mirror of
https://github.com/git/git.git
synced 2025-12-12 20:36:24 +01:00
873a466ea3
As part of the security bug-fix releases v2.39.4, ..., v2.45.1, I
introduced logic to safeguard `git clone` from running hooks that were
installed _during_ the clone operation.
The rationale was that Git's CVE-2024-32002, CVE-2021-21300,
CVE-2019-1354, CVE-2019-1353, CVE-2019-1352, and CVE-2019-1349 should
have been low-severity vulnerabilities but were elevated to
critical/high severity by the attack vector that allows a weakness where
files inside `.git/` can be inadvertently written during a `git clone`
to escalate to a Remote Code Execution attack by virtue of installing a
malicious `post-checkout` hook that Git will then run at the end of the
operation without giving the user a chance to see what code is executed.
Unfortunately, Git LFS uses a similar strategy to install its own
`post-checkout` hook during a `git clone`; In fact, Git LFS is
installing four separate hooks while running the `smudge` filter.
While this pattern is probably in want of being improved by introducing
better support in Git for Git LFS and other tools wishing to register
hooks to be run at various stages of Git's commands, let's undo the
clone protections to unbreak Git LFS-enabled clones.
This reverts commit 8db1e8743c (clone: prevent hooks from running
during a clone, 2024-03-28).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
184 lines
3.8 KiB
C
184 lines
3.8 KiB
C
#include "cache.h"
|
|
#include "hook.h"
|
|
#include "run-command.h"
|
|
#include "config.h"
|
|
|
|
const char *find_hook(const char *name)
|
|
{
|
|
static struct strbuf path = STRBUF_INIT;
|
|
|
|
int found_hook;
|
|
|
|
strbuf_reset(&path);
|
|
strbuf_git_path(&path, "hooks/%s", name);
|
|
found_hook = access(path.buf, X_OK) >= 0;
|
|
#ifdef STRIP_EXTENSION
|
|
if (!found_hook) {
|
|
int err = errno;
|
|
|
|
strbuf_addstr(&path, STRIP_EXTENSION);
|
|
found_hook = access(path.buf, X_OK) >= 0;
|
|
if (!found_hook)
|
|
errno = err;
|
|
}
|
|
#endif
|
|
|
|
if (!found_hook) {
|
|
if (errno == EACCES && advice_enabled(ADVICE_IGNORED_HOOK)) {
|
|
static struct string_list advise_given = STRING_LIST_INIT_DUP;
|
|
|
|
if (!string_list_lookup(&advise_given, name)) {
|
|
string_list_insert(&advise_given, name);
|
|
advise(_("The '%s' hook was ignored because "
|
|
"it's not set as executable.\n"
|
|
"You can disable this warning with "
|
|
"`git config advice.ignoredHook false`."),
|
|
path.buf);
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
return path.buf;
|
|
}
|
|
|
|
int hook_exists(const char *name)
|
|
{
|
|
return !!find_hook(name);
|
|
}
|
|
|
|
static int pick_next_hook(struct child_process *cp,
|
|
struct strbuf *out,
|
|
void *pp_cb,
|
|
void **pp_task_cb)
|
|
{
|
|
struct hook_cb_data *hook_cb = pp_cb;
|
|
const char *hook_path = hook_cb->hook_path;
|
|
|
|
if (!hook_path)
|
|
return 0;
|
|
|
|
cp->no_stdin = 1;
|
|
strvec_pushv(&cp->env, hook_cb->options->env.v);
|
|
cp->stdout_to_stderr = 1;
|
|
cp->trace2_hook_name = hook_cb->hook_name;
|
|
cp->dir = hook_cb->options->dir;
|
|
|
|
strvec_push(&cp->args, hook_path);
|
|
strvec_pushv(&cp->args, hook_cb->options->args.v);
|
|
|
|
/*
|
|
* This pick_next_hook() will be called again, we're only
|
|
* running one hook, so indicate that no more work will be
|
|
* done.
|
|
*/
|
|
hook_cb->hook_path = NULL;
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int notify_start_failure(struct strbuf *out,
|
|
void *pp_cb,
|
|
void *pp_task_cp)
|
|
{
|
|
struct hook_cb_data *hook_cb = pp_cb;
|
|
|
|
hook_cb->rc |= 1;
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int notify_hook_finished(int result,
|
|
struct strbuf *out,
|
|
void *pp_cb,
|
|
void *pp_task_cb)
|
|
{
|
|
struct hook_cb_data *hook_cb = pp_cb;
|
|
struct run_hooks_opt *opt = hook_cb->options;
|
|
|
|
hook_cb->rc |= result;
|
|
|
|
if (opt->invoked_hook)
|
|
*opt->invoked_hook = 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void run_hooks_opt_clear(struct run_hooks_opt *options)
|
|
{
|
|
strvec_clear(&options->env);
|
|
strvec_clear(&options->args);
|
|
}
|
|
|
|
int run_hooks_opt(const char *hook_name, struct run_hooks_opt *options)
|
|
{
|
|
struct strbuf abs_path = STRBUF_INIT;
|
|
struct hook_cb_data cb_data = {
|
|
.rc = 0,
|
|
.hook_name = hook_name,
|
|
.options = options,
|
|
};
|
|
const char *const hook_path = find_hook(hook_name);
|
|
int ret = 0;
|
|
const struct run_process_parallel_opts opts = {
|
|
.tr2_category = "hook",
|
|
.tr2_label = hook_name,
|
|
|
|
.processes = 1,
|
|
.ungroup = 1,
|
|
|
|
.get_next_task = pick_next_hook,
|
|
.start_failure = notify_start_failure,
|
|
.task_finished = notify_hook_finished,
|
|
|
|
.data = &cb_data,
|
|
};
|
|
|
|
if (!options)
|
|
BUG("a struct run_hooks_opt must be provided to run_hooks");
|
|
|
|
if (options->invoked_hook)
|
|
*options->invoked_hook = 0;
|
|
|
|
if (!hook_path && !options->error_if_missing)
|
|
goto cleanup;
|
|
|
|
if (!hook_path) {
|
|
ret = error("cannot find a hook named %s", hook_name);
|
|
goto cleanup;
|
|
}
|
|
|
|
cb_data.hook_path = hook_path;
|
|
if (options->dir) {
|
|
strbuf_add_absolute_path(&abs_path, hook_path);
|
|
cb_data.hook_path = abs_path.buf;
|
|
}
|
|
|
|
run_processes_parallel(&opts);
|
|
ret = cb_data.rc;
|
|
cleanup:
|
|
strbuf_release(&abs_path);
|
|
run_hooks_opt_clear(options);
|
|
return ret;
|
|
}
|
|
|
|
int run_hooks(const char *hook_name)
|
|
{
|
|
struct run_hooks_opt opt = RUN_HOOKS_OPT_INIT;
|
|
|
|
return run_hooks_opt(hook_name, &opt);
|
|
}
|
|
|
|
int run_hooks_l(const char *hook_name, ...)
|
|
{
|
|
struct run_hooks_opt opt = RUN_HOOKS_OPT_INIT;
|
|
va_list ap;
|
|
const char *arg;
|
|
|
|
va_start(ap, hook_name);
|
|
while ((arg = va_arg(ap, const char *)))
|
|
strvec_push(&opt.args, arg);
|
|
va_end(ap);
|
|
|
|
return run_hooks_opt(hook_name, &opt);
|
|
}
|