update: add --submodule-init-config option
This option is necessary in some edge cases (including west's own test
suite) to work around new git behavior discussed in:

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

Since 'west update' uses 'git submodule update --init --recursive' to
clone submodules, users may run into problems in (likely rare)
situations where they are updating a submodule from a "remote"
repository which is actually a file on the local host with symlinks
under .git. In this case, the 'west update' will fail because the file
protocol is disallowed at the 'git submodule update' step.

We don't want to force users (including our own test suite...) to
allow this protocol globally, since upstream git is telling us that is
a security problem. But we do want to allow that protocol to be
enabled on a case-by-case basis within west when the repository is
known not to be malicious. This option allows us to do exactly that by
running:

  west update --submodule-init-config protocol.file.allow=always ...

Fixes: #619
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
mbolivar-nordic committed Jan 5, 2023
1 parent 140424d commit 9ba92b0
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions src/west/app/project.py
Expand Up @@ -795,6 +795,11 @@ def do_add_parser(self, parser_adder):
help='''proceed as if FILTER was appended to
manifest.group-filter; may be given multiple
times''')
group.add_argument('--submodule-init-config',
action='append', default=[],
help='''git configuration option to set when running
'git submodule init' in '<option>=<value>' format;
may be given more than once''')

group = parser.add_argument_group('deprecated options')
group.add_argument('-x', '--exclude-west', action='store_true',
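Review bot: The help string on the new `--submodule-init-config` argument says the option is set "when running 'git submodule init'", but the only place the value is used is the `git submodule update --init ... --recursive` call in `update_submodules`. Please word the help text to match, and say there that the setting also covers the clone and fetch of nested submodules, because that is the scope a user is accepting when passing something like `protocol.file.allow=always`.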
Expand Down Expand Up @@ -1011,20 +1016,26 @@ def update_submodules(self, project):
submodules = project.submodules
submodules_update_strategy = ('--rebase' if self.args.rebase
else '--checkout')
config_opts = []
for config_opt in self.args.submodule_init_config:
config_opts.extend(['-c', config_opt])

# For the list type, update given list of submodules.
if isinstance(submodules, list):
for submodule in submodules:
if self.sync_submodules:
project.git(['submodule', 'sync', '--recursive',
'--', submodule.path])
project.git(['submodule', 'update',
project.git(config_opts +
['submodule', 'update',
'--init', submodules_update_strategy,
'--recursive', submodule.path])
# For the bool type, update all project submodules
elif isinstance(submodules, bool):
if self.sync_submodules:
project.git(['submodule', 'sync', '--recursive'])
project.git(['submodule', 'update', '--init',
project.git(config_opts +
['submodule', 'update', '--init',
submodules_update_strategy, '--recursive'])

def update(self, project):
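Review bot: `config_opts` at the top of `update_submodules` is built from `self.args.submodule_init_config` and prepended for whichever `project` is passed in, so one command-line value applies to every project with submodules in the run, and via `--recursive` to their nested submodules, not only to the repository the user has judged safe. Since the commit message frames this as a case-by-case override, either document that scope in the option's help or limit it to the projects named on the command line. The entries are also passed to `git -c` without checking the '<option>=<value>' form; git treats a bare `-c name` as setting that key to true, so a missing `=` should be rejected with an error rather than forwarded.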