Revision 9cf85473209ea8ae2b56c13145c4704d12ee1374 authored by Filip Hejsek on 28 January 2024, 04:09:17 UTC, committed by Johannes Schindelin on 17 April 2024, 20:30:01 UTC
While it is expected to have several git dirs within the `.git/modules/`
tree, it is important that they do not interfere with each other. For
example, if one submodule was called "captain" and another submodule
"captain/hooks", their respective git dirs would clash, as they would be
located in `.git/modules/captain/` and `.git/modules/captain/hooks/`,
respectively, i.e. the latter's files could clash with the actual Git
hooks of the former.

To prevent these clashes, and in particular to prevent hooks from being
written and then executed as part of a recursive clone, we introduced
checks as part of the fix for CVE-2019-1387 in a8dee3ca61 (Disallow
dubiously-nested submodule git directories, 2019-10-01).

It is currently possible to bypass the check for clashing submodule
git dirs in two ways:

1. parallel cloning
2. checkout --recurse-submodules

Let's check not only before, but also after parallel cloning (and before
checking out the submodule), that the git dir is not clashing with
another one, otherwise fail. This addresses the parallel cloning issue.

As to the recursive checkout issue: It requires quite a few manual steps
to create clashing git dirs because Git itself would refuse to
initialize the inner one, as demonstrated by the test case.

Nevertheless, let's teach the recursive checkout (namely, the
`submodule_move_head()` function that is used by the recursive checkout)
to be careful to verify that it does not use a clashing git dir, and if
it does, disable it (by deleting the `HEAD` file so that subsequent Git
calls won't recognize it as a git dir anymore).

Note: The parallel cloning test case contains a `cat err` that proved to
be highly useful when analyzing the racy nature of the operation (the
operation can fail with three different error messages, depending on
timing), and was left on purpose to ease future debugging should the
need arise.

Signed-off-by: Filip Hejsek <filip.hejsek@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent b20c10f
wt-status.h
#ifndef STATUS_H
#define STATUS_H

#include "string-list.h"
#include "color.h"
#include "pathspec.h"
#include "remote.h"

struct repository;
struct worktree;

/*
 * Color slots for status output.
 *
 * WT_STATUS_MAXSLOT sizes the first dimension of wt_status.color_palette,
 * so it must remain the last enumerator. The other values are presumably
 * used as indices into that array; a new slot therefore has to be added
 * before WT_STATUS_MAXSLOT, otherwise the index falls outside the palette.
 */
enum color_wt_status {
	WT_STATUS_HEADER = 0,
	WT_STATUS_UPDATED,
	WT_STATUS_CHANGED,
	WT_STATUS_UNTRACKED,
	WT_STATUS_NOBRANCH,
	WT_STATUS_UNMERGED,
	WT_STATUS_LOCAL_BRANCH,
	WT_STATUS_REMOTE_BRANCH,
	WT_STATUS_ONBRANCH,
	WT_STATUS_MAXSLOT /* slot count, not a color slot itself */
};

/*
 * How untracked files are reported; stored in
 * wt_status.show_untracked_files. The first enumerator has the value 0,
 * so a zero-initialized struct wt_status selects SHOW_NO_UNTRACKED_FILES.
 */
enum untracked_status_type {
	SHOW_NO_UNTRACKED_FILES,
	SHOW_NORMAL_UNTRACKED_FILES,
	SHOW_ALL_UNTRACKED_FILES
};

/*
 * How ignored files are reported; stored in wt_status.show_ignored_mode.
 * The first enumerator has the value 0, so a zero-initialized
 * struct wt_status selects SHOW_NO_IGNORED.
 * NOTE(review): the difference between the "traditional" and "matching"
 * modes is not visible in this header -- confirm in wt-status.c.
 */
enum show_ignored_type {
	SHOW_NO_IGNORED,
	SHOW_TRADITIONAL_IGNORED,
	SHOW_MATCHING_IGNORED,
};

/*
 * Origin of the commit being prepared; stored in wt_status.whence.
 * The enumerators keep their implicit values 0..4 in declaration order.
 */
enum commit_whence {
	/* normal */
	FROM_COMMIT,
	/* commit came from merge */
	FROM_MERGE,
	/* commit came from cherry-pick */
	FROM_CHERRY_PICK_SINGLE,
	/* commit came from a sequence of cherry-picks */
	FROM_CHERRY_PICK_MULTI,
	/* commit came from a pick/reword/edit */
	FROM_REBASE_PICK
};

/*
 * Returns 1 when `whence` is either of the two cherry-pick origins
 * (single or multi), 0 for every other value.
 */
static inline int is_from_cherry_pick(enum commit_whence whence)
{
	switch (whence) {
	case FROM_CHERRY_PICK_SINGLE:
	case FROM_CHERRY_PICK_MULTI:
		return 1;
	default:
		return 0;
	}
}

/*
 * Returns 1 when `whence` is FROM_REBASE_PICK, 0 for every other value.
 */
static inline int is_from_rebase(enum commit_whence whence)
{
	if (whence != FROM_REBASE_PICK)
		return 0;
	return 1;
}

/*
 * Change record for a single path.
 * NOTE(review): presumably attached to the entries of wt_status.change --
 * confirm in wt-status.c.
 */
struct wt_status_change_data {
	int worktree_status;
	int index_status;
	int stagemask;
	/* file modes and object ids for the HEAD, index and worktree sides */
	int mode_head, mode_index, mode_worktree;
	struct object_id oid_head, oid_index;
	int rename_status;
	int rename_score;
	/*
	 * Non-const pointer; who allocates and frees it is not visible in
	 * this header -- TODO confirm ownership before copying this struct.
	 */
	char *rename_source;
	/* bit-fields: a 2-bit value and a 1-bit flag about a submodule path */
	unsigned dirty_submodule       : 2;
	unsigned new_submodule_commits : 1;
};

/*
 * Output format of the status report; stored in wt_status.status_format.
 * STATUS_FORMAT_NONE is explicitly 0, so a zero-initialized struct
 * wt_status carries it. STATUS_FORMAT_UNSPECIFIED is a separate value kept
 * apart from the concrete formats (presumably "no format chosen yet" --
 * confirm against the callers).
 */
enum wt_status_format {
	STATUS_FORMAT_NONE = 0,
	STATUS_FORMAT_LONG,
	STATUS_FORMAT_SHORT,
	STATUS_FORMAT_PORCELAIN,
	STATUS_FORMAT_PORCELAIN_V2,

	STATUS_FORMAT_UNSPECIFIED
};

/*
 * Negative sentinel values. SPARSE_CHECKOUT_DISABLED is named by the
 * comment on wt_status_state.sparse_checkout_percentage as the value used
 * when the checkout is not sparse; SPARSE_CHECKOUT_SPARSE_INDEX is
 * presumably a second sentinel for the same field -- confirm in
 * wt-status.c. Code that prints the field as a percentage has to test for
 * both before using it as a number.
 */
#define SPARSE_CHECKOUT_DISABLED -1
#define SPARSE_CHECKOUT_SPARSE_INDEX -2

/*
 * Snapshot of which multi-step operations are in progress, plus the
 * branch and object names that belong to them. Filled in by
 * wt_status_get_state() (its `state` parameter has this type).
 */
struct wt_status_state {
	/* one int flag per operation that can be in progress */
	int merge_in_progress;
	int am_in_progress;
	int am_empty_patch;
	int rebase_in_progress;
	int rebase_interactive_in_progress;
	int cherry_pick_in_progress;
	int bisect_in_progress;
	int revert_in_progress;
	int detached_at;
	int sparse_checkout_percentage; /* SPARSE_CHECKOUT_DISABLED if not sparse */
	/*
	 * Non-const string buffers. wt_status_state_free_buffers() is
	 * documented as freeing "the buffers of the wt_status_state",
	 * presumably these three -- confirm, and do not free them by hand
	 * as well (double free).
	 */
	char *branch;
	char *onto;
	char *detached_from;
	struct object_id detached_oid;
	struct object_id revert_head_oid;
	struct object_id cherry_pick_head_oid;
};

/*
 * Configuration and collected results for one status run. The members up
 * to oid_commit are settings; the members after the second comment are
 * computed while the individual sections are processed.
 */
struct wt_status {
	struct repository *repo;
	int is_initial;
	/* non-const, unlike `reference`; ownership is not visible here -- TODO confirm */
	char *branch;
	const char *reference;
	struct pathspec pathspec;
	int verbose;
	int amend;
	enum commit_whence whence;
	int nowarn;
	int use_color;
	int no_gettext;
	int display_comment_prefix;
	int relative_paths;
	int submodule_summary;
	enum show_ignored_type show_ignored_mode;
	enum untracked_status_type show_untracked_files;
	const char *ignore_submodule_arg;
	/* one COLOR_MAXLEN-byte color string per enum color_wt_status slot */
	char color_palette[WT_STATUS_MAXSLOT][COLOR_MAXLEN];
	unsigned colopts;
	int null_termination;
	int commit_template;
	int show_branch;
	int show_stash;
	int hints;
	enum ahead_behind_flags ahead_behind_flags;
	int detect_rename;
	int rename_score;
	int rename_limit;
	enum wt_status_format status_format;
	struct wt_status_state state;
	struct object_id oid_commit; /* when not Initial */

	/* These are computed during processing of the individual sections */
	int committable;
	int workdir_dirty;
	const char *index_file;
	/* stream the report is written to (presumably; see status_printf) */
	FILE *fp;
	const char *prefix;
	/*
	 * Collected path lists. wt_status_collect_free_buffers() is
	 * documented as freeing the buffers allocated by wt_status_collect(),
	 * presumably these lists -- confirm in wt-status.c.
	 */
	struct string_list change;
	struct string_list untracked;
	struct string_list ignored;
	uint32_t untracked_in_ms;
};

/*
 * Takes a buffer `s` together with its explicit length `len`, so the
 * buffer does not have to be NUL-terminated as far as this prototype shows.
 * NOTE(review): presumably returns the offset at which the content before
 * the cut line ends -- confirm in wt-status.c.
 */
size_t wt_status_locate_end(const char *s, size_t len);
/* The two cut-line writers differ only in destination: a strbuf or a FILE. */
void wt_status_append_cut_line(struct strbuf *buf);
void wt_status_add_cut_line(FILE *fp);
/*
 * Entry points that operate on a struct wt_status: prepare it for
 * repository `r`, print it, and collect the data it reports.
 * NOTE(review): the required call order is not visible in this header.
 */
void wt_status_prepare(struct repository *r, struct wt_status *s);
void wt_status_print(struct wt_status *s);
void wt_status_collect(struct wt_status *s);
/*
 * Frees the buffers allocated by wt_status_collect.
 */
void wt_status_collect_free_buffers(struct wt_status *s);
/*
 * Frees the buffers of the wt_status_state.
 */
void wt_status_state_free_buffers(struct wt_status_state *s);
/*
 * Fills `state` for repository `repo`. `get_detached_from` is an int
 * switch; presumably it controls whether the detached_from/detached_oid
 * members are looked up -- confirm in wt-status.c.
 */
void wt_status_get_state(struct repository *repo,
			 struct wt_status_state *state,
			 int get_detached_from);
/*
 * Per-worktree checks that write their findings into `state`; the
 * worktree itself is only read (const). The meaning of the int return
 * value is not visible in this header -- TODO confirm.
 */
int wt_status_check_rebase(const struct worktree *wt,
			   struct wt_status_state *state);
int wt_status_check_bisect(const struct worktree *wt,
			   struct wt_status_state *state);

/*
 * printf-style output helpers. The format attribute tells the compiler
 * that parameter 3 (`fmt`) is a printf format string whose arguments start
 * at parameter 4, so mismatched arguments are diagnosed at compile time.
 * `fmt` should be a literal or otherwise trusted string: text taken from
 * the repository (path names, branch names) belongs in the variadic
 * arguments behind a "%s", never in `fmt` itself.
 */
__attribute__((format (printf, 3, 4)))
void status_printf_ln(struct wt_status *s, const char *color, const char *fmt, ...);
__attribute__((format (printf, 3, 4)))
void status_printf(struct wt_status *s, const char *color, const char *fmt, ...);

/*
 * The following functions expect that the caller took care of reading the
 * index; none of them is documented here as loading it on its own.
 * `ignore_submodules` is an int switch on all three.
 * NOTE(review): `gently` presumably makes require_clean_work_tree() report
 * a dirty tree through its return value instead of terminating, and
 * `action`/`hint` presumably feed its messages -- confirm in wt-status.c.
 */
int has_unstaged_changes(struct repository *repo,
			 int ignore_submodules);
int has_uncommitted_changes(struct repository *repo,
			    int ignore_submodules);
int require_clean_work_tree(struct repository *repo,
			    const char *action,
			    const char *hint,
			    int ignore_submodules,
			    int gently);

#endif /* STATUS_H */