From patchwork Fri May 17 23:15:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667418 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06A9F266A7 for ; Fri, 17 May 2024 23:16:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987763; cv=none; b=HZBnfNCMZZ67eFLKnUtwQJq5842lL2m5py0AUKvBWQbu9QtErbY8lrndyP8ZlanbIInlN5lnLNxhwzw/R+7YfW3xTmuvcNEmGCcLdScXdGC2R2fHbl5y/KC350n+uTIah83AG6qEswJWz0xwwM5GthRW6mSg0VAI/j6iocuBe+A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987763; c=relaxed/simple; bh=eomBttJUDugeAh4/E/RHJ5Kl046QR71tdtyo18mV/ck=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=or2JDC1aWz/LgFVpbyw90KK53zCMP9JPL5L+/GWDb8Eme9EEG2KUPzwsqNa1rSCUWybBdFHb98AGbRsoFEz/RQEKaLPbznYbepWKel6pr0mKudm++O+R+RBY/P1nxf/hwkgj6uCzpYJq2oO33GAqiufIYCOzmHJRSa/ZaQ1fZR8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=FvGpuLXe; arc=none smtp.client-ip=209.85.221.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="FvGpuLXe" Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-34da04e44a2so551605f8f.1 for ; Fri, 17 May 2024 16:16:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987760; x=1716592560; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=Pa4ywTRMbTP0sOgRCz5rqk9gwHUD4hcDu9QhBPTQQ6M=; b=FvGpuLXeRLmYLbjbwTWl1thmCAuEPKk3XEGNwwkXJoloz3CcTyyNE7b1mXyltF0pmn GYn7tmYyP5tkKRCf0QMpXovulDD458iOWAQ4qGN9ET+/HBxCI6/zWgMPM4jdFC7RLgX8 QwLn69VNG9K/SrCGtZnFPaGdurvA0xHBrHfvY9g7ZQFnyQ3v9BMdZvn2TAtYtL4tLozH CMHaG7H4Gz3roV+g6HPtOem+VxPC823c4wEHY5ukj3kK3MEu8oHrOPIsIPyyx3IPGoHW Iyxx8KAvTwAaBFRsCSicuUQd+Jd5XSs5JEKw9S5QkI14otnIAtCjNvPiC4aaCpMk/2+g PCPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987760; x=1716592560; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Pa4ywTRMbTP0sOgRCz5rqk9gwHUD4hcDu9QhBPTQQ6M=; b=EkaVYKSnj/wIAnSjblfB/5yWIdYsjyT/Sv2FvT+E5A7Ohz6eTv8P3GuAtKmELwSAKV lf3S7fDZfXG0xhFcYmHhXuWYm5FI8PityT/NYFdaKhD4lxJlj8fj9nsT91bjE/vFUm0V jks/ckmvv/RBET6o6cfJL1tXpE3jJImTJS7UtDruWWXDr+xPYU7apnBCwul6TPZedCI7 IPBDlu23X+V1aBxeFJwYR0LqOJuuwdSVrXrKR80BecFt06lg70WBSpeXi9UeWmRVLOtA Ccbu73zqJoC2696ZXlcZOqXHZ6VdEdZHq9tAJk026dnXWa4l6gqzzoBmud1/JTd1gvy9 KaeQ== X-Gm-Message-State: AOJu0YwFC0bk6CFt7Dvpis26WwZynLCjmArUOCjxFVCQQxWYqk162qGT W+jnLMe3e6wkEtjIsVJlv60tZF8ztBabcZw6/pUde1C74g58whzaWPq1VA== X-Google-Smtp-Source: AGHT+IEFxIDjmH59e/Q62RqP42Em7ovvYCTbH+WcBN2MPslnYBowYiKVuZQlkkdbLqoI/WRzcivn/w== X-Received: by 2002:adf:e68e:0:b0:34d:b40e:79cd with SMTP id ffacd0b85a97d-3504a739593mr15999650f8f.42.1715987759658; Fri, 17 May 2024 16:15:59 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502b79bc8esm22521637f8f.15.2024.05.17.16.15.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:15:58 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Fri, 17 May 2024 23:15:49 +0000 Subject: [PATCH 1/8] hook: plug a new memory leak Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin In 8db1e8743c0 (clone: prevent hooks from running during a clone, 2024-03-28), I introduced an inadvertent memory leak that was unfortunately not caught before v2.45.1 was released. Here is a fix. Signed-off-by: Johannes Schindelin --- hook.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hook.c b/hook.c index 632b537b993..fc974cee1d8 100644 --- a/hook.c +++ b/hook.c @@ -18,8 +18,10 @@ static int identical_to_template_hook(const char *name, const char *path) found_template_hook = access(template_path.buf, X_OK) >= 0; } #endif - if (!found_template_hook) + if (!found_template_hook) { + strbuf_release(&template_path); return 0; + } ret = do_files_match(template_path.buf, path); From patchwork Fri May 17 23:15:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667419 Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DD412A1D2 for ; Fri, 17 May 2024 23:16:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987764; cv=none; b=CO5Op1GpmR5vQH7Ws2g/A/sF6+PYysmmL/V2yQVfFMhEvcGVG5pP6pPauYHhqw9CXncVhmjztli85UFwf4j1+UrxLxF2J7nOEvzamSIhLC+8c9CxebgbxTOxvWJM6cr/PBkmZ6HARRUWUzIM+9zzHk0go0yGdQNnHw4R4DGTGgY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987764; c=relaxed/simple; bh=g3mcr9oNJA2YWVKdqdh6JD9CfQ682VkR8dwEEitGi70=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=bZCjRT78JfGI95aKfnC2NJcJSKjSEtrl66ikatvSDDOGGrJQQEfNuke1oOjYgFS4BVxDsRkDB4qiEAJuvCVj9NZse1/mjSkUecEN5yhXlAWzD/2a7c6ERyaCJFsEmD64KRI/uS3ZqGHt70cvD26DUcsplnZXkvOejYlOnWyiLQA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=IkrtW+0/; arc=none smtp.client-ip=209.85.221.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IkrtW+0/" Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-354b722fe81so434974f8f.3 for ; Fri, 17 May 2024 16:16:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987760; x=1716592560; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=p3TcY6SNGMN9D4Tqo4JhzJB1VLG5CDwDx+Tm37TVHyE=; b=IkrtW+0/F8PWJe/OfeNOoJGDKKJ+DDQP9wJRVbrn19mpEqMo33zumNqf3NXRvIZSA/ btImjwiQ+dy/ZSJNPuRWQLRGk+4x+wIpYEINPZdUMAC0UdNJrUBjbAmmVeWdbLUsfU3C xttg9b9GYOyacaWRiqcu8/Y0z5O1YVMC8hT8NvzfyuEgvcWj2hTaPmokfnTECYodHiIf YU6L3x4zsogFEQlRGXnk3/q9u9SL80dDrZXNuu/9Tr06Mudi/VQWP9AF/M01KTAJykK1 4nGiN7vYXWYXwP5gbzSOidjzJgNBGhLPJTrVYXftKLl6eMQzFnljiHSHBB8q6EuMDyno B79A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987760; x=1716592560; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p3TcY6SNGMN9D4Tqo4JhzJB1VLG5CDwDx+Tm37TVHyE=; b=Hf3r9nRTeGmtz5G3Nb3AgTqSY+Pd3Bk2rzmxdvjPkB4hP9ojT6nLyWwS24SOIYc51e pnB1VTYooM3ejSPTGow8HRaStPGjzaYZEp4MNF/I4YIgxcsPNe15VlAiWIPA/uby4Lu2 SyzQFZAxYxRM5pOfqYaFrP5vAaC78+PnPV+ONIPnE7VBTCeJs+Uzd/OYUcvGXcwi8fZn zFqNO4aQwdkJfplrEk97qFwSZGyrG9RlDeAvMLXiThFJbndGATHMOFfDbEX2QmK+6nhW j5lLXSCm/cqRWTATV5qMONm60VJHKpSboFcWRvbVrM28WMXN2mzlHNpL2yxrpLYti2F2 XUKA== X-Gm-Message-State: AOJu0YwieQjLKFWHXsEotrqDYH/q1WoIDo3tzSk2s0lnYDx4X+ivjaT8 xsXXPl5sDRY01qadiamxLyv60Q+dIHtoByOgSWrfffR1NKQO6wlAXJxbAA== X-Google-Smtp-Source: AGHT+IFq2ppLGqWlaRGCSWdtKLFfOH2jA0LvCmTk2e1lwLyTU1BaL98LKLP7gwe9iv4K4tuvDg/Rqg== X-Received: by 2002:a05:6000:1010:b0:351:d383:631e with SMTP id ffacd0b85a97d-351d3836377mr5139480f8f.24.1715987760417; Fri, 17 May 2024 16:16:00 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502baad058sm22522615f8f.66.2024.05.17.16.15.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:00 -0700 (PDT) Message-Id: <961dfc35f426388d660cca4e92f43e169819886a.1715987756.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Fri, 17 May 2024 23:15:50 +0000 Subject: [PATCH 2/8] init: use the correct path of the templates directory again Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin In df93e407f06 (init: refactor the template directory discovery into its own function, 2024-03-29), I refactored the way the templates directory is discovered. The refactoring was faithful, but missed a reference in the `Makefile` where the `DEFAULT_GIT_TEMPLATE_DIR` constant is defined. As a consequence, Git v2.45.1 and friends will always use the hard-coded path `/usr/share/git-core/templates`. Let's fix that by defining the `DEFAULT_GIT_TEMPLATE_DIR` when building `setup.o`, where that constant is actually used. Signed-off-by: Johannes Schindelin --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 093829ae283..4b1502ba2c6 100644 --- a/Makefile +++ b/Makefile @@ -2751,7 +2751,7 @@ exec-cmd.sp exec-cmd.s exec-cmd.o: EXTRA_CPPFLAGS = \ '-DFALLBACK_RUNTIME_PREFIX="$(prefix_SQ)"' builtin/init-db.sp builtin/init-db.s builtin/init-db.o: GIT-PREFIX -builtin/init-db.sp builtin/init-db.s builtin/init-db.o: EXTRA_CPPFLAGS = \ +setup.sp setup.s setup.o: EXTRA_CPPFLAGS = \ -DDEFAULT_GIT_TEMPLATE_DIR='"$(template_dir_SQ)"' config.sp config.s config.o: GIT-PREFIX From patchwork Fri May 17 23:15:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667420 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 437D01411C6 for ; Fri, 17 May 2024 23:16:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987764; cv=none; b=ExAIVweGd2nO9UJmynGqAS65100ARuZQXMXrE8RJA/dCanuVv+JHbz71oUFEXgH4MslcI27IqZkR44Kbd08sf7RTXjr+CPvrQEcvAg0cOHjNE7jihUTLLyDQDafIlqAOCRuZBunoO3oDuQZ0VAdCxawdfat/5StA4cDro0J5his= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987764; c=relaxed/simple; bh=NACUjCKOyFbBT9Jcvg+gdcvRvWOxx7KfWVnfiD/FlN4=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=XMiUcHkyukU1dylgKPhZvURtm/6jGJLGIwpLDAnYIJESzypR8c7gmfv55oihj5i1vKn8oBrgrQQt7Qd+MgEFUBXj5QharPIy7Qkm5gUkmCfSnR2WfbpBx98yWUi0D1JL9MVoSc1uIm0yg0Coq8TxnU/5axkYhGp7uX2KGlaTosc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=WHPaRNkW; arc=none smtp.client-ip=209.85.221.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WHPaRNkW" Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-34db6a299b8so510703f8f.3 for ; Fri, 17 May 2024 16:16:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987761; x=1716592561; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=i6d3NikhGkK867apaAyTM/p8Uvw8q8n1MJ0T9cVpYng=; b=WHPaRNkW9RXW+twLGJg/sgUhks9ocQ2oZQ+0g5YvNrDXmlfkBwk1wUGOkUIVZXca1F E+00oUPfZJXV2POc6FFH5jowe06uqwq+BJ3sK3y+o9P+O6DmZXgd8VPfSdrApAc53BRK 4wBqHHh0IHSmHv5fpfbIa3LoG6jmPoHQKK506E1FAanpHhcSpQkM84MELvHcZgCYKfDt HhikwPq6liBelK/fapvzpExd3ddJtMPeSB6B1qwWefoOpdvwXaqKICRSA+UXxvifGsSa CwzJqJ+7H+TNY0x/y2+PaInzJyBOO3go+VUkgp5mRUbKUobrGZiMinb5xpYhRaGRQ5sb uKhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987761; x=1716592561; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=i6d3NikhGkK867apaAyTM/p8Uvw8q8n1MJ0T9cVpYng=; b=g8Va3EeOSdWzyTCZzs/QaiOrw8UR5+zyPf+IwmkD/oRSs8qPI8GLp3pYfgVyFY9GxY D/ZydlczxAcr5J3MwoCEVF3/39BpGers+OpUGZ/gzjFoRKUBmTcOxS5faSEqrSswcIRN LEcVzJkSm6W9GYQCcPkmNEkAWwaoOTygtSQQ8/GdvKx8Zz/LGRE5n3ZAzw8HShr2uZZT joKkxDvZkoLql0nR7JrfxklIIx3ZC6/BGYtO5OW7aDpVacOHH5Sk+zhauo81YlVKBY3T Hs9HcHwFGVNQDFHxOpSGQj4qUsb+zMzYIBTf9tix5muB8a7xCkcWOLf4Y0/O9EzeHXhI DO4w== X-Gm-Message-State: AOJu0YzFxJil95NHb7BOO2aOBH/q8z1uM78F2IWR40y96cP95Iu6Aywy WGfhuTyx4/YnJZdAgKueKWCt4/1XglwdIL5cQZALU1JyORKSJsJat7Vg8w== X-Google-Smtp-Source: AGHT+IGeRCm13beF3yUS8rBe7/WpVutucYrcAoRsP2dbaHLt+wauo8KEVwbWWq7PyBYqVU24GcdXbg== X-Received: by 2002:a05:6000:12d0:b0:34d:b5b7:6189 with SMTP id ffacd0b85a97d-3504a96ce11mr15165040f8f.58.1715987761379; Fri, 17 May 2024 16:16:01 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502baacef2sm22758391f8f.85.2024.05.17.16.16.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:00 -0700 (PDT) Message-Id: <57db89a14977bdff01f8f82cb4d6f85cc49d4b55.1715987756.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Fri, 17 May 2024 23:15:51 +0000 Subject: [PATCH 3/8] Revert "core.hooksPath: add some protection while cloning" Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin This defense-in-depth was intended to protect the clone operation against future escalations where bugs in `git clone` would allow attackers to write arbitrary files in the `.git/` directory would allow for Remote Code Execution attacks via maliciously-placed hooks. However, it turns out that the `core.hooksPath` protection has unintentional side effects so severe that they do not justify the benefit of the protections. For example, it has been reported in https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/ that the following invocation, which is intended to make `git clone` safer, is itself broken by that protective measure: git clone --config core.hooksPath=/dev/null Since it turns out that the benefit does not justify the cost, let's revert 20f3588efc6 (core.hooksPath: add some protection while cloning, 2024-03-30). Signed-off-by: Johannes Schindelin --- config.c | 13 +------------ t/t1800-hook.sh | 15 --------------- 2 files changed, 1 insertion(+), 27 deletions(-) diff --git a/config.c b/config.c index 85b37f2ee09..8c1c4071f0d 100644 --- a/config.c +++ b/config.c @@ -1525,19 +1525,8 @@ static int git_default_core_config(const char *var, const char *value, void *cb) if (!strcmp(var, "core.attributesfile")) return git_config_pathname(&git_attributes_file, var, value); - if (!strcmp(var, "core.hookspath")) { - if (current_config_scope() == CONFIG_SCOPE_LOCAL && - git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0)) - die(_("active `core.hooksPath` found in the local " - "repository config:\n\t%s\nFor security " - "reasons, this is disallowed by default.\nIf " - "this is intentional and the hook should " - "actually be run, please\nrun the command " - "again with " - "`GIT_CLONE_PROTECTION_ACTIVE=false`"), - value); + if (!strcmp(var, "core.hookspath")) return git_config_pathname(&git_hooks_path, var, value); - } if (!strcmp(var, "core.bare")) { is_bare_repository_cfg = git_config_bool(var, value); diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 7ee12e6f48a..2ef3579fa7c 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -177,19 +177,4 @@ test_expect_success 'git hook run a hook with a bad shebang' ' test_cmp expect actual ' -test_expect_success 'clone protections' ' - test_config core.hooksPath "$(pwd)/my-hooks" && - mkdir -p my-hooks && - write_script my-hooks/test-hook <<-\EOF && - echo Hook ran $1 - EOF - - git hook run test-hook 2>err && - grep "Hook ran" err && - test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ - git hook run test-hook 2>err && - grep "active .core.hooksPath" err && - ! grep "Hook ran" err -' - test_done From patchwork Fri May 17 23:15:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667421 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4908B14198A for ; Fri, 17 May 2024 23:16:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987765; cv=none; b=jVceO6gkBXAZNNi8eji2v2Y3w1oK20mcEy+Tf18ZaZ24y1JHGXp+KlNRDLseOUtgC1KIcUCHc3b/PMR/Fe5Hab7W5oWrrjnkkEZFcNw8Ec1sSd51cidvFBwEiEqzmKtL2oSjFZjukQODExIVThNiDnCwBHVNmAgf7mB8x3KNgZ0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987765; c=relaxed/simple; bh=nBY7fo6xdq85d2tV09GeFwAg/gEU5cYmDJWqhMOaHhA=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=BGq8WCRfSmLUsRy6t83W0nYCNlbbjAndcpxMndlWNbSHYOuOUX3Y4qtx5SZ00NoMY2zemNeoez+memZwzNv1H5JGstyC+UIDCgBxAR4uWCAADivAPSEW3fD9v9oKk6202+tlIw9GtexDZmAbVZnfO0y0NITkF8Hdk7o2e+Jc/+w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Zmm+sSbm; arc=none smtp.client-ip=209.85.128.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Zmm+sSbm" Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-4202c0d316cso3462835e9.1 for ; Fri, 17 May 2024 16:16:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987762; x=1716592562; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=0w/5eLRUAQNj9Fjdip1J3pbt9hbch3qiKFHcJA5wueM=; b=Zmm+sSbmrFDhQY1+eA7ITOj3qQ5M9MvqTknRsSFuka2mesOAuQd9h/sXf/UOkPefMd qCDKeN8rSkr6QlhuMoK0e78oPwMD5O0MfB8THZho2CmW96vGf42B+WXwlWWqf4/HYd06 YNYiE7r8St+Aoi4luUAGR2KxcPVYITA2Qe52XygdQaOC4mvBLXGrQMZw8VxcBhKSuamC sF+3wYG52zviNSrACsg1o/+qj6CP2uCUe8S8nOAsNuhfiKLNIiatD+aOlOxcNk04Arf+ 7zaYmo8KVxpS0ys0r4qZmMt9wRKsNJTnlghR3c4Mt+efEN+FPgIBZvBFOmXqoTHK2RyJ d6Mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987762; x=1716592562; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0w/5eLRUAQNj9Fjdip1J3pbt9hbch3qiKFHcJA5wueM=; b=GtS9y3x4+zqfr35YyWMKj9wUTxMpRxY5HkjbTAW8KOYddfxfP09WM6jvEDFF1sApMV RC9KuyTxRVEAAdwtaZquwyyR/1VjWL1aLRWpZhb9JrGBoGONeTxSQBkG8+Ia4yzf4RiW caKRbq4BRhsVxaADV4/uZYLvYTP8YmvOnY91QQyB9PcpRZUF4I9rw/kSdNXgAd7F4Q4I 9W9T/Zgku/bVddDi/vWGHMWQcQdg0XzpZ7o04Fp9vFs1QCJEWq/0SpLEWPP+uvZ342cG zIZfT/YT9Ucy91vxqxD3TX1C+MkPQ3AdAdn3xAgSv2UwmeMDGbJBIyx4JGtqlO2ZeaRM gn8w== X-Gm-Message-State: AOJu0YwLxEmmvXwrG/0ymmi3s56hO1wXdaIjuftcO/SxB308+onw+VLC gOEUtSIaODR5J68eXh0KEW2nZ1XO+ZBHOiwakUW41zdUcLnjyFKRKU9ROw== X-Google-Smtp-Source: AGHT+IHCMZT8QmGYpKZp0Np2Voig2+PURwuDAsWPuJwXZxnjc7eeIv8Z39ZwsTBUJkaAgdj3iviV0w== X-Received: by 2002:a5d:620e:0:b0:34e:3d3a:e144 with SMTP id ffacd0b85a97d-354b8de79dfmr331350f8f.2.1715987762378; Fri, 17 May 2024 16:16:02 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3502b8969f0sm22726698f8f.28.2024.05.17.16.16.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:02 -0700 (PDT) Message-Id: <7d5ef6db2a9c3c7a1b0ba78873d4202403768769.1715987756.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Fri, 17 May 2024 23:15:52 +0000 Subject: [PATCH 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin As part of the protections added in Git v2.45.1 and friends, repository-local `core.hooksPath` settings are no longer allowed, as a defense-in-depth mechanism to prevent future Git vulnerabilities to raise to critical level if those vulnerabilities inadvertently allow the repository-local config to be written. What the added protection did not anticipate is that such a repository-local `core.hooksPath` can not only be used to point to maliciously-placed scripts in the current worktree, but also to _prevent_ hooks from being called altogether. We just reverted the `core.hooksPath` protections, based on the Git maintainer's recommendation in https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this concern as well as related ones. Let's make sure that we won't regress while trying to protect the clone operation further. Reported-by: Brooke Kuhlmann Signed-off-by: Johannes Schindelin --- t/t1350-config-hooks-path.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh index f6dc83e2aab..1eae346a6e3 100755 --- a/t/t1350-config-hooks-path.sh +++ b/t/t1350-config-hooks-path.sh @@ -41,4 +41,8 @@ test_expect_success 'git rev-parse --git-path hooks' ' test .git/custom-hooks/abc = "$(cat actual)" ' +test_expect_success 'core.hooksPath=/dev/null' ' + git clone -c core.hooksPath=/dev/null . no-templates +' + test_done From patchwork Fri May 17 23:15:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667422 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75FD51420B3 for ; Fri, 17 May 2024 23:16:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987767; cv=none; b=FD1xv/8GmcV5adCwLuig96r9k3oi9bVdEt7Ij87sCnXY/D9HmBW9jgLmoDE7i0oi0ymDr9eibobA5C2AURYT5pTkEUkC/b0nixvwOtMo2jqnYB5+6BjlpHWyn34H1OUBelx6rE5v0hTnanXvYk21kQKPkSx+NUFalWv74SDSODE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987767; c=relaxed/simple; bh=0xV52jjmT0eUFdfARNbKgVgZmDGiXMy05FdhFMXRJSc=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=i31g8uDA/0TbvhludzGjWmQTBK4DqF/WDz+gmEBYdMdgWY3SEU7JlHk/qp9AvY2cgKeQx5qyFr0r7se2jBGAh3SvwZT976hmZt7mj6jcVXkSSLqsoCbv3KW1GqrQywJLII21sjIZVGr0/KLhrI8z0uZ+QJVd3TDywElWrVUwFm4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=f0SiGMt+; arc=none smtp.client-ip=209.85.128.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="f0SiGMt+" Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4202dd90dcfso6427055e9.0 for ; Fri, 17 May 2024 16:16:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987763; x=1716592563; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=iLuolBlw/BCa8SAwGbeiIe56GkqWWJFI/oG0XotUlPk=; b=f0SiGMt+E0Xiq8wI1w1f42XmyWQxSd2CObsQEgCmYgFNQzfmYv4fp2qmNTZ/W+qFh5 v7BtJ26n/ChSj6XhIYrj4LK+kjkL7sLuqdmOetbKDr/CjmcqbdJp3RbVC4Yt3ZIzrC3c Nlhs8G8GFi1Ko16qWED6jW+o/I8sBSqp146PyxzDMDhTFHvANsX3ZY7aH2rkVw9Jdy8b naAQFtB5HLg+wX9iLt2N1V0vGde/w7zrpi8ueCRfw1IRdjiLhOapCCH8iNt1qqrXNwGx pEdiadxh/3ObiL1a50ZeQ0g1D2ByVj6X/vuImKbsapigKFkgcVwANgMwCAse2KhOodFY ZKXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987763; x=1716592563; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iLuolBlw/BCa8SAwGbeiIe56GkqWWJFI/oG0XotUlPk=; b=dMarSQv8bBS9I7aT5PNAqwmCgg/3+2pXE1akKY6+krpx6Zah+s6uitgf2yHJt+ST+U mui1Xp8f9oamPMmPLuiBdRIPT78OLBpLb4WG0SDChZevS6sQWpGGmD/VIl2fafOM+Jyr KUlrwd3ZnKYAeguUkD3nwECW5Vt1znvto2iSibSG4HLmM9l7UloA/w8f40P/fOlUk9B7 3+/HjZi49XUs5AN13Ml8pzssfDWEjiFuPwUoBasV8+PKjuXCcR9osQMFtBxeC0YsYFtT 3LNxJs0QrW1+m8UbfGk+HghC2V14HkhueGCk2RHVTHW0c0oALA/V0REl+oZra9n8Gn7r ErwA== X-Gm-Message-State: AOJu0YxDKxGpfx2au4rzv/LgXAc/jg3sVFWzKE2XQnmUB0Jl0SxTebtU pAOsxLxxodJaTrvlmT/hNb8dJSua2oFtdgFc4wl/JUOG+FbZg9+G9d+KoA== X-Google-Smtp-Source: AGHT+IHR/Ta3WwsuA1/z1A0kP1Oj+iR7LUpuO8FsvsRoC4AUL2PEEmkuQXjnHDSF6G/ECwZEnU4aPg== X-Received: by 2002:a05:600c:1e13:b0:420:2986:ccee with SMTP id 5b1f17b1804b1-4202986d070mr54799705e9.30.1715987763256; Fri, 17 May 2024 16:16:03 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-41fccbe8fa6sm321993255e9.2.2024.05.17.16.16.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:02 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Fri, 17 May 2024 23:15:53 +0000 Subject: [PATCH 5/8] hook(clone protections): add escape hatch Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin As defense-in-depth measures, v2.39.4 and friends leading up to v2.45.1 introduced code that detects when hooks have been installed during a `git clone`, which is indicative of a common attack vector with critical severity that allows Remote Code Execution. There are legitimate use cases for such behavior, though, for example when those hooks stem from Git's own templates, which system administrators are at liberty to modify to enforce, say, commit message conventions. The git clone protections specifically add exceptions to allow for that. Another legitimate use case that has been identified too late to be handled in these security bug-fix versions is Git LFS: It behaves somewhat similar to common attack vectors by writing a few hooks while running the `smudge` filter during a regular clone, which means that Git has no chance to know that the hooks are benign and e.g. the `post-checkout` hook can be safely executed as part of the clone operation. To help Git LFS, and other tools behaving similarly (if there are any), let's add a new, multi-valued `safe.hook.sha256` config setting. Like the already-existing `safe.*` settings, it is ignored in repository-local configs, and it is interpreted as a list of SHA-256 checksums of hooks' contents that are safe to execute during a clone operation. Future Git LFS versions will need to write those entries at the same time they install the `smudge`/`clean` filters. Signed-off-by: Johannes Schindelin --- Documentation/config/safe.txt | 6 ++++ hook.c | 66 ++++++++++++++++++++++++++++++++--- t/t1800-hook.sh | 15 ++++++++ 3 files changed, 82 insertions(+), 5 deletions(-) diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index bde7f31459b..69ee845be89 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -59,3 +59,9 @@ which id the original user has. If that is not what you would prefer and want git to only trust repositories that are owned by root instead, then you can remove the `SUDO_UID` variable from root's environment before invoking git. + +safe.hook.sha256:: + The value is the SHA-256 of hooks that are considered to be safe + to run during a clone operation. ++ +Multiple values can be added via `git config --global --add`. diff --git a/hook.c b/hook.c index fc974cee1d8..a2479738451 100644 --- a/hook.c +++ b/hook.c @@ -2,6 +2,7 @@ #include "hook.h" #include "run-command.h" #include "config.h" +#include "strmap.h" static int identical_to_template_hook(const char *name, const char *path) { @@ -29,11 +30,65 @@ static int identical_to_template_hook(const char *name, const char *path) return ret; } +static struct strset safe_hook_sha256s = STRSET_INIT; +static int safe_hook_sha256s_initialized; + +static int get_sha256_of_file_contents(const char *path, char *sha256) +{ + struct strbuf sb = STRBUF_INIT; + int fd; + ssize_t res; + + git_hash_ctx ctx; + const struct git_hash_algo *algo = &hash_algos[GIT_HASH_SHA256]; + unsigned char hash[GIT_MAX_RAWSZ]; + + if ((fd = open(path, O_RDONLY)) < 0) + return -1; + res = strbuf_read(&sb, fd, 400); + close(fd); + if (res < 0) + return -1; + + algo->init_fn(&ctx); + algo->update_fn(&ctx, sb.buf, sb.len); + strbuf_release(&sb); + algo->final_fn(hash, &ctx); + + hash_to_hex_algop_r(sha256, hash, algo); + + return 0; +} + +static int safe_hook_cb(const char *key, const char *value, void *d) +{ + struct strset *set = d; + + if (value && !strcmp(key, "safe.hook.sha256")) + strset_add(set, value); + + return 0; +} + +static int is_hook_safe_during_clone(const char *name, const char *path, char *sha256) +{ + if (get_sha256_of_file_contents(path, sha256) < 0) + return 0; + + if (!safe_hook_sha256s_initialized) { + safe_hook_sha256s_initialized = 1; + git_protected_config(safe_hook_cb, &safe_hook_sha256s); + } + + return strset_contains(&safe_hook_sha256s, sha256); +} + const char *find_hook(const char *name) { static struct strbuf path = STRBUF_INIT; int found_hook; + char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; strbuf_reset(&path); strbuf_git_path(&path, "hooks/%s", name); @@ -65,13 +120,14 @@ const char *find_hook(const char *name) return NULL; } if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && - !identical_to_template_hook(name, path.buf)) + !identical_to_template_hook(name, path.buf) && + !is_hook_safe_during_clone(name, path.buf, sha256)) die(_("active `%s` hook found during `git clone`:\n\t%s\n" "For security reasons, this is disallowed by default.\n" - "If this is intentional and the hook should actually " - "be run, please\nrun the command again with " - "`GIT_CLONE_PROTECTION_ACTIVE=false`"), - name, path.buf); + "If this is intentional and the hook is safe to run, " + "please run the following command and try again:\n\n" + " git config --global --add safe.hook.sha256 %s"), + name, path.buf, sha256); return path.buf; } diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 2ef3579fa7c..0f74c9154d0 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -177,4 +177,19 @@ test_expect_success 'git hook run a hook with a bad shebang' ' test_cmp expect actual ' +test_expect_success '`safe.hook.sha256` and clone protections' ' + git init safe-hook && + write_script safe-hook/.git/hooks/pre-push <<-\EOF && + echo "called hook" >safe-hook.log + EOF + + test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C safe-hook hook run pre-push 2>err && + cmd="$(grep "git config --global --add safe.hook.sha256 [0-9a-f]" err)" && + eval "$cmd" && + GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C safe-hook hook run pre-push && + test "called hook" = "$(cat safe-hook/safe-hook.log)" +' + test_done From patchwork Fri May 17 23:15:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667423 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94F361420CA for ; Fri, 17 May 2024 23:16:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987768; cv=none; b=MR0aebhcbkQb8U367nEkKbMj7gkTz2Yu6lEnzXFuwdO9gSxKO8nzMPLzgQ4no1SBriCFuIa6frfrsxbjckqETXboRPd/iPoiolADtis//XvHunbAHlIRmLFgELUBhM9DI1D01tNAC6KGV7pNnpPLfl91czRWRnnkIiIdnMlJMR0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987768; c=relaxed/simple; bh=n7MPB3Yvwj0N0Axbnfuy8N0vscrlDLsglxhBURZJPzM=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=gBsJXUc1H2rKgzwND6lGsA19KMW6mKmSPIduf7Bsr0KUPmfA+Ct8J77XKbHGxqsq4oipPLIE6eaaEVy/m+IXKPX9w6Y4JnNLP2qTdLi05aeaiYBv1739Shg3kJ64bLWYnI5PMBXIsR0gCEtNBYS/muJkI2pXXxzHvPnWa+CVDg0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=aTc62NSz; arc=none smtp.client-ip=209.85.221.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="aTc62NSz" Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-34db6a29a1eso577062f8f.1 for ; Fri, 17 May 2024 16:16:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987764; x=1716592564; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=koHUvA8eJNO5OQFX3tXjLOzxg5r3bjv9BMWXzC/1gqg=; b=aTc62NSz8Y9oSXm+oxuni6P9xtcZFMYk35ZL/gHGG7fGDL5XBAm0bOIJPZMjs0NBrx sbjzIXtqokCdDjLZ/oLPAGJaXCRdm/7iQx34zKLHz/VZEQHMLSEFtD7vxrYlRuJEvfJM 7e4gl51GBYF3QmHlQmWL5/bCvJMptrhaqRKLz+ReYOA6pbBqklLTpxgycJFj8H6KoKcI hhm07+h0cRWtmK4HhAuTpK8JQxIZ4IXbcw0jH8TsNTNR+MyYwldB+v7hdUBdoAWjpZlD /B7dn2JaVHDy518r577DjLDcXqi7jyfrwGERLc9RHr1PGeF8Z7Jv2HSEgNrmvPyOSfJU 8hpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987764; x=1716592564; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=koHUvA8eJNO5OQFX3tXjLOzxg5r3bjv9BMWXzC/1gqg=; b=cA4xdFk4MB35nhNU529RyQeA4UKUKoF11Wh7z9SZLobmslSHCrrEnqMo7l5lnbrPbu 3jbvtvmFelcMiLDJQXi20Y6+RlFr+cKAQXwVMT9WVZlFQKAMKA8NDXr09wRO7a30qqSi Tg0lVxAYMKr25zh1hfW1WSWwNhhKkLb1oc5ly/hKfpVtZ3LgSVc4Crw+txQBgTP4ME43 aLnXqim3r5iUJkrB2mCmemad8Jd/GQYHJCENztAOe0P55hRbar0dkondA4bsWFPFgNJk UHwSDyz4Zo1tKh/+wfB1EjHvr83HI1NV6jVZrfFNGz3Edw4+WMJJJy1T0NvIPE62m1FA 9bww== X-Gm-Message-State: AOJu0YwdHdIJiSjAqigj/lbi47dYBfDOQnIQnX+EEexexHTDhCK/i8qS /s2AjvsGJBUSYzC+cbENXfm12xaigZ4vxvEvJ4Ys4uJKUOmCQZZkPxosaA== X-Google-Smtp-Source: AGHT+IE49PN48HaFXNHfwndYFr7XHAN6Idznbh/xFfJamMOufRUAySPOmS7Ubt3uSdRWISUmWtGLsw== X-Received: by 2002:adf:ec4d:0:b0:34e:ad5c:cccd with SMTP id ffacd0b85a97d-3504a73bd75mr13948118f8f.31.1715987764195; Fri, 17 May 2024 16:16:04 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-41f87b2648fsm356086765e9.7.2024.05.17.16.16.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:03 -0700 (PDT) Message-Id: <98465797e72cf039ace4138ab1e03e4fc7465ea2.1715987756.git.gitgitgadget@gmail.com> In-Reply-To: References: Date: Fri, 17 May 2024 23:15:54 +0000 Subject: [PATCH 6/8] hooks(clone protections): special-case current Git LFS hooks Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin A notable regression in v2.45.1 and friends (all the way down to v2.39.4) has been that Git LFS-enabled clones error out with a message indicating that the `post-checkout` hook has been tampered with while cloning, and as a safety measure it is not executed. A generic fix for benign third-party applications wishing to write hooks during clone operations has been implemented in the parent of this commit: said applications are expected to add `safe.hook.sha256` values to a protected config. However, the current version of Git LFS, v3.5.1, cannot be adapted retroactively; Therefore, let's just hard-code the SHA-256 values for this version. That way, Git LFS usage will no longer be broken, and the next Git LFS version can be taught to add those `safe.hook.sha256` entries. Signed-off-by: Johannes Schindelin --- hook.c | 11 +++++++++++ t/t1800-hook.sh | 20 ++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/hook.c b/hook.c index a2479738451..f810ee133be 100644 --- a/hook.c +++ b/hook.c @@ -75,6 +75,17 @@ static int is_hook_safe_during_clone(const char *name, const char *path, char *s if (get_sha256_of_file_contents(path, sha256) < 0) return 0; + /* Hard-code known-safe values for Git LFS v3.4.0..v3.5.1 */ + if ((!strcmp("pre-push", name) && + !strcmp(sha256, "df5417b2daa3aa144c19681d1e997df7ebfe144fb7e3e05138bd80ae998008e4")) || + (!strcmp("post-checkout", name) && + !strcmp(sha256, "791471b4ff472aab844a4fceaa48bbb0a12193616f971e8e940625498b4938a6")) || + (!strcmp("post-commit", name) && + !strcmp(sha256, "21e961572bb3f43a5f2fbafc1cc764d86046cc2e5f0bbecebfe9684a0b73b664")) || + (!strcmp("post-merge", name) && + !strcmp(sha256, "75da0da66a803b4b030ad50801ba57062c6196105eb1d2251590d100edb9390b"))) + return 1; + if (!safe_hook_sha256s_initialized) { safe_hook_sha256s_initialized = 1; git_protected_config(safe_hook_cb, &safe_hook_sha256s); diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh index 0f74c9154d0..af66999aff3 100755 --- a/t/t1800-hook.sh +++ b/t/t1800-hook.sh @@ -192,4 +192,24 @@ test_expect_success '`safe.hook.sha256` and clone protections' ' test "called hook" = "$(cat safe-hook/safe-hook.log)" ' +write_lfs_pre_push_hook () { + write_script "$1" <<-\EOF + command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; } + git lfs pre-push "$@" + EOF +} + +test_expect_success 'Git LFS special-handling in clone protections' ' + git init lfs-hooks && + write_lfs_pre_push_hook lfs-hooks/.git/hooks/pre-push && + write_script git-lfs <<-\EOF && + echo "called $*" >fake-git-lfs.log + EOF + + PATH="$PWD:$PATH" GIT_CLONE_PROTECTION_ACTIVE=true \ + git -C lfs-hooks hook run pre-push && + test_write_lines "called pre-push" >expect && + test_cmp lfs-hooks/fake-git-lfs.log expect +' + test_done From patchwork Fri May 17 23:15:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667424 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A47B51420D5 for ; Fri, 17 May 2024 23:16:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987769; cv=none; b=HXXi+L3wN6s/tUQ5PTC0vFhT27UhzGOwq18lFJbPhA0nfVSPcnVaFXzLRtjupIRiOc88isCpsttmT+NDk+/EGxL4KZQE+j5nj0cNwbNQwbUZi+8fURwEsc7A9mYSdXOi2Op2tW3zw7jpJNjDi2ZwuZEKAn/TT1yZK1ah1Dz6Teg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987769; c=relaxed/simple; bh=O1Br9oR7h+jhiwHQPu0juGc/lcZpvYjZYSqJoi+1N/c=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=AAMyrHOB9AgJ9sLwIU7NCI293opnY3MwX/ZZo37LoglH4mFx4g0csIu+bfsXbdZLVoQQD0GWJfRlKzrGT7HXRik86ot4Rrk9TEKVYsZaWCSCTu+Xodnwn9jh09zRzcfqCe39a+RlGp5lBuihRDnjOnYM4yGCtdriBqSli1CNj7k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=moaBsUVX; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="moaBsUVX" Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-420180b59b7so6257725e9.0 for ; Fri, 17 May 2024 16:16:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987766; x=1716592566; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=QKRO3YSLQIyxL1D33IxyNk3w5n2d7qr70W2WFf2/LSI=; b=moaBsUVXNMR8vCDr4wHSmJCdEO/IG4a7UsjieHh1Tmm4CuTeHi0jriaT3nfm4dGTk+ 2B7MPDyqqRJa9Gyuig/PfDdZmHRqBSvmxxxY9194y3tHA9qqAQPBx4WxIrlVlIBB56eF qFjfJW7kcxT0JvhEkL4bfAIF0d7iX5BLWXOuUbNzKSOr94RHuoTC8xVpwLkw5ULMFhlZ r6LKjGMwAit4699sR/Q0EeAkNl2tBcIwe4UgzuomMgeoRLcmKJsZPzz8CQyVmcVLOvRg 7G4d6ux+RBMXZoVa2hwraI915ftF4x55onaK6/qGgfsBfPXHXbrh5Fj/CDbOhTnKLf9O VGFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987766; x=1716592566; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QKRO3YSLQIyxL1D33IxyNk3w5n2d7qr70W2WFf2/LSI=; b=qScm8ErNFd/7P+3T21dSSAdoomWHuPmNf3KAw6wHyfG6/2v8m0bisfb4UQ/qJcNBIP MgPTk61/QAUDSBucu96aUHhXXQWSCffvGNXj1Wc9K8ZRoIi60XsN1cIeUQB67APah5wL HBMCG69qQUf230aqEx9Jadxug5G1Tg7iXBMvhR2X9BJXn7M+4Lft2JXmwWugxOej2e2G TraUDel3P1Hd5BO647YCJP0zsgwh9v1RzwX/bAzxAsdTDsNsH3hQ/dXVNRQzJaz6uyb0 PAU1SKIP+Nf5hanv5q1S7CwAEs1+cL7dQFZvb99i3gIiRbaK2IABjW23q8N6/+XX3RAX F6Vg== X-Gm-Message-State: AOJu0YwNmZPiSb5AiEDvzyyfhdiQRTyMTTFAmc1wIDEyWfNVGdtxGYQe eV8+UooLWWrRVEfJEgqE6ID5tpAap7VTZsPNkW1I5tIQNxojI2I7VJC/LA== X-Google-Smtp-Source: AGHT+IEbuprB3ur4bBjBm//sCWxnCc9S6AGf7aQvvifhptoD9U5irm1XlzZZfktWVsZjZG9wFndqkA== X-Received: by 2002:a05:600c:3b86:b0:41a:a521:9699 with SMTP id 5b1f17b1804b1-41fea93a0edmr198014595e9.4.1715987765721; Fri, 17 May 2024 16:16:05 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-41f881110f9sm357432965e9.37.2024.05.17.16.16.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:04 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Fri, 17 May 2024 23:15:55 +0000 Subject: [PATCH 7/8] hooks(clone protections): simplify templates hooks validation Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin When an active hook is encountered during a clone operation, to protect against Remote Code Execution attack vectors, Git checks whether the hook was copied over from the templates directory. When that logic was introduced, there was no other way to check this than to add a function to compare files. In the meantime, we've added code to compute the SHA-256 checksum of a given hook and compare that checksum against a list of known-safe ones. Let's simplify the logic by adding to said list when copying the templates' hooks. We need to be careful to support multi-process operations such as recursive submodule clones: In such a scenario, the list of SHA-256 checksums that is kept in memory is not enough, we also have to pass the information down to child processes via `GIT_CONFIG_PARAMETERS`. Extend the regression test in t5601 to ensure that recursive clones are handled as expected. Note: Technically there is no way that the checksums computed while initializing the submodules' gitdirs can be passed to the process that performs the checkout: For historical reasons, these operations are performed in processes spawned in separate loops from the super-project's `git clone` process. But since the templates from which the submodules are initialized are the very same as the ones from which the super-project is initialized, we can get away with using the list of SHA-256 checksums that is computed when initializing the super-project and passing that down to the `submodule--helper` processes that perform the recursive checkout. Signed-off-by: Johannes Schindelin --- builtin/init-db.c | 7 +++++++ hook.c | 43 ++++++++++++++++--------------------------- hook.h | 10 ++++++++++ setup.c | 1 + t/t5601-clone.sh | 19 +++++++++++++++++++ 5 files changed, 53 insertions(+), 27 deletions(-) diff --git a/builtin/init-db.c b/builtin/init-db.c index a101e7f94c1..64357fdada4 100644 --- a/builtin/init-db.c +++ b/builtin/init-db.c @@ -10,6 +10,8 @@ #include "exec-cmd.h" #include "parse-options.h" #include "worktree.h" +#include "run-command.h" +#include "hook.h" #ifdef NO_TRUSTABLE_FILEMODE #define TEST_FILEMODE 0 @@ -28,6 +30,7 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, size_t path_baselen = path->len; size_t template_baselen = template_path->len; struct dirent *de; + int is_hooks_dir = ends_with(template_path->buf, "/hooks/"); /* Note: if ".git/hooks" file exists in the repository being * re-initialized, /etc/core-git/templates/hooks/update would @@ -80,6 +83,10 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path, strbuf_release(&lnk); } else if (S_ISREG(st_template.st_mode)) { + if (is_hooks_dir && + is_executable(template_path->buf)) + add_safe_hook(template_path->buf); + if (copy_file(path->buf, template_path->buf, st_template.st_mode)) die_errno(_("cannot copy '%s' to '%s'"), template_path->buf, path->buf); diff --git a/hook.c b/hook.c index f810ee133be..b69cc691bdf 100644 --- a/hook.c +++ b/hook.c @@ -4,32 +4,6 @@ #include "config.h" #include "strmap.h" -static int identical_to_template_hook(const char *name, const char *path) -{ - const char *env = getenv("GIT_CLONE_TEMPLATE_DIR"); - const char *template_dir = get_template_dir(env && *env ? env : NULL); - struct strbuf template_path = STRBUF_INIT; - int found_template_hook, ret; - - strbuf_addf(&template_path, "%s/hooks/%s", template_dir, name); - found_template_hook = access(template_path.buf, X_OK) >= 0; -#ifdef STRIP_EXTENSION - if (!found_template_hook) { - strbuf_addstr(&template_path, STRIP_EXTENSION); - found_template_hook = access(template_path.buf, X_OK) >= 0; - } -#endif - if (!found_template_hook) { - strbuf_release(&template_path); - return 0; - } - - ret = do_files_match(template_path.buf, path); - - strbuf_release(&template_path); - return ret; -} - static struct strset safe_hook_sha256s = STRSET_INIT; static int safe_hook_sha256s_initialized; @@ -60,6 +34,22 @@ static int get_sha256_of_file_contents(const char *path, char *sha256) return 0; } +void add_safe_hook(const char *path) +{ + char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' }; + + if (!get_sha256_of_file_contents(path, sha256)) { + char *p; + + strset_add(&safe_hook_sha256s, sha256); + + /* support multi-process operations e.g. recursive clones */ + p = xstrfmt("safe.hook.sha256=%s", sha256); + git_config_push_parameter(p); + free(p); + } +} + static int safe_hook_cb(const char *key, const char *value, void *d) { struct strset *set = d; @@ -131,7 +121,6 @@ const char *find_hook(const char *name) return NULL; } if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) && - !identical_to_template_hook(name, path.buf) && !is_hook_safe_during_clone(name, path.buf, sha256)) die(_("active `%s` hook found during `git clone`:\n\t%s\n" "For security reasons, this is disallowed by default.\n" diff --git a/hook.h b/hook.h index 4258b13da0d..e2034ee8b23 100644 --- a/hook.h +++ b/hook.h @@ -82,4 +82,14 @@ int run_hooks(const char *hook_name); * hook. This function behaves like the old run_hook_le() API. */ int run_hooks_l(const char *hook_name, ...); + +/** + * Mark the contents of the provided path as safe to run during a clone + * operation. + * + * This function is mainly used when copying templates to mark the + * just-copied hooks as benign. + */ +void add_safe_hook(const char *path); + #endif diff --git a/setup.c b/setup.c index c3301f5ab82..7f7538c9bf7 100644 --- a/setup.c +++ b/setup.c @@ -7,6 +7,7 @@ #include "promisor-remote.h" #include "quote.h" #include "exec-cmd.h" +#include "hook.h" static int inside_git_dir = -1; static int inside_work_tree = -1; diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 20deca0231b..71eaa3d1e14 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -819,6 +819,25 @@ test_expect_success 'clone with init.templatedir runs hooks' ' git config --unset init.templateDir && ! grep "active .* hook found" err && test_path_is_missing hook-run-local-config/hook.run + ) && + + test_config_global protocol.file.allow always && + git -C tmpl/hooks submodule add "$(pwd)/tmpl/hooks" sub && + test_tick && + git -C tmpl/hooks add .gitmodules sub && + git -C tmpl/hooks commit -m submodule && + + ( + sane_unset GIT_TEMPLATE_DIR && + NO_SET_GIT_TEMPLATE_DIR=t && + export NO_SET_GIT_TEMPLATE_DIR && + + git -c init.templateDir="$(pwd)/tmpl" \ + clone --recurse-submodules \ + tmpl/hooks hook-run-submodule 2>err && + ! grep "active .* hook found" err && + test_path_is_file hook-run-submodule/hook.run && + test_path_is_file hook-run-submodule/sub/hook.run ) ' From patchwork Fri May 17 23:15:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Schindelin X-Patchwork-Id: 13667425 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BD271422AC for ; Fri, 17 May 2024 23:16:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987770; cv=none; b=C4RM/4GMO8SLx+P+NeeSCM3816bRSMbd206/2H3/ZJl7r1okvGEJv6RwGtZt8ghT2nndYIqNk4xv482dmFaiP03GplYS+IGAT0McwpyXV4L+BstYUNXzkkyXSKnDeUwdeu+2W8jKsaQb5XZIR8q5rOiFM/ZQ+d9GB4lOEbLxero= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715987770; c=relaxed/simple; bh=ldVou3LjvRyszwlkSq0AhyfPkMxbgdNiKzyu2EBNRqU=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=rW7Ue42zUbxBItL/uKzcmcSszRw5iE82cUj254PkHIYsLUxFVx1TBRSWZvVuQ3fR2d2jhcBPwV37BIvaITdOD4HI5N3FU+jfnNDK4DkayT+2x3fXiYl2au5kshlOk0HnOmwHegg7RHD2YrWSBY/EEl0c3dF/81jO7WRrdQ30TmQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=aBzA1/XM; arc=none smtp.client-ip=209.85.221.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="aBzA1/XM" Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-351d79b56cdso504616f8f.1 for ; Fri, 17 May 2024 16:16:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715987767; x=1716592567; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=Zrr1+lMEsbdxBYmZl3ymH80XsSKj7Aucdz/ecD0EJAM=; b=aBzA1/XMtsHsC33i3bUuPH3h1tJNSebMrLPlch5jcT0l6OeEJ+ZpKGXOVvxO3oSei1 DAMoCeckmO6byxv2iAfu8+qAcEvNUq5jJ7M5FYeBeA/xQxcw6pGDNmQB43oxwxOAIBoe AjxCq9Qc2g2SA2gDGJSh/vD1xpRKWXYeUuER/EBnsUaARaHrhy7wkKsR3DnTkj8YmA4z AwUmk+rnDMS0ZtROfxRbndamDCGeCsyXKpM9xXFst5SELNevJaSJRoT0odJxmuHokJnh 6wW2QkOO5swC10a5ReZQP7tyR0X7Nv4bz3ut5MDod9pFd9hPVMod+HPyKW1+ewYtkin4 Robg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715987767; x=1716592567; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Zrr1+lMEsbdxBYmZl3ymH80XsSKj7Aucdz/ecD0EJAM=; b=o7D+DRSwn8xZ0ZDt8SltF7F4gl1X2pVHzcvzAJ4tSO3nAZbrZyfJOv+IHDWyh7Gibb oeRn7TVS3mxXTVzwEzleA0Nb8zhf1ypIFYr/INn07AltZN4MUAwQHoE0xwex/hN8xOqF nAZtgndps9uCQz2mgnJi+Rhx8nHZMJ9Pxxog4lbhEs3NtBinfv7/QwW7SxwkjsxivWw8 OZz0m5YKi3YIlLLMykiAbN4FElY/D6fdzsmS+C8fekvUkio/dP9ZncHiVTpWWICnmmle 6G/pQp8w6iwIdpE5QVxn8OdH2z9gahpeupJGfP2DkSlTHkFjyIzu7CQ1k5ymQs3BCF2W 06hA== X-Gm-Message-State: AOJu0Yyv+IFfxzfIvOXNrOefZ8nOLc7f6K4hEpmmtJ47aD6CqNtvtkFv fstEDwzMzqANcD2os9kTMbJjB7WrE9UoYW/PYl5BQQFXquPlvLnuG9hZ5g== X-Google-Smtp-Source: AGHT+IFKRq93BVVoAz7GQ2hWZCDWA2qMzW531e0GT5jVVvjpcJluBi4LUeicFFGx1GLThUEOo9hCZg== X-Received: by 2002:a5d:4fd0:0:b0:34c:9e0b:f24c with SMTP id ffacd0b85a97d-3504a7376acmr15174756f8f.37.1715987766741; Fri, 17 May 2024 16:16:06 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-351d2df8449sm6205395f8f.12.2024.05.17.16.16.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 May 2024 16:16:06 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Fri, 17 May 2024 23:15:56 +0000 Subject: [PATCH 8/8] Revert "Add a helper function to compare file contents" Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin , Johannes Schindelin From: Johannes Schindelin From: Johannes Schindelin Now that during a `git clone`, the hooks' contents are no longer compared to the templates' files', the caller for which the `do_files_match()` function was introduced is gone, and therefore this function can be retired, too. This reverts commit 584de0b4c23 (Add a helper function to compare file contents, 2024-03-30). Signed-off-by: Johannes Schindelin --- cache.h | 14 --------- copy.c | 58 -------------------------------------- t/helper/test-path-utils.c | 10 ------- t/t0060-path-utils.sh | 41 --------------------------- 4 files changed, 123 deletions(-) diff --git a/cache.h b/cache.h index 16b34799bfd..8c5fb1e1ba1 100644 --- a/cache.h +++ b/cache.h @@ -1785,20 +1785,6 @@ int copy_fd(int ifd, int ofd); int copy_file(const char *dst, const char *src, int mode); int copy_file_with_time(const char *dst, const char *src, int mode); -/* - * Compare the file mode and contents of two given files. - * - * If both files are actually symbolic links, the function returns 1 if the link - * targets are identical or 0 if they are not. - * - * If any of the two files cannot be accessed or in case of read failures, this - * function returns 0. - * - * If the file modes and contents are identical, the function returns 1, - * otherwise it returns 0. - */ -int do_files_match(const char *path1, const char *path2); - void write_or_die(int fd, const void *buf, size_t count); void fsync_or_die(int fd, const char *); int fsync_component(enum fsync_component component, int fd); diff --git a/copy.c b/copy.c index 8492f6fc831..4de6a110f09 100644 --- a/copy.c +++ b/copy.c @@ -65,61 +65,3 @@ int copy_file_with_time(const char *dst, const char *src, int mode) return copy_times(dst, src); return status; } - -static int do_symlinks_match(const char *path1, const char *path2) -{ - struct strbuf buf1 = STRBUF_INIT, buf2 = STRBUF_INIT; - int ret = 0; - - if (!strbuf_readlink(&buf1, path1, 0) && - !strbuf_readlink(&buf2, path2, 0)) - ret = !strcmp(buf1.buf, buf2.buf); - - strbuf_release(&buf1); - strbuf_release(&buf2); - return ret; -} - -int do_files_match(const char *path1, const char *path2) -{ - struct stat st1, st2; - int fd1 = -1, fd2 = -1, ret = 1; - char buf1[8192], buf2[8192]; - - if ((fd1 = open_nofollow(path1, O_RDONLY)) < 0 || - fstat(fd1, &st1) || !S_ISREG(st1.st_mode)) { - if (fd1 < 0 && errno == ELOOP) - /* maybe this is a symbolic link? */ - return do_symlinks_match(path1, path2); - ret = 0; - } else if ((fd2 = open_nofollow(path2, O_RDONLY)) < 0 || - fstat(fd2, &st2) || !S_ISREG(st2.st_mode)) { - ret = 0; - } - - if (ret) - /* to match, neither must be executable, or both */ - ret = !(st1.st_mode & 0111) == !(st2.st_mode & 0111); - - if (ret) - ret = st1.st_size == st2.st_size; - - while (ret) { - ssize_t len1 = read_in_full(fd1, buf1, sizeof(buf1)); - ssize_t len2 = read_in_full(fd2, buf2, sizeof(buf2)); - - if (len1 < 0 || len2 < 0 || len1 != len2) - ret = 0; /* read error or different file size */ - else if (!len1) /* len2 is also 0; hit EOF on both */ - break; /* ret is still true */ - else - ret = !memcmp(buf1, buf2, len1); - } - - if (fd1 >= 0) - close(fd1); - if (fd2 >= 0) - close(fd2); - - return ret; -} diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c index 0e0de218076..f69709d674f 100644 --- a/t/helper/test-path-utils.c +++ b/t/helper/test-path-utils.c @@ -495,16 +495,6 @@ int cmd__path_utils(int argc, const char **argv) return !!res; } - if (argc == 4 && !strcmp(argv[1], "do_files_match")) { - int ret = do_files_match(argv[2], argv[3]); - - if (ret) - printf("equal\n"); - else - printf("different\n"); - return !ret; - } - fprintf(stderr, "%s: unknown function name: %s\n", argv[0], argv[1] ? argv[1] : "(there was none)"); return 1; diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh index 73d0e1a7f10..68e29c904a6 100755 --- a/t/t0060-path-utils.sh +++ b/t/t0060-path-utils.sh @@ -560,45 +560,4 @@ test_expect_success !VALGRIND,RUNTIME_PREFIX,CAN_EXEC_IN_PWD '%(prefix)/ works' test_cmp expect actual ' -test_expect_success 'do_files_match()' ' - test_seq 0 10 >0-10.txt && - test_seq -1 10 >-1-10.txt && - test_seq 1 10 >1-10.txt && - test_seq 1 9 >1-9.txt && - test_seq 0 8 >0-8.txt && - - test-tool path-utils do_files_match 0-10.txt 0-10.txt >out && - - assert_fails() { - test_must_fail \ - test-tool path-utils do_files_match "$1" "$2" >out && - grep different out - } && - - assert_fails 0-8.txt 1-9.txt && - assert_fails -1-10.txt 0-10.txt && - assert_fails 1-10.txt 1-9.txt && - assert_fails 1-10.txt .git && - assert_fails does-not-exist 1-10.txt && - - if test_have_prereq FILEMODE - then - cp 0-10.txt 0-10.x && - chmod a+x 0-10.x && - assert_fails 0-10.txt 0-10.x - fi && - - if test_have_prereq SYMLINKS - then - ln -sf 0-10.txt symlink && - ln -s 0-10.txt another-symlink && - ln -s over-the-ocean yet-another-symlink && - ln -s "$PWD/0-10.txt" absolute-symlink && - assert_fails 0-10.txt symlink && - test-tool path-utils do_files_match symlink another-symlink && - assert_fails symlink yet-another-symlink && - assert_fails symlink absolute-symlink - fi -' - test_done