Add plugins folder to the safe.directory config in git
Description
Several warnings have been spotted in Discourse instances with the following message:
Error running git command: ["git", "rev-parse", "HEAD"] in /var/www/discourse/plugins/msgraph-poll-discourse-plugin : Discourse::Utils::CommandError : /var/www/discourse/lib/discourse.rb:138:in `exec': fatal: detected dubious ownership in repository at '/var/www/discourse/plugins/msgraph-poll-discourse-plugin'
To add an exception for this directory, call:
git config --global --add safe.directory /var/www/discourse/plugins/msgraph-poll-discourse-plugin
The error message fatal: detected dubious ownership in Git indicates that the current user does not own the Git repository folder. This can pose a security risk because Git will execute certain files within the .git folder, and if the folder is owned by a different user, there is a possibility of malicious code being executed. This prevents the Discourse UI from picking up the latest commit of each plugin by executing git rev-parse HEAD, so the commit hash is not shown in the UI.
It is not a blocker, but a warning.
A way to solve this is to bypass the ownership check by adding the repository folder to the safe.directory setting in the global Git config. This allows Git to trust the repository and execute the .git folder scripts even if it is owned by another user.
This can be solved with the command mentioned above; however, we need a more automated way of setting this config for every plugin that is added.
Possible solutions
In git version <= 2.30.2 (at the time, the running version), there is no way to apply the safe.directory configuration recursively, therefore we need something like:
find /var/www/discourse -name '.git' -type d -exec bash -c 'git config --global --add safe.directory "${0%/.git}"' {} \;
In git version >= 2.36, the * wildcard was added to achieve this (see https://github.blog/2022-04-18-highlights-from-git-2-36/ > look for safe.directory)