author | Kunal Mehta <legoktm@member.fsf.org> | 2017-12-02 23:19:24 -0800 |
---|---|---|
committer | Kunal Mehta <legoktm@member.fsf.org> | 2017-12-02 23:19:24 -0800 |
commit | 0d1a6a4d1fa18ee1048f9794fb497eda1c2b28df (patch) | |
tree | f88389c57bd5f908e9a958e9b2e0f230c122f3a8 /includes/GitInfo.php | |
parent | 808e45d13d400256d36cfcd95e79a567197d9a8b (diff) | |
GitInfo: Fix shell restrictions for submodules
Submodules have their git directory in the master repository's directory
(../.git/modules/<name>). firejail does not allow whitelisted paths to
have ".." in them, so use realpath() to get rid of that.
`git show` still wants to be able to access the main repository
directory though, so we also need to whitelist the $repoDir itself.
Bug: T181919
Change-Id: I928df92b47733bc7fbb9c796bcfc1504d4a4598c
Diffstat (limited to 'includes/GitInfo.php')
-rw-r--r-- | includes/GitInfo.php | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/includes/GitInfo.php b/includes/GitInfo.php
index f170a025f7e0..fb75c256d6ab 100644
--- a/includes/GitInfo.php
+++ b/includes/GitInfo.php
@@ -38,6 +38,11 @@ class GitInfo {
 protected $basedir;
 /**
+ * Location of the repository
+ */
+ protected $repoDir;
+
+ /**
 * Path to JSON cache file for pre-computed git information.
 */
 protected $cacheFile;
@@ -58,6 +63,7 @@ class GitInfo {
 * @see precomputeValues
 */
 public function __construct( $repoDir, $usePrecomputed = true ) {
+ $this->repoDir = $repoDir;
 $this->cacheFile = self::getCacheFilePath( $repoDir );
 wfDebugLog( 'gitinfo', "Computed cacheFile={$this->cacheFile} for {$repoDir}"
@@ -230,10 +236,11 @@ class GitInfo {
 '--format=format:%ct',
 'HEAD',
 ];
+ $gitDir = realpath( $this->basedir );
 $result = Shell::command( $cmd )
- ->environment( [ 'GIT_DIR' => $this->basedir ] )
+ ->environment( [ 'GIT_DIR' => $gitDir ] )
 ->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
- ->whitelistPaths( [ $this->basedir ] )
+ ->whitelistPaths( [ $gitDir, $this->repoDir ] )
 ->execute();
 if ( $result->getExitCode() === 0 ) { |
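Review bot: The new `$repoDir` docblock in the first hunk does not say how this path differs from `$basedir`, which is the distinction the whole fix depends on. Something like `Location of the repository as passed to the constructor (the checkout, not its git directory)` plus a `@var string` line would make that explicit. I am inferring the checkout/git-directory split from the commit message and from `$basedir` being used as `GIT_DIR` in the last hunk. The class body continues outside the hunk.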
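Review bot: `realpath()` returns `false` when the path cannot be resolved, and in the third hunk that value goes unchecked into both `GIT_DIR` and `whitelistPaths()`, so a missing or unreadable git directory would run git with an empty `GIT_DIR` and a bogus whitelist entry instead of failing cleanly. `$this->repoDir` is also whitelisted exactly as the caller supplied it, so a `$repoDir` containing `..` or a symlink would presumably hit the same firejail rejection the commit message describes for `$basedir`. I would resolve both and skip the shell call when either fails, e.g. `$repoDir = realpath( $this->repoDir );` followed by a guard on `$gitDir === false || $repoDir === false`. Whitelisting the whole checkout also widens what the sandboxed git process can read; whether that exposes anything sensitive depends on what `Shell::RESTRICT_DEFAULT` already hides, which is not visible here. The enclosing method starts and ends outside the hunk.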