 dustin-decker

@dustin-decker We have no hooks, and we have limited config support (e.g. no aliases), so a lot of that just does not apply to go-git.

It is currently possible to do a somewhat equivalent operation to push/pull in pure Go. We do it in borges: https://github.com/src-d/borges/blob/dbb671496e79be1d82adedd68e2f68930c3d7082/git.go#L400

As of today, it is considered a pretty advanced use case, but it would be possible to expose this in a more user-friendly way.

smola avatar Jun 01 '18 14:06 smola

I just had this in a bug report and I was thoroughly confused!

I work on a package manager/dependency tool that clones remote repositories to a cache directory, then clones the cached copy to the project root dependencies folder (equivalent of vendor in Go) for various technical reasons.

It would be great to regain dependency-less status again so consider this a use-case for that functionality!

Southclaws avatar Jul 03 '18 19:07 Southclaws

Is there any potential for this dependency to be removed? This was a surprise to me as well - I expected go-git to be pure Golang and not need the git binary at all.

I know this is likely a hard case, but it's tough when go-git is advertised as being pure Golang and the docs do not mention this exception. This significantly hurts the premise of replacing git completely; at the minimum, it should be documented for now.

bufdev avatar Jan 05 '20 17:01 bufdev