From patchwork Sat May 18 10:32:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667558 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE43B199B8 for ; Sat, 18 May 2024 10:32:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028374; cv=none; b=tiUYoZbgH+vlbmK2UqTMsYI48nst6Wu/MfM8XjTeDMjb4N33r2xFehXuI/QrAsCQZmzUACCxUEpuMaagvo49aAZQpaHlEdl7P9Vg5FO8yfEJY1YuqCMQCAQOEQAX4eLHlAUEZAFNsUbGrDa7fJhHkHqSxGou3MxggRvEVtPc0kQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028374; c=relaxed/simple; bh=eomBttJUDugeAh4/E/RHJ5Kl046QR71tdtyo18mV/ck=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=J7j6N4NQUu5cJeP238f25UapsW6EZVPpl2W5Cgg3I6xKdYFId7VOxPwsLyykJZ/AhWbSI8qGM0bb4HVkwnrG89m914UwhjDaae+4QsAWhtzs+EijWGxbk/iFpTEjvtXiv5i3X51yUlGdoM6VlvY3fDMrv9zVc/69kCVBvwAwMkg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=h1adBIfN; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="h1adBIfN" Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-420180b5922so11621865e9.2 for ; Sat, 18 May 2024 03:32:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028370; x=1716633170; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=Pa4ywTRMbTP0sOgRCz5rqk9gwHUD4hcDu9QhBPTQQ6M=; b=h1adBIfNKVEy9pa3GIG7syclZJmhCJHPxFvgN1K9DQ50oQcr4qVcN9UarDBiaYEXMs KhJnOs8W6ey7euJPWtW3C4Ix2LXynYoL42Nk8LxpDPV0f73SEnjl9ND1xxrNX1ftKIj1 oDUBz/ZJjPXiWIYsj5HIg3qoiGh7duLkjxExoq8jPmmOf3Dz+l1kWKE3z+TDQimhxIpv 1ZoKyC8TQHMbAPmT1UerGcHEgf17MUJtpFTUz4bMpXmLswJXqptXy/ks+YHK/+GsWT2u BV87M3Vndp6Y+10+Qb5DFsR9uaDExqUqIXpfCkzQp1IenpcWWFh1ahgaNIB9zhu2LIZy VSEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028370; x=1716633170; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Pa4ywTRMbTP0sOgRCz5rqk9gwHUD4hcDu9QhBPTQQ6M=; b=LMkx0bKghk5XhhMJJ2f+A+ikUZF6i/YHbg496nTYciPG0/qwfbEB+8zoS/MoUJg20F 3EWVJs/IqHLvyjQvnmhfYAgdaSmXtHIBgViGiT0/j4ntlyjGFVOrm/8OZl1jyEADi6b7 0V2aeKHBE1Dwbj2tiBtAd4QKqGCaZeKTm9f58CyHpCfCiaeTukBgA4Xd1QJ114BgTAJM 8OMSzcZRo4ktXZQyw4Wnz9zsiDTkoGUNzUgryjCmpzeUo/zLImsk4nL9p8ZmrT7fNNYl jjWYt/0HRSht4cuPJy3sgjFPFW5aEVTwh6edGQolHaAQbwzUOFzLz/BXbWX2Mh+fFK4f KTcA== X-Gm-Message-State: AOJu0Yy3iD8nnAX/B0BfPCEt4nkaIXDGE9e79ff2mQdF5myWkJhuwC7O 86QEqq/rlYemE832duXLVvoj1IwWf5HV0QkhTYqJWATm4n5W9gD1xYSjXA== X-Google-Smtp-Source: AGHT+IEIw5POsorhn6r3h0edgRUPqSl1l2RJaCCZgj62XjlxiCsiWoE9ZvBMVUKY1PBGl6mylTntqg== X-Received: by 2002:a05:600c:570a:b0:41c:b44:f917 with SMTP id 5b1f17b1804b1-41feaa443f6mr217454965e9.22.1716028370407; Sat, 18 May 2024 03:32:50 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502bbbc3e4sm23859920f8f.108.2024.05.18.03.32.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:50 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Sat, 18 May 2024 10:32:39 +0000 Subject: [PATCH v2 1/8] hook: plug a new memory leak Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin In 8db1e8743c0 (clone: prevent hooks from running during a clone, 2024-03-28), I introduced an inadvertent memory leak that was unfortunately not caught before v2.45.1 was released. Here is a fix. Signed-off-by: Johannes Schindelin --- hook.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hook.c b/hook.c index 632b537b993..fc974cee1d8 100644 --- a/hook.c +++ b/hook.c @@ -18,8 +18,10 @@ static int identical_to_template_hook(const char *name, const char *path) found_template_hook = access(template_path.buf, X_OK) >= 0; } #endif - if (!found_template_hook) + if (!found_template_hook) { + strbuf_release(&template_path); return 0; + } ret = do_files_match(template_path.buf, path); From patchwork Sat May 18 10:32:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667559 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F16621BC3C for ; Sat, 18 May 2024 10:32:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028375; cv=none; b=HGEGlQhhOPkm9VaPoK6FVpr9YciHmkqKJ6yPEyaTiYd8GWG6+gK1axlgoQ172rZMLUSYD61PISAEnEKK92U+/mfqnX0crVLgdRRrWIbu7TsUitIgtTX7goajLr02KSflQSQQch+WIVBNypTcHtWkx5GxoG7C1PKgw8U8dBbWuoc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028375; c=relaxed/simple; bh=g3mcr9oNJA2YWVKdqdh6JD9CfQ682VkR8dwEEitGi70=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=UGReGgCFppUPLCjoiBtc0U1gdA49ePAT5GKKuIzvKjq+uCwAUeGHvvt8Dt+QIULDSLY1IwkodjfhG2sTP4+8IgX+vk5DhIzfU6o+I/i7jV/3jqZ8aeQ2dchYsXhYJ7Nw5uai4FjDwNPYIRvqBEKjHuYKZLmZqq/Lp8LpfeS6D9Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=MmzsjJ0C; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="MmzsjJ0C" Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-4202ca70270so11596735e9.3 for ; Sat, 18 May 2024 03:32:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028372; x=1716633172; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=p3TcY6SNGMN9D4Tqo4JhzJB1VLG5CDwDx+Tm37TVHyE=; b=MmzsjJ0CTI7n0/bECOWE86dT1wRyyW++KQdAlfc236W+67+zEYHcETqeHeJ7Vf9yeL fe/XDFOR8osnCxytoo5i2mr5EMe4mrdOGvUi80PGbS025BJC8oOxFYlRG69ygdlJCvYD MJau6tvDI3Ds6mZA2+DbuZgBzlO8OHUA9p2CxQsw5dLqKjyxwVVkPJdcv7uEk95ApHU8 Vhj2ZoX1UIG4EhfX4ZyUdGhg6BMqthv2k9ckuE6odVFgT3RDre3pduaPJoaZ1ySRTVYg +ZMJwZ1gZL3F+4smghE7V3J5Km9c+WdNZ5r/6inQLca4dsbHQYde/5E+qL/k7h3hxCwb 6B2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028372; x=1716633172; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p3TcY6SNGMN9D4Tqo4JhzJB1VLG5CDwDx+Tm37TVHyE=; b=MPPWxU0nE9Kadzj4DWsZxiSp/naYcvt0q+bSKUyKC9d4HOJnITDu4T0pXhgHUq04Om JXQOhTU0FakpUPQBgkvUcA/abGoD2PhdlG2h2Q54yuSkUA/JfXy8LTEN/IcSttXLJ3aB gwnXlcj71z68lZz7iHoOO+l0ER1+WU9d9Y39COtjBc0camT/XdsYelJLpz4pYLJ+PnPN Nu8FDLu2Ad5z950NCy64W5LiizvBX4BiivEWcb5QYqLxK1Pq5zs3PtujHdgzS/2eeN2Q 0adOjhLDGAIzr0CYcvolg4Mf4KMZFr8I+TX73IFdvc3BwqoTdNX+Muro5/Jt2GIbKsil a8jw== X-Gm-Message-State: AOJu0YzyLNEyg39iA8zhiRauLGw+a/2qNjReL3hb1Rb+F79PDgZ2MAe+ KaEdlP3Sd1TquKLQzrXfKNctmqE+acfjl1volPZXS7ZXz/2r5AiRxZPB6w== X-Google-Smtp-Source: AGHT+IHoFpQ2s4SdysuB5mUUCTz7cf+oWeqk4u5bSDORpCJ1OzDklUT8Qt9Rt312IVz0J90dQaCiGQ== X-Received: by 2002:a05:600c:5116:b0:41b:fa34:9e48 with SMTP id 5b1f17b1804b1-41feac55e26mr233102165e9.30.1716028372056; Sat, 18 May 2024 03:32:52 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4200f86ab7csm262924365e9.19.2024.05.18.03.32.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:50 -0700 (PDT) Message-Id: <961dfc35f426388d660cca4e92f43e169819886a.1716028366.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Sat, 18 May 2024 10:32:40 +0000 Subject: [PATCH v2 2/8] init: use the correct path of the templates directory again Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin In df93e407f06 (init: refactor the template directory discovery into its own function, 2024-03-29), I refactored the way the templates directory is discovered. The refactoring was faithful, but missed a reference in the `Makefile` where the `DEFAULT_GIT_TEMPLATE_DIR` constant is defined. As a consequence, Git v2.45.1 and friends will always use the hard-coded path `/usr/share/git-core/templates`. Let's fix that by defining the `DEFAULT_GIT_TEMPLATE_DIR` when building `setup.o`, where that constant is actually used. Signed-off-by: Johannes Schindelin --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 093829ae283..4b1502ba2c6 100644 --- a/Makefile +++ b/Makefile @@ -2751,7 +2751,7 @@ exec-cmd.sp exec-cmd.s exec-cmd.o: EXTRA_CPPFLAGS = \ '-DFALLBACK_RUNTIME_PREFIX="$(prefix_SQ)"' builtin/init-db.sp builtin/init-db.s builtin/init-db.o: GIT-PREFIX -builtin/init-db.sp builtin/init-db.s builtin/init-db.o: EXTRA_CPPFLAGS = \ +setup.sp setup.s setup.o: EXTRA_CPPFLAGS = \ -DDEFAULT_GIT_TEMPLATE_DIR='"$(template_dir_SQ)"' config.sp config.s config.o: GIT-PREFIX From patchwork Sat May 18 10:32:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667560 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6018528376 for ; Sat, 18 May 2024 10:32:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028377; cv=none; b=QFmmHX2df0u0YQvtMUvwDqOXgnr9lZnGBuQt9FjE3A/jWoUqwcV5n91X/rYz2UIy6nzcLws1OFo+2No0GA0cZrJx6zpikr8aJXEQ1e0gVtcHA2KFfviITUgy5Yv9CvplfcfZXBVYWAh9UYidpf6nXuf7eymEB1JQNj571RHXEAE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028377; c=relaxed/simple; bh=NACUjCKOyFbBT9Jcvg+gdcvRvWOxx7KfWVnfiD/FlN4=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=ER8mSNlkC8rEGEsn1TMswQkzgVpMYiWxN+Dtx8yo/r59QdszVu+y2DNWTUyT4CONrSOPo9EcA5+WNrhakafn7Qw1F7fzlxmKmeXIl8J8PPO7PmHLHfXS2JmH0qRerbTfye1P49Nx3RAXjV0PBxecVljBVWLmMKw4PVAygD1W5xw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=hRakvG9M; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="hRakvG9M" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-420180b59b7so7826915e9.0 for ; Sat, 18 May 2024 03:32:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028373; x=1716633173; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=i6d3NikhGkK867apaAyTM/p8Uvw8q8n1MJ0T9cVpYng=; b=hRakvG9MPwS4oPvxBXP/mE6chfK48u6/ZukeW8ruQSB+/4ZYJLFSk/VphK2GCJOhZJ 9Rkz398bAXIXvwj1zDL1i6V8T8Z6HKYSb0UGyRzLaeG8U15ZI6U3XsY8vfKcMLfCFkrf nsWrAiOvcoWmRfOS1KW0seCSVPpfBwpdc0KIQze+kXI3KFokhXGxV3olAoPk7hYDwOVz NN9bEC7Cr8d9IX6IMAigPJ2SbOwBxD56lRmkv5vmHLVBf83PAYzQitZNMlAmOvWzAaAv 040BBaAMB5CSBONZnHMujlc83nvOfO+sYehoij1suBX1qKF53AumurjFAf8CatDRHgyJ +D+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028373; x=1716633173; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=i6d3NikhGkK867apaAyTM/p8Uvw8q8n1MJ0T9cVpYng=; b=GgrBNl23oONOvHnLcy7Bf6pxuanL5PYcffEXzhA+3wSdsHWy5/weNsqGxYFxyPsgVk OJU12GyFPQ85silZ0WYM/PoyHQ48JfqRh/RYdDTjHrWegMvph7urbKVkStnv2AMCyBqq ORh30cnwUAKMNJggQOF7Beq4ucYblv8pMKpvVCr7fMJV+258lkj1sbJUAxn3Z09bMCOa OQYDHJLWfBOtAWIPmHsRadSPnp3xcNqYn7sEg4aOoH5v/RWg8uSer1CVgu1lafSZBvvR ECl3eNE6C/zoc4DT/t2j/0zEEYtxOlqROfYyzJry97KGMnEyyNXTFjqQbj6CeqQPx7NQ z6PA== X-Gm-Message-State: AOJu0Yy3bk7ypciVBlY0mXdntqi+LcAkZLUlCCtCzQemC/IwEtYDJU1z ctADW0atc5kLNTFcmV7zzrPJZ2gLcBzNMZxvGoI9wt6Dcw/2oWA+ALwhzA== X-Google-Smtp-Source: AGHT+IE50Dt3PT4RUHurVORMzJ4OHeMBaIaz+b06LYaRfkMf2DVTpHn/F/9/gQAemiNP7Ojfmonpog== X-Received: by 2002:a05:600c:1d83:b0:420:1157:95b4 with SMTP id 5b1f17b1804b1-4201157977dmr167852985e9.12.1716028373012; Sat, 18 May 2024 03:32:53 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4202de3a79bsm77189255e9.6.2024.05.18.03.32.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:52 -0700 (PDT) Message-Id: <57db89a14977bdff01f8f82cb4d6f85cc49d4b55.1716028366.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Sat, 18 May 2024 10:32:41 +0000 Subject: [PATCH v2 3/8] Revert "core.hooksPath: add some protection while cloning" Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin This defense-in-depth was intended to protect the clone operation against future escalations where bugs in `git clone` would allow attackers to write arbitrary files in the `.git/` directory would allow for Remote Code Execution attacks via maliciously-placed hooks. However, it turns out that the `core.hooksPath` protection has unintentional side effects so severe that they do not justify the benefit of the protections. For example, it has been reported in https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/ that the following invocation, which is intended to make `git clone` safer, is itself broken by that protective measure: git clone --config core.hooksPath=/dev/null Since it turns out that the benefit does not justify the cost, let's revert 20f3588efc6 (core.hooksPath: add some protection while cloning, 2024-03-30). Signed-off-by: Johannes Schindelin --- config.c | 13 +------------ t/t1800-hook.sh | 15 --------------- 2 files changed, 1 insertion(+), 27 deletions(-) diff --git a/config.c b/config.c index 85b37f2ee09..8c1c4071f0d 100644 --- a/config.c +++ b/config.c @@ -1525,19 +1525,8 @@ static int git_default_core_config(const char *var, const char *value, void *cb) if (!strcmp(var, "core.attributesfile")) return git_config_pathname(&git_attributes_file, var, value); - if (!strcmp(var, "core.hookspath")) { - if (current_config_scope() == CONFIG_SCOPE_LOCAL && - git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0)) - die(_("active `core.hooksPath` found in the local " - "repository config:\n\t%s\nFor security " - "reasons, this is disallowed by default.\nIf " - "this is intentional and the hook should " - "actually be run, please\nrun the command " - "again with " - "`GIT_CLONE_PROTECTION_ACTIVE=false`"), - value); + if (!strcmp(var, "core.hookspath")) return git_config_pathname(&git_hooks_path, var, value); - } if (!strcmp(var, "core.bare")) { is_bare_repository_cfg = git_config_bool(var, value); diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 7ee12e6f48a..2ef3579fa7c 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -177,19 +177,4 @@ test_expect_success 'git hook run a hook with a bad shebang' ' test_cmp expect actual ' -test_expect_success 'clone protections' ' - test_config core.hooksPath "$(pwd)/my-hooks" && - mkdir -p my-hooks && - write_script my-hooks/test-hook <<-\EOF && - echo Hook ran $1 - EOF - - git hook run test-hook 2>err && - grep "Hook ran" err && - test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ - git hook run test-hook 2>err && - grep "active .core.hooksPath" err && - ! grep "Hook ran" err -' - test_done From patchwork Sat May 18 10:32:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667561 Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6DB82E64C for ; Sat, 18 May 2024 10:32:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028378; cv=none; b=Up11HhLZ5wo1OZ5LE7s5MJMBTABjoipweQHHqV3Ts2ncac3i7f1RiyDymPJ7vDl39rmHsnu3zHkk8QZOqRty/XAGFMPCv1mXdmV0R5YIU8PpUqrSj0hWF20chbU/88JZg2RjrSOgkPRHCitJhgAyewZwhcpUw00h2wTuu8KcAJQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028378; c=relaxed/simple; bh=9GRY60ElemT9DHs8npnd8hLlNR8z3x1QzrFwTtQ6KpE=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=LufRgA7g7gQJ2NA6+i0W2yXPFwzXYHF3OlNvodTX1ykY9eUNEFu4Sa8pHw7/mcGd6nN1UlK+WJaZJBxc9rtP9Vsyrrm0CLnYIoGxwV6tuYX0tppaNCodAipuSXHNjp6eqdGrGZB7QwQgn1Lob/t7XvEl6OQUi3jUsxhgF1NN04s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NOR6+B85; arc=none smtp.client-ip=209.85.221.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NOR6+B85" Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-34d8d11a523so555500f8f.2 for ; Sat, 18 May 2024 03:32:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028374; x=1716633174; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=8Hh0zgo3PA9OZD3gGP/KbTGUs6ILXCU7En0Epx60GCc=; b=NOR6+B85dwDX3GmPlIrg3IypK6PoJONNmrGQFXWn2IefNEKKq0JqDKM7AQDtnDpkHm bnydIF9FHGM2Tp8VamD4jKIHhV8VbN17yeXIOUGMboNAyuM5UR+lHLIG3NodRCQoT9M9 dCluxmr8hit5582dpuDtx3fsUR+RHKMXf5g4AWY2YPG56NxmcgHrqdlDjLfAo1SsYM7Y Mmo9i5IDXu0rnLIUsRJw9/vnIcDlbgpKLvb9GR63g3qjR7scNEmr+HXqMjWPBsAb7QIG hCs3EGkklvKRa9+5sYovXkUVZRZm8WhIYrF0J9CaWiJVUK5FRBR5Uo5Bs+xNUxZvyDBA yU+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028374; x=1716633174; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8Hh0zgo3PA9OZD3gGP/KbTGUs6ILXCU7En0Epx60GCc=; b=vxnmEfSVYhfH9YFWZAeS7MaWlrwRFV+ZhGeGhIAIu1+7qIYY9LAcdgWZkEMkTTMsFq UVuQ9k1daf5cWZN37ulyYSjZmcoYHNoDGm/Ur2mYOnPcKBhMvsI8s13abzGMN2PL3S5X 2Dt4qXIsP12fUXTfBaPwcAALYfrJOIZADyxqp3WKb9ZmwhQkA2+V3SHbVjipnc3zEODH Q0ry0Q3S80+8uh4apEBlyE8n8BZc5rgmMJfBOVr9eOYfiy1+Jkp/YirC4h6Xw8ODZAnh IYiMNJQstVXitWbZPBz05l5/B/0iuddUBw44wZugNOq1sHlXtrz/V7rwP8dzfxck7OKt 1KfQ== X-Gm-Message-State: AOJu0YxZf5OnB7ci57v8eNayIQAw/n8HC0haSVcYsB1Do4FdaBWexXPZ xJENweCK8VE5e+m5X50FWB/FeZaW5BsSXiOzYcPjpNZlBBA4b/DAZioZyg== X-Google-Smtp-Source: AGHT+IGmdunucJdvg7kh3XAzFBbeH0YuPXCPMCcq63rzEt2DejhVZAu+4YeZcI01waUa5WiFhQftcw== X-Received: by 2002:a05:6000:551:b0:34d:ae55:8fb9 with SMTP id ffacd0b85a97d-3504aa6339bmr16909461f8f.66.1716028374389; Sat, 18 May 2024 03:32:54 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502b79bdbcsm23732153f8f.23.2024.05.18.03.32.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:53 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Sat, 18 May 2024 10:32:42 +0000 Subject: [PATCH v2 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin As part of the protections added in Git v2.45.1 and friends, repository-local `core.hooksPath` settings are no longer allowed, as a defense-in-depth mechanism to prevent future Git vulnerabilities to raise to critical level if those vulnerabilities inadvertently allow the repository-local config to be written. What the added protection did not anticipate is that such a repository-local `core.hooksPath` can not only be used to point to maliciously-placed scripts in the current worktree, but also to _prevent_ hooks from being called altogether. We just reverted the `core.hooksPath` protections, based on the Git maintainer's recommendation in https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this concern as well as related ones. Let's make sure that we won't regress while trying to protect the clone operation further. Reported-by: Brooke Kuhlmann Signed-off-by: Johannes Schindelin --- t/t1350-config-hooks-path.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh index f6dc83e2aab..45a04929170 100755 --- a/t/t1350-config-hooks-path.sh +++ b/t/t1350-config-hooks-path.sh @@ -41,4 +41,11 @@ test_expect_success 'git rev-parse --git-path hooks' ' test .git/custom-hooks/abc = "$(cat actual)" ' +test_expect_success 'core.hooksPath=/dev/null' ' + git clone -c core.hooksPath=/dev/null . no-templates && + value="$(git -C no-templates config --local core.hooksPath)" && + # The Bash used by Git for Windows rewrites `/dev/null` to `nul` + { test /dev/null = "$value" || test nul = "$value"; } +' + test_done From patchwork Sat May 18 10:32:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667562 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BF1338384 for ; Sat, 18 May 2024 10:32:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028380; cv=none; b=FfCL0z8wNMCe9ad5dUawsFNut96Hk3tc09zVrKqWuOD2vSzRI3Ps4DJolc6R9o7fSj2z5p2C9xCQT8JXSd2o6Kg8DDBk15igFWZIlbgp0Fve8jRK6/EaT/1jRdF0UNZEChOLPaya0DryiLwGi8g1fl4yAZD6FD+iJ5XQKNuTh6s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028380; c=relaxed/simple; bh=0xV52jjmT0eUFdfARNbKgVgZmDGiXMy05FdhFMXRJSc=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=gUodk9feM2JXU7sexbMGbBqVePPoDQcKxJFH00hqE6+ShMY4xPGcz7Q+W/igg8l3GQPZgnmYfbARVuJ9f3MvhnpRRVqfNkWAFZYCys13elHywJsI5XCK3v01ZlKmsI5oXmiieCSneIRkt+CW8c6C6aeDBO/KMKFLJMj5yzp7EMo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UnigFSOB; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UnigFSOB" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-420160f8f52so8495885e9.0 for ; Sat, 18 May 2024 03:32:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028376; x=1716633176; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=iLuolBlw/BCa8SAwGbeiIe56GkqWWJFI/oG0XotUlPk=; b=UnigFSOBDbwSgQUvkALOOqhaLhDtGaWealufghJUDZlHiZPKWHxiFv1VmWqBG3Yk/O MNiwen1HME/rL2sUTMYMHlX3/sSsc613Hji5If8ZUZtbN1VBvAounsWsocM39HGmpFYB 8viAiM+bpYTukc2RfUu3l8lUmv9tz9MMAX+WFghHvkM0okYx+NzSLG50Xz55ylLkJiPN BkMXKgGMKtBfjoUF+3liVfu4A1bdYeZ9Y+/r8/oBUYPwqvct6T/cgIiTboK/yyuJnSFf M7wsWvtkW3JhreyAI2fcFj6gZh2xcJb79CWwasJyltPwcuXJWd4QAZwpHuL9sUh6q4y7 XYGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028376; x=1716633176; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iLuolBlw/BCa8SAwGbeiIe56GkqWWJFI/oG0XotUlPk=; b=F3uTy7CocW4bCxGfJTXL/YMiK4ubqXOZC8MxAIhrb8TKNwPRAuu+QJk/DIKhnSwccs QGPIAQMwFe20E9ze3oS7v9la8fMMvRX5GoCkedyA8kJmnz3hHz3113zthTukwsk8YsY/ S/Q9DO7t+GNNvy2MhP4cvAfuyCc8BkIa1Ky7weceZ0Mb7ChwPka09KCbt+r5N0/ydfXK A0ky3aOLynN6blCObzeTu3aK7Yb8VEvrtjm9Ae0Nu0QR5S//z5I2mo6+QLW9b5NA2Meq 7NuY2du0MrVWuGYcqbQBy5j9Gl5GjcDVJoYfPqaQjy5pQ9yUqZAm+15mNNtYhMh76KWD vpzQ== X-Gm-Message-State: AOJu0Yx+NR3x1m5PIFS/0cRmkHNxm4pYMV/LFSMy5Cf4/AVbO1won0qM fuTae20KN53xgRSyybMcFOBCx6KqJ/TQlLHYKJjQGbIlWGyb8dedg4IBpQ== X-Google-Smtp-Source: AGHT+IEusBEpD4ojbeeLBLEqnkcNn/gKe7qfBaNTyTr/TQ0O2ccrGVXQwVFRwDBdENsXDuoQGT4jeQ== X-Received: by 2002:a05:600c:3544:b0:420:29dd:84d5 with SMTP id 5b1f17b1804b1-42029dd8898mr63171635e9.5.1716028375776; Sat, 18 May 2024 03:32:55 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4201da9895csm181294915e9.44.2024.05.18.03.32.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:54 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Sat, 18 May 2024 10:32:43 +0000 Subject: [PATCH v2 5/8] hook(clone protections): add escape hatch Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin As defense-in-depth measures, v2.39.4 and friends leading up to v2.45.1 introduced code that detects when hooks have been installed during a `git clone`, which is indicative of a common attack vector with critical severity that allows Remote Code Execution. There are legitimate use cases for such behavior, though, for example when those hooks stem from Git's own templates, which system administrators are at liberty to modify to enforce, say, commit message conventions. The git clone protections specifically add exceptions to allow for that. Another legitimate use case that has been identified too late to be handled in these security bug-fix versions is Git LFS: It behaves somewhat similar to common attack vectors by writing a few hooks while running the `smudge` filter during a regular clone, which means that Git has no chance to know that the hooks are benign and e.g. the `post-checkout` hook can be safely executed as part of the clone operation. To help Git LFS, and other tools behaving similarly (if there are any), let's add a new, multi-valued `safe.hook.sha256` config setting. Like the already-existing `safe.*` settings, it is ignored in repository-local configs, and it is interpreted as a list of SHA-256 checksums of hooks' contents that are safe to execute during a clone operation. Future Git LFS versions will need to write those entries at the same time they install the `smudge`/`clean` filters. Signed-off-by: Johannes Schindelin --- Documentation/config/safe.txt | 6 ++++ hook.c | 66 ++++++++++++++++++++++++++++++++--- t/t1800-hook.sh | 15 ++++++++ 3 files changed, 82 insertions(+), 5 deletions(-) diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index bde7f31459b..69ee845be89 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -59,3 +59,9 @@ which id the original user has. If that is not what you would prefer and want git to only trust repositories that are owned by root instead, then you can remove the `SUDO_UID` variable from root's environment before invoking git. + +safe.hook.sha256:: + The value is the SHA-256 of hooks that are considered to be safe + to run during a clone operation. ++ +Multiple values can be added via `git config --global --add`. diff --git a/hook.c b/hook.c index fc974cee1d8..a2479738451 100644 --- a/hook.c +++ b/hook.c @@ -2,6 +2,7 @@ #include "hook.h" #include "run-command.h" #include "config.h" +#include "strmap.h" static int identical_to_template_hook(const char *name, const char *path) { @@ -29,11 +30,65 @@ static int identical_to_template_hook(const char *name, const char *path) return ret; } +static struct strset safe_hook_sha256s = STRSET_INIT; +static int safe_hook_sha256s_initialized; + +static int get_sha256_of_file_contents(const char *path, char *sha256) +{ + struct strbuf sb = STRBUF_INIT; + int fd; + ssize_t res; + + git_hash_ctx ctx; + const struct git_hash_algo *algo = &hash_algos[GIT_HASH_SHA256]; + unsigned char hash[GIT_MAX_RAWSZ]; + + if ((fd = open(path, O_RDONLY)) < 0) + return -1; + res = strbuf_read(&sb, fd, 400); + close(fd); + if (res < 0) + return -1; + + algo->init_fn(&ctx); + algo->update_fn(&ctx, sb.buf, sb.len); + strbuf_release(&sb); + algo->final_fn(hash, &ctx); + + hash_to_hex_algop_r(sha256, hash, algo); + + return 0; +} + +static int safe_hook_cb(const char *key, const char *value, void *d) +{ + struct strset *set = d; + + if (value && !strcmp(key, "safe.hook.sha256")) + strset_add(set, value); + + return 0; +} + +static int is_hook_safe_during_clone(const char *name, const char *path, char *sha256) +{ + if (get_sha256_of_file_contents(path, sha256) < 0) + return 0; + + if (!safe_hook_sha256s_initialized) { + safe_hook_sha256s_initialized = 1; + git_protected_config(safe_hook_cb, &safe_hook_sha256s); + } + + return strset_contains(&safe_hook_sha256s, sha256); +} + const char *find_hook(const char *name) { static struct strbuf path = STRBUF_INIT; int found_hook; + char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; strbuf_reset(&path); strbuf_git_path(&path, "hooks/%s", name); @@ -65,13 +120,14 @@ const char *find_hook(const char *name) return NULL; } if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && - !identical_to_template_hook(name, path.buf)) + !identical_to_template_hook(name, path.buf) && + !is_hook_safe_during_clone(name, path.buf, sha256)) die(_("active `%s` hook found during `git clone`:\n\t%s\n" "For security reasons, this is disallowed by default.\n" - "If this is intentional and the hook should actually " - "be run, please\nrun the command again with " - "`GIT_CLONE_PROTECTION_ACTIVE=false`"), - name, path.buf); + "If this is intentional and the hook is safe to run, " + "please run the following command and try again:\n\n" + " git config --global --add safe.hook.sha256 %s"), + name, path.buf, sha256); return path.buf; } diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 2ef3579fa7c..0f74c9154d0 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -177,4 +177,19 @@ test_expect_success 'git hook run a hook with a bad shebang' ' test_cmp expect actual ' +test_expect_success '`safe.hook.sha256` and clone protections' ' + git init safe-hook && + write_script safe-hook/.git/hooks/pre-push <<-\EOF && + echo "called hook" >safe-hook.log + EOF + + test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C safe-hook hook run pre-push 2>err && + cmd="$(grep "git config --global --add safe.hook.sha256 [0-9a-f]" err)" && + eval "$cmd" && + GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C safe-hook hook run pre-push && + test "called hook" = "$(cat safe-hook/safe-hook.log)" +' + test_done From patchwork Sat May 18 10:32:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667563 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 170F438FB9 for ; Sat, 18 May 2024 10:32:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028380; cv=none; b=LPx+YNzN6iSAB/EjtA/16g4tPlEvuWbLy8QOyM/8xG7yxFUrs7M46MvSIhOBeZz8RmGYIcRG11BEPD08+XRDoDmhFJjcRbLKgdFHXclSucx5m+PBD0yygz2B4gD6nArQq+vvvmieLEH30lp/hIrSWrxN+CKtYy9gHwOLf9BYL/Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028380; c=relaxed/simple; bh=m6kiufg4gp0OgW3ZydyK6oNOG9SdNtqfifm5s8dBLVc=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=WqCVHj7fqL/O/sEZy4Pi9ekSLhoadJBiGLyWM9rhazDOW56L1G8sjCNVaWPmYfdx7STqDK2JJS0wa0kvFku48sX/lvRoKrEBecgys7bP5KH6RJbsMqP5ye9o5KRua77PXlYfymZzGIYBVuwYjb8B5Lapg8pNuruAmkAyJwUQoYw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AuU5qDRe; arc=none smtp.client-ip=209.85.221.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AuU5qDRe" Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-351d309bbecso779484f8f.2 for ; Sat, 18 May 2024 03:32:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028377; x=1716633177; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=gOk3FTAovndPzq/IQ222GiH3kGFhNLcCQqINN45WbRo=; b=AuU5qDReUluMqLN0HVujY9OnyImu7irF4/khbrAaOaVG6duSRjdTRkgdqNGzEYwESt 8/X1I/xKUU7HV+pjRHvc3kkdRoRwbn4ZI+Ey6vdtPChC0e8yXmRc9NwrFTngXAyUOfXD y9ojgPG3fH9OdRF4IN3iNZ1Zs1Bo1s9Q9XzSVnIg9OLltCeFAKj7hNI9slW5ZGA0/tgO D8vh22YEId1SoHrfbW7gRAxWVrO9r8Vdr3UgoU8ilC3DRDPXYfssuuD/IZUmohh2dfQz MzdlsOGJmhZy592S7qt2j+w+jT1Kv00THodv5dcAhmLs7hp3n5pcyyA6e8z27YV55L0u x4Cw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028377; x=1716633177; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gOk3FTAovndPzq/IQ222GiH3kGFhNLcCQqINN45WbRo=; b=tCSNRKzGnDPICr8LJNfNq5h2ZAKt7MLDq1LR2d30h2Jk/U7VWjlUzYbv5ItLkeBXDy 3okYnFu9z3J18AU7+bdzUxKW+rBqjgfn2byc6Czx1z5Tb5r6tUabYAEKSVySkByKq/Eo osrNQLcXczGh2B/c+g6f552biCwJI4zWJF4KakfSw8QfoYZ4uHffIxkOKeYdWOepK3Ha To5d7XIxwoTBxaI4X6HVDpjQ3lbWUN9QuLyhdiRX4q1wnQt2klDO2UP+VqlFNy3GpMjm nB63eHfg4FOhRZSz3AzWtdSi5UBZGnLe8Yyy+JKMGl4e2Q4NXbHFvoQTvgIxNzpdGoso XLbQ== X-Gm-Message-State: AOJu0Yz8CzPdtW2SxkWUyDZAIL6hua8otS1EKFK6o4NFCiEQQt9iTWsj tLP9627gsEarGSi1JEdiyb3WmlS0NHJCgS+0WmnArCYDSpJck00fy9ov5w== X-Google-Smtp-Source: AGHT+IFoDZr3Dr+CBC0h/TtaeiC/iyozurd/24MCowrYE946eV09QLz36fx4SBRJZwLXtzXUECrlGQ== X-Received: by 2002:adf:e8c1:0:b0:351:daf5:e28b with SMTP id ffacd0b85a97d-351daf5e375mr6558647f8f.23.1716028376661; Sat, 18 May 2024 03:32:56 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-41fd10cf8besm177802195e9.1.2024.05.18.03.32.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:56 -0700 (PDT) Message-Id: <5e5128bc232fbb822925efde20395484354492b6.1716028367.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Sat, 18 May 2024 10:32:44 +0000 Subject: [PATCH v2 6/8] hooks(clone protections): special-case current Git LFS hooks Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin A notable regression in v2.45.1 and friends (all the way down to v2.39.4) has been that Git LFS-enabled clones error out with a message indicating that the `post-checkout` hook has been tampered with while cloning, and as a safety measure it is not executed. A generic fix for benign third-party applications wishing to write hooks during clone operations has been implemented in the parent of this commit: said applications are expected to add `safe.hook.sha256` values to a protected config. However, the current version of Git LFS, v3.5.1, cannot be adapted retroactively; Therefore, let's just hard-code the SHA-256 values for this version. That way, Git LFS usage will no longer be broken, and the next Git LFS version can be taught to add those `safe.hook.sha256` entries. Signed-off-by: Johannes Schindelin --- hook.c | 11 +++++++++++ t/t1800-hook.sh | 20 ++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/hook.c b/hook.c index a2479738451..f81b13df142 100644 --- a/hook.c +++ b/hook.c @@ -77,6 +77,17 @@ static int is_hook_safe_during_clone(const char *name, const char *path, char *s if (!safe_hook_sha256s_initialized) { safe_hook_sha256s_initialized = 1; + + /* Hard-code known-safe values for Git LFS v3.4.0..v3.5.1 */ + /* pre-push */ + strset_add(&safe_hook_sha256s, "df5417b2daa3aa144c19681d1e997df7ebfe144fb7e3e05138bd80ae998008e4"); + /* post-checkout */ + strset_add(&safe_hook_sha256s, "791471b4ff472aab844a4fceaa48bbb0a12193616f971e8e940625498b4938a6"); + /* post-commit */ + strset_add(&safe_hook_sha256s, "21e961572bb3f43a5f2fbafc1cc764d86046cc2e5f0bbecebfe9684a0b73b664"); + /* post-merge */ + strset_add(&safe_hook_sha256s, "75da0da66a803b4b030ad50801ba57062c6196105eb1d2251590d100edb9390b"); + git_protected_config(safe_hook_cb, &safe_hook_sha256s); } diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 0f74c9154d0..af66999aff3 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -192,4 +192,24 @@ test_expect_success '`safe.hook.sha256` and clone protections' ' test "called hook" = "$(cat safe-hook/safe-hook.log)" ' +write_lfs_pre_push_hook () { + write_script "$1" <<-\EOF + command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; } + git lfs pre-push "$@" + EOF +} + +test_expect_success 'Git LFS special-handling in clone protections' ' + git init lfs-hooks && + write_lfs_pre_push_hook lfs-hooks/.git/hooks/pre-push && + write_script git-lfs <<-\EOF && + echo "called $*" >fake-git-lfs.log + EOF + + PATH="$PWD:$PATH" GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C lfs-hooks hook run pre-push && + test_write_lines "called pre-push" >expect && + test_cmp lfs-hooks/fake-git-lfs.log expect +' + test_done From patchwork Sat May 18 10:32:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667564 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B44239AE7 for ; Sat, 18 May 2024 10:32:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028382; cv=none; b=bt/n1oF/lF2x6WH7F+UpOVOzmzk6d58mO+mfZjrksNDvgpuIo8WEUu2EiJmQgV3fMNKkTZK6mWOZS1NnGx1DeTFsl4DFoT8I/r4xOHnNwV8jp8pvmMFLS2d0nyM+C0wgFH4lyBKNJ2yVF4O12nhKVBEP/bYgG+T4Lz9jN9EUhKc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028382; c=relaxed/simple; bh=CxnrtJgGPZIIx/97URim9Dl9+EAgkdPBP+aIaFTfsdA=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=vA/WKYMPWNJixiynL45IykueLk1yqw0myVHe10NVoZAUZ4ft/3+Bfq8LXNSZL3msN3NbQ7Y9PG+UkXgUbzaFnpFnQD8Nb7puJBpwdSlX+81f+5zt2z77qWh6TYvvFHqBfp0fY3zUNLk9BpjNpfFY3x7BjPdykN4Lym6cz5CAaWo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=R6tr/sto; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="R6tr/sto" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-420180b5922so11622445e9.2 for ; Sat, 18 May 2024 03:32:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028378; x=1716633178; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=B5iRr1/kZmqw5xIjvYHEIZu60wvxlWvTP3syrKM68bE=; b=R6tr/stow1Xo6rQ5C2sIWa5bDvc9jTc6EWfyXuxD0R4mmuwaMNk4AVDZoEDF0vqba2 KIY0iMAXdPJ5c1SF53LSaCY1uG8quSQS9Kl8hL/X3cbP0aCDflCfq8d/FVxiFhsJjp5T uDWI57idMIV9d9QQYW+Yut5AtgaqHtccx8MNoHguJmkiQV0709Mh4n4mVARR1uQ1ud9J VpiiC6ZBNT0ZWKRv5ZdA880960HXp3DOgRV9Ed5UJadX9Pngb1DZYW+9WEymRP54qEZV /PaWa33KYtgLfA5T9zcHdTRKaupbngRXW4FckKr9cBoUnIFxujiXjmv/3F96iMS/IIhX 1SLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028378; x=1716633178; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=B5iRr1/kZmqw5xIjvYHEIZu60wvxlWvTP3syrKM68bE=; b=Xh3eNhjZJImbChh+eo2+UYrYd7U/ykYCqrbvq1/cjbHWbkogKVLUBNZX3mnZpmLqws uAf4scN6kyVS+z6zWHTCO2wQMi2AV4EfbI/hSl/4gZ2hRw8b7UUZRnlOT3VW2j/QR0o5 9Dy2mcOMVqlOp6v42goFjLvNv94xKYL5SU5s9gU90NsZQS/MQjXH91CIUSFVdpuOvZCL T77jfgOCFy+VvsRZ4H4fo7Hjq2gYqaCsFbibFx9w7C+nc7AGNSvuz5rsQzbikXPf8Yn1 4AvphHtsMkoW8dt1MPn5zLIfojOauCbJBZF8bo5nQXxNi7ogk9a9I+te5GsvKJkqPmEN tAgw== X-Gm-Message-State: AOJu0Yx6jMIrDPKkEelxpA8xTNmxvhabL3B2v1EpUoL8Gv6khidaRlbd oGx7Fh+2Upy3ZpIilKRvhzOR9p8mtFDp4CnbyUWQLHtxFVC1OKDopWY6bQ== X-Google-Smtp-Source: AGHT+IHTixptnmOOgn6Oxyh1ItQFI+Kezcm6o/BfaBRbHuiHUNh8PUFfDuI/d0bQpr66VsLQM8qigg== X-Received: by 2002:a05:600c:190c:b0:41a:47db:290c with SMTP id 5b1f17b1804b1-41fea93a099mr270351945e9.5.1716028378210; Sat, 18 May 2024 03:32:58 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-351b79e8e6bsm16163927f8f.65.2024.05.18.03.32.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:57 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Sat, 18 May 2024 10:32:45 +0000 Subject: [PATCH v2 7/8] hooks(clone protections): simplify templates hooks validation Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin When an active hook is encountered during a clone operation, to protect against Remote Code Execution attack vectors, Git checks whether the hook was copied over from the templates directory. When that logic was introduced, there was no other way to check this than to add a function to compare files. In the meantime, we've added code to compute the SHA-256 checksum of a given hook and compare that checksum against a list of known-safe ones. Let's simplify the logic by adding to said list when copying the templates' hooks. We need to be careful to support multi-process operations such as recursive submodule clones: In such a scenario, the list of SHA-256 checksums that is kept in memory is not enough, we also have to pass the information down to child processes via `GIT_CONFIG_PARAMETERS`. Extend the regression test in t5601 to ensure that recursive clones are handled as expected. Note: Technically there is no way that the checksums computed while initializing the submodules' gitdirs can be passed to the process that performs the checkout: For historical reasons, these operations are performed in processes spawned in separate loops from the super-project's `git clone` process. But since the templates from which the submodules are initialized are the very same as the ones from which the super-project is initialized, we can get away with using the list of SHA-256 checksums that is computed when initializing the super-project and passing that down to the `submodule--helper` processes that perform the recursive checkout. Signed-off-by: Johannes Schindelin --- builtin/init-db.c | 7 +++++++ hook.c | 43 ++++++++++++++++--------------------------- hook.h | 10 ++++++++++ setup.c | 1 + t/t5601-clone.sh | 19 +++++++++++++++++++ 5 files changed, 53 insertions(+), 27 deletions(-) diff --git a/builtin/init-db.c b/builtin/init-db.c index a101e7f94c1..64357fdada4 100644 --- a/builtin/init-db.c +++ b/builtin/init-db.c @@ -10,6 +10,8 @@ #include "exec-cmd.h" #include "parse-options.h" #include "worktree.h" +#include "run-command.h" +#include "hook.h" #ifdef NO_TRUSTABLE_FILEMODE #define TEST_FILEMODE 0 @@ -28,6 +30,7 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, size_t path_baselen = path->len; size_t template_baselen = template_path->len; struct dirent *de; + int is_hooks_dir = ends_with(template_path->buf, "/hooks/"); /* Note: if ".git/hooks" file exists in the repository being * re-initialized, /etc/core-git/templates/hooks/update would @@ -80,6 +83,10 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, strbuf_release(&lnk); } else if (S_ISREG(st_template.st_mode)) { + if (is_hooks_dir && + is_executable(template_path->buf)) + add_safe_hook(template_path->buf); + if (copy_file(path->buf, template_path->buf, st_template.st_mode)) die_errno(_("cannot copy '%s' to '%s'"), template_path->buf, path->buf); diff --git a/hook.c b/hook.c index f81b13df142..9e762cc9af6 100644 --- a/hook.c +++ b/hook.c @@ -4,32 +4,6 @@ #include "config.h" #include "strmap.h" -static int identical_to_template_hook(const char *name, const char *path) -{ - const char *env = getenv("GIT_CLONE_TEMPLATE_DIR"); - const char *template_dir = get_template_dir(env && *env ? env : NULL); - struct strbuf template_path = STRBUF_INIT; - int found_template_hook, ret; - - strbuf_addf(&template_path, "%s/hooks/%s", template_dir, name); - found_template_hook = access(template_path.buf, X_OK) >= 0; -#ifdef STRIP_EXTENSION - if (!found_template_hook) { - strbuf_addstr(&template_path, STRIP_EXTENSION); - found_template_hook = access(template_path.buf, X_OK) >= 0; - } -#endif - if (!found_template_hook) { - strbuf_release(&template_path); - return 0; - } - - ret = do_files_match(template_path.buf, path); - - strbuf_release(&template_path); - return ret; -} - static struct strset safe_hook_sha256s = STRSET_INIT; static int safe_hook_sha256s_initialized; @@ -60,6 +34,22 @@ static int get_sha256_of_file_contents(const char *path, char *sha256) return 0; } +void add_safe_hook(const char *path) +{ + char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; + + if (!get_sha256_of_file_contents(path, sha256)) { + char *p; + + strset_add(&safe_hook_sha256s, sha256); + + /* support multi-process operations e.g. recursive clones */ + p = xstrfmt("safe.hook.sha256=%s", sha256); + git_config_push_parameter(p); + free(p); + } +} + static int safe_hook_cb(const char *key, const char *value, void *d) { struct strset *set = d; @@ -131,7 +121,6 @@ const char *find_hook(const char *name) return NULL; } if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && - !identical_to_template_hook(name, path.buf) && !is_hook_safe_during_clone(name, path.buf, sha256)) die(_("active `%s` hook found during `git clone`:\n\t%s\n" "For security reasons, this is disallowed by default.\n" diff --git a/hook.h b/hook.h index 4258b13da0d..e2034ee8b23 100644 --- a/hook.h +++ b/hook.h @@ -82,4 +82,14 @@ int run_hooks(const char *hook_name); * hook. This function behaves like the old run_hook_le() API. */ int run_hooks_l(const char *hook_name, ...); + +/** + * Mark the contents of the provided path as safe to run during a clone + * operation. + * + * This function is mainly used when copying templates to mark the + * just-copied hooks as benign. + */ +void add_safe_hook(const char *path); + #endif diff --git a/setup.c b/setup.c index c3301f5ab82..7f7538c9bf7 100644 --- a/setup.c +++ b/setup.c @@ -7,6 +7,7 @@ #include "promisor-remote.h" #include "quote.h" #include "exec-cmd.h" +#include "hook.h" static int inside_git_dir = -1; static int inside_work_tree = -1; diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 20deca0231b..71eaa3d1e14 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -819,6 +819,25 @@ test_expect_success 'clone with init.templatedir runs hooks' ' git config --unset init.templateDir && ! grep "active .* hook found" err && test_path_is_missing hook-run-local-config/hook.run + ) && + + test_config_global protocol.file.allow always && + git -C tmpl/hooks submodule add "$(pwd)/tmpl/hooks" sub && + test_tick && + git -C tmpl/hooks add .gitmodules sub && + git -C tmpl/hooks commit -m submodule && + + ( + sane_unset GIT_TEMPLATE_DIR && + NO_SET_GIT_TEMPLATE_DIR=t && + export NO_SET_GIT_TEMPLATE_DIR && + + git -c init.templateDir="$(pwd)/tmpl" \ + clone --recurse-submodules \ + tmpl/hooks hook-run-submodule 2>err && + ! grep "active .* hook found" err && + test_path_is_file hook-run-submodule/hook.run && + test_path_is_file hook-run-submodule/sub/hook.run ) ' From patchwork Sat May 18 10:32:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667565 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 600773AC36 for ; Sat, 18 May 2024 10:33:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028383; cv=none; b=Hl1aubFgsjnRbrjr3L3oaGI41nrMoILIawmxiTejU7Zvjwo/OK+BdJVEkqWswxHuFB+VjbkPYF/V1Z13aIXrNyqnRBpj3Tn8I+adRvXEQE97xVSRkpH6t/HLbwB3EhGVdFlRHbnPvb08bZokjRlP8ehWbFxt9knNV/4fvH3OpnY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716028383; c=relaxed/simple; bh=ldVou3LjvRyszwlkSq0AhyfPkMxbgdNiKzyu2EBNRqU=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=r3rd+kN0i4yHoQHfT9p39CDMrOfVOAw93Y3m4FpwuSd7NLh3UjnoxSAr9qY3S3URuWf1Yb0YnuCx8xHboVuhgzsdgt9fYRnN10tcPPHkhWXBgW9ywn1sQFdM73MqHiFpOWcvmu/LLldCV4T5u+ikRMTwnNIGPnVmBxwLzdF1hKw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NUMyNFmV; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NUMyNFmV" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-4200ee78e56so8383185e9.3 for ; Sat, 18 May 2024 03:33:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716028379; x=1716633179; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=Zrr1+lMEsbdxBYmZl3ymH80XsSKj7Aucdz/ecD0EJAM=; b=NUMyNFmV957+IS7h0ZXrz7FSvXSHCR61zjq8LIyHMdC/7XL8uLQ55iwpLnIv/zSMhx /XhVjT0o9YhOcYIwz6TEXD2Zq1cTrKeu2zPTTjkPBgev79xU4UowvsAzjrzW32O2shp9 daenqlHvveZueBAHKU9sNKC7SxD3T9gebTfBEpPYKw+1/Rw3sq5yQALfwoTB0Z3rP/GO 9xhOTYUxLpAkE0dzF245DiD+nrM5cAJ4gtPQjYmWxF62kRHqOHPUWzVB4J7Bmj+Pifae 95mvVZuOyfmaAvlydlfKvTGkziq74XLm5/GiLqhfUtZ8bUNbvePmb5sD/zKe57a9IPyN PKaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716028379; x=1716633179; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Zrr1+lMEsbdxBYmZl3ymH80XsSKj7Aucdz/ecD0EJAM=; b=NS7R5fpyYtxnMyqlCBXDAcezE6HjSlTpY1w4uAa7iBRilMzwaCfxgoghVPsDRvNmm7 NR/JcQvjZL25MFnr/KH4vKUp55vj7yo8M4uiml1yY2bdYwjJ2ZkqnZTd5KzeDbXxhiB6 jrvfFOlxA/6b6Le7ERcLrC4p0I13hUwp/fW3uSTr7andwwtw6+BQF+SoxCBm1YbmFZLf wbJFN1rod+v7SSCKhuyarXbFTcaKxK6Gc1K1zgjH+aEe9VMXN2cQUEfs2TNS5+IvG+9T S8I/2bkHXPZaHL00+GfR9aDanpjk2N2wRHmIPoGZ4FsbTTcppdNtm1PupdMFAhKNSeHz FIVw== X-Gm-Message-State: AOJu0YwmY4qmwlYQwhufcfNvbD9ulqLZslHE4LpViGwY6k6Wo1Xwq14g IdQaJYi3LhuJfnfkNYQWh1SHoJcUSRpbTJ9ltAoyXh/LtTRUGPdz+2xZtA== X-Google-Smtp-Source: AGHT+IFjGSfQoPwSv9Rbxa3cCOt2F8mWJDWTg/OtM6auBcTZexP/il//bBTDGWlyNa/l+txL+PwzUg== X-Received: by 2002:a05:600c:1d0f:b0:420:1125:dd79 with SMTP id 5b1f17b1804b1-4201125dfb4mr174539085e9.31.1716028379232; Sat, 18 May 2024 03:32:59 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-41fccbe8f74sm341808595e9.8.2024.05.18.03.32.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 May 2024 03:32:58 -0700 (PDT) Message-Id: <4b0a636d41a52513d57380589147a808840b4ad8.1716028367.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Sat, 18 May 2024 10:32:46 +0000 Subject: [PATCH v2 8/8] Revert "Add a helper function to compare file contents" Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: "brian m. carlson" , Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin Now that during a `git clone`, the hooks' contents are no longer compared to the templates' files', the caller for which the `do_files_match()` function was introduced is gone, and therefore this function can be retired, too. This reverts commit 584de0b4c23 (Add a helper function to compare file contents, 2024-03-30). Signed-off-by: Johannes Schindelin --- cache.h | 14 --------- copy.c | 58 -------------------------------------- t/helper/test-path-utils.c | 10 ------- t/t0060-path-utils.sh | 41 --------------------------- 4 files changed, 123 deletions(-) diff --git a/cache.h b/cache.h index 16b34799bfd..8c5fb1e1ba1 100644 --- a/cache.h +++ b/cache.h @@ -1785,20 +1785,6 @@ int copy_fd(int ifd, int ofd); int copy_file(const char *dst, const char *src, int mode); int copy_file_with_time(const char *dst, const char *src, int mode); -/* - * Compare the file mode and contents of two given files. - * - * If both files are actually symbolic links, the function returns 1 if the link - * targets are identical or 0 if they are not. - * - * If any of the two files cannot be accessed or in case of read failures, this - * function returns 0. - * - * If the file modes and contents are identical, the function returns 1, - * otherwise it returns 0. - */ -int do_files_match(const char *path1, const char *path2); - void write_or_die(int fd, const void *buf, size_t count); void fsync_or_die(int fd, const char *); int fsync_component(enum fsync_component component, int fd); diff --git a/copy.c b/copy.c index 8492f6fc831..4de6a110f09 100644 --- a/copy.c +++ b/copy.c @@ -65,61 +65,3 @@ int copy_file_with_time(const char *dst, const char *src, int mode) return copy_times(dst, src); return status; } - -static int do_symlinks_match(const char *path1, const char *path2) -{ - struct strbuf buf1 = STRBUF_INIT, buf2 = STRBUF_INIT; - int ret = 0; - - if (!strbuf_readlink(&buf1, path1, 0) && - !strbuf_readlink(&buf2, path2, 0)) - ret = !strcmp(buf1.buf, buf2.buf); - - strbuf_release(&buf1); - strbuf_release(&buf2); - return ret; -} - -int do_files_match(const char *path1, const char *path2) -{ - struct stat st1, st2; - int fd1 = -1, fd2 = -1, ret = 1; - char buf1[8192], buf2[8192]; - - if ((fd1 = open_nofollow(path1, O_RDONLY)) < 0 || - fstat(fd1, &st1) || !S_ISREG(st1.st_mode)) { - if (fd1 < 0 && errno == ELOOP) - /* maybe this is a symbolic link? */ - return do_symlinks_match(path1, path2); - ret = 0; - } else if ((fd2 = open_nofollow(path2, O_RDONLY)) < 0 || - fstat(fd2, &st2) || !S_ISREG(st2.st_mode)) { - ret = 0; - } - - if (ret) - /* to match, neither must be executable, or both */ - ret = !(st1.st_mode & 0111) == !(st2.st_mode & 0111); - - if (ret) - ret = st1.st_size == st2.st_size; - - while (ret) { - ssize_t len1 = read_in_full(fd1, buf1, sizeof(buf1)); - ssize_t len2 = read_in_full(fd2, buf2, sizeof(buf2)); - - if (len1 < 0 || len2 < 0 || len1 != len2) - ret = 0; /* read error or different file size */ - else if (!len1) /* len2 is also 0; hit EOF on both */ - break; /* ret is still true */ - else - ret = !memcmp(buf1, buf2, len1); - } - - if (fd1 >= 0) - close(fd1); - if (fd2 >= 0) - close(fd2); - - return ret; -} diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c index 0e0de218076..f69709d674f 100644 --- a/t/helper/test-path-utils.c +++ b/t/helper/test-path-utils.c @@ -495,16 +495,6 @@ int cmd__path_utils(int argc, const char **argv) return !!res; } - if (argc == 4 && !strcmp(argv[1], "do_files_match")) { - int ret = do_files_match(argv[2], argv[3]); - - if (ret) - printf("equal\n"); - else - printf("different\n"); - return !ret; - } - fprintf(stderr, "%s: unknown function name: %s\n", argv[0], argv[1] ? argv[1] : "(there was none)"); return 1; diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh index 73d0e1a7f10..68e29c904a6 100755 --- a/t/t0060-path-utils.sh +++ b/t/t0060-path-utils.sh @@ -560,45 +560,4 @@ test_expect_success !VALGRIND,RUNTIME_PREFIX,CAN_EXEC_IN_PWD '%(prefix)/ works' test_cmp expect actual ' -test_expect_success 'do_files_match()' ' - test_seq 0 10 >0-10.txt && - test_seq -1 10 >-1-10.txt && - test_seq 1 10 >1-10.txt && - test_seq 1 9 >1-9.txt && - test_seq 0 8 >0-8.txt && - - test-tool path-utils do_files_match 0-10.txt 0-10.txt >out && - - assert_fails() { - test_must_fail \ - test-tool path-utils do_files_match "$1" "$2" >out && - grep different out - } && - - assert_fails 0-8.txt 1-9.txt && - assert_fails -1-10.txt 0-10.txt && - assert_fails 1-10.txt 1-9.txt && - assert_fails 1-10.txt .git && - assert_fails does-not-exist 1-10.txt && - - if test_have_prereq FILEMODE - then - cp 0-10.txt 0-10.x && - chmod a+x 0-10.x && - assert_fails 0-10.txt 0-10.x - fi && - - if test_have_prereq SYMLINKS - then - ln -sf 0-10.txt symlink && - ln -s 0-10.txt another-symlink && - ln -s over-the-ocean yet-another-symlink && - ln -s "$PWD/0-10.txt" absolute-symlink && - assert_fails 0-10.txt symlink && - test-tool path-utils do_files_match symlink another-symlink && - assert_fails symlink yet-another-symlink && - assert_fails symlink absolute-symlink - fi -' - test_done