
tests: access bare repositories explicitly #2076

Open
dscho wants to merge 17 commits into gitgitgadget:master from dscho:tests-explicit-bare-repo

dscho commented Apr 2, 2026

The `safe.bareRepository` configuration variable (introduced in
8d1a744) allows restricting implicit bare repository discovery.
Its default may well change to "explicit" in Git v3.0, at which point
any test that relies on implicit discovery of a bare repository would
break, even if the test subject has nothing to do with bare
repositories.

This series adjusts 16 test scripts and git-p4 so that they access
bare repositories explicitly. The techniques used are:

  • Replace `git -C <bare-repo> ...` with `git --git-dir=<bare-repo> ...`
  • Export `GIT_DIR=.` after `cd`-ing into a bare repository
  • Wrap commands in `(GIT_DIR=<path> && export GIT_DIR && ...)`
  • Add `test_config_global safe.bareRepository all` in the few tests
    where implicit discovery is genuinely part of what is being tested

Each commit is a self-contained fix to one test file (or a small
related group).

This patch series is part of #2072.
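
The access techniques listed in the description above can be compared against a throwaway bare repository. This is an added example, not code from the patch series: the `probe` and `run_matrix` function names and the temporary directory are assumptions, the setting is passed with `-c` instead of `test_config_global`, and it needs a Git that implements `safe.bareRepository`.

```shell
#!/bin/sh
# Added example: how Git treats a bare repository under
# safe.bareRepository=explicit. Function names are assumptions.

# probe <mode> <bare-repo>: exit status 0 if Git agrees to use the repo.
probe () {
    bare=$2
    case $1 in
    implicit)   # discovery from the working directory, as with `git -C`
        git -c safe.bareRepository=explicit -C "$bare" rev-parse --git-dir ;;
    git-dir)    # name the repository on the command line
        git -c safe.bareRepository=explicit --git-dir="$bare" rev-parse --git-dir ;;
    env)        # export GIT_DIR after cd-ing in, scoped to a subshell
        (cd "$bare" && GIT_DIR=. && export GIT_DIR &&
         git -c safe.bareRepository=explicit rev-parse --git-dir) ;;
    opt-in)     # allow implicit discovery for this one command only
        git -c safe.bareRepository=all -C "$bare" rev-parse --git-dir ;;
    *)
        false ;;
    esac >/dev/null 2>&1
}

# run_matrix: create a throwaway bare repo, probe it in every mode and
# print one "mode=ok|refused" word per mode on a single line.
run_matrix () {
    tmp=$(mktemp -d) || return 1
    unset GIT_DIR GIT_WORK_TREE   # start from a clean environment
    git init -q --bare "$tmp/bare.git" || { rm -rf "$tmp"; return 1; }
    result=
    for m in implicit git-dir env opt-in
    do
        if probe "$m" "$tmp/bare.git"
        then
            result="$result$m=ok "
        else
            result="$result$m=refused "
        fi
    done
    rm -rf "$tmp"
    printf '%s\n' "${result% }"
}

run_matrix
```

On a Git that implements the setting, only the `implicit` probe is refused; the three explicit forms keep working.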

dscho added 17 commits April 2, 2026 10:19

8d1a744 (setup.c: create `safe.bareRepository`, 2022-07-14)
introduced a setting to restrict implicit bare repository discovery,
mitigating a social-engineering attack where an embedded bare repo's
hooks get executed unknowingly. To allow for that default to change at
some stage in the future, the tests need to be prepared.

This commit adjusts a test accordingly that runs `git aliasedinit`
from inside a bare repo to verify that aliased commands work there.
The test is about alias resolution, not bare repo discovery, so add
`test_config_global safe.bareRepository all` to opt in explicitly.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit`
(see 8d1a744), replace `cd <dir> && git config` with `git
--git-dir=<dir> config` so the helper does not rely on implicit bare
repository discovery.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

The bare repo tests in t0003-attributes.sh currently `cd` into the bare
repository inside subshells, relying on implicit discovery. Restructure
these tests to pass `--git-dir=bare.git` to the `attr_check` and
`attr_check_source` helpers instead. This makes the code much easier to
read, and also makes bare repo access explicit, i.e. compatible with an
eventual `safe.bareRepository=explicit` default.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

The `git -C c/a.git --work-tree=../a` invocations in t0056-git-C.sh
enter what is technically the `.git` directory of a repository to
test `-C` combined with `--work-tree`. In doing so, the code relies on
implicit discovery of bare repositories, which 8d1a744 (setup.c:
create `safe.bareRepository`, 2022-07-14) prepared to be prevented by
default.

These tests verify the interaction between those flags, so changing them
to use `--git-dir` would defeat their purpose. So let's just temporarily
force-enable implicit discovery of bare repositories, no matter what
`safe.bareRepository` defaults to.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Replace an unnecessarily complex subshell pattern with a much simpler
`--git-dir`-based one. The latter is not only simpler, it also no
longer relies on implicit bare repo discovery, which would fail with
`safe.bareRepository=explicit`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit` (see
8d1a744), add an optional 6th parameter `repo_flag` (defaulting
to `-C`) to the `test_repo_info` helper, and use it in the caller that
wants to operate on a bare repository.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit` (see
8d1a744), specify the gitdir specifically in bare-repo `git
worktree add` invocations via `--git-dir=.` so Git does not rely on
implicit bare repository discovery.

While at it, also avoid unnecessary subshells and `cd`ing. This
simplifies the logic in a rather pleasant way.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit` (see
8d1a744), the test case t2406.10 (repair .git file from bare.git)
cannot rely on the implicit discovery of the bare repository. Simply
add a `--git-dir=.` to the invocation. The `-C bare.git` argument is
still needed so that the `repair` command works on the intended
directory.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

The test case "fetch specific OID with tag following" creates a bare
repository and wants to operate on it by changing the working directory
and relying on Git's implicit discovery of the bare repository.

Once the `safe.bareRepository` default is changed, this is no longer
an option.

So let's adjust the commands to specify the bare repository explicitly,
via `--git-dir`, and avoid changing the working directory. As a bonus,
the result is arguably more readable than the original code.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit` (see
8d1a744), export `GIT_DIR=.` right after `git init --bare &&` so
subsequent commands access the bare repo explicitly.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

After switching from `-C pushee` to `--git-dir=pushee` as part of
the `safe.bareRepository` preparation, `ext::` URLs that used `.`
(resolved relative to the `-C` target) must spell out the directory
name explicitly.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

In the `test_http_push_nonff` function both of these test scripts
call, there were two Git invocations that assume that bare repositories
will always be discovered when the current working directory is inside
one. This is unlikely to be true forever because at some stage, the
`safe.bareRepository` config is prone to be modified to be safe by
default.

So let's be safe and specify the bare repository explicitly.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit` (see
8d1a744), wrap the `test_commit_bulk` call in `(GIT_DIR="$REPO" &&
export GIT_DIR && test_commit_bulk ...)` because `test_commit_bulk -C`
relies on implicit discovery which would fail once the default changes.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

To prepare for `safe.bareRepository` defaulting to `explicit`
(see 8d1a744), adjust a loop that iterated over both a
bare (`cloned`) and a non-bare (`unbundled`) repository using
the same `-C` flag: the bare repo needs `--git-dir` to avoid
implicit discovery, while the non-bare one keeps `-C`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

This test expects `scalar register` to discover a bare repo and
reject it. Since `scalar` does not support `--git-dir` (that option
would not make sense in the context of that command), pass `-c
safe.bareRepository=all` to opt into implicit discovery of bare
repositories, so the test keeps working once the default changes to
`explicit`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Currently, the "alternate bare repo" test case relies on Git
discovering non-bare and bare repositories alike. However, the automatic
discovery of bare repositories represents a weakness that leaves Git
users vulnerable. To that end, the `safe.bareRepository` config was
introduced, but out of backwards-compatibility concerns, the default is
not yet secure.

To prepare for that default to switch to the secure one, where bare
repositories are never discovered automatically but instead must be
specified explicitly, let's do exactly that in this test case: specify
it explicitly, via setting the environment variable `GIT_DIR`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

When `safe.bareRepository` changes to be safe by default, bare
repositories won't be discovered by default anymore. To prepare for
this, `git p4` must be explicit about the gitdir when cloning into a
bare repository, and no longer rely on that implicit discovery.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

dscho force-pushed the tests-explicit-bare-repo branch from 55f8d81 to c8e5bef April 2, 2026 14:29

dscho commented Apr 2, 2026

/submit

gitgitgadget bot commented Apr 2, 2026

Submitted as pull.2076.git.1775140403.gitgitgadget@gmail.com

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-2076/dscho/tests-explicit-bare-repo-v1

To fetch this version to local tag pr-2076/dscho/tests-explicit-bare-repo-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-2076/dscho/tests-explicit-bare-repo-v1
