Web lists-archives.com

[PATCH v2 0/7] harden unexpected object types checks




Hi everyone,

Here is 'v2' of mine and Peff's series to add tests for and fix some
cases when object connections are malformed in various ways.

There aren't many major changes from the initial version, but what has
changed is described briefly here, and in complete detail in the
range-diff at the bottom of this message:

  - [2/7] was amended with Peff's suggestion to be a little clearer about
    what 'lone' and 'seen' mean

  - [2/7] was changed to replace all instances of:

      git cat-file ... | sed -e ... >broken-obj

    with:

      git cat-file ... >good-obj &&
      sed -e ... <good-obj >broken-obj

  - [4/7] was cleaned up to include the right test after a faulty
    rebase.

Thanks as always for your review :-).


Thanks,
Taylor

Jeff King (3):
  get_commit_tree(): return NULL for broken tree
  rev-list: let traversal die when --missing is not in use
  rev-list: detect broken root trees

Taylor Blau (4):
  t: move 'hex2oct' into test-lib-functions.sh
  t: introduce tests for unexpected object types
  list-objects.c: handle unexpected non-blob entries
  list-objects.c: handle unexpected non-tree entries

 builtin/rev-list.c                     |   4 +-
 commit.c                               |   6 +-
 list-objects.c                         |  13 +++
 t/t1007-hash-object.sh                 |   4 -
 t/t1450-fsck.sh                        |   4 -
 t/t5601-clone.sh                       |   4 -
 t/t6102-rev-list-unexpected-objects.sh | 127 +++++++++++++++++++++++++
 t/test-lib-functions.sh                |   6 ++
 8 files changed, 152 insertions(+), 16 deletions(-)
 create mode 100755 t/t6102-rev-list-unexpected-objects.sh

Range-diff against v1:
1:  2104508e42 = 1:  f09c374557 t: move 'hex2oct' into test-lib-functions.sh
2:  909cbcd4a1 ! 2:  137e2df24d t: introduce tests for unexpected object types
    @@ -20,21 +20,19 @@
         cases that are not broken (i.e., they have NULL-ness checks or similar),
         mark these as expecting success.

    -    Let A be the object referenced with an unexpected type, and B be the
    -    object doing the referencing. Do the following:
    -
    -      - test 'git rev-list --objects A B'. This causes A to be "cached", and
    -        presents the above scenario.
    -
    -    Likewise, if we have a tree entry that claims to be a tree (for example)
    -    but points to another object type (say, a blob), there are two ways we
    -    might find out:
    +    We might hit an unexpected type in two different ways (imagine we have a
    +    tree entry that claims to be a tree but actually points to a blob):

           - when we call lookup_tree(), we might find that we've already seen
    -        the object referenced as another type, in which case we'd get NULL
    +        the object referenced as a blob, in which case we'd get NULL. We
    +        can exercise this with "git rev-list --objects $blob $tree", which
    +        guarantees that the blob will have been parsed before we look in
    +        the tree. These tests are marked as "seen" in the test script.

           - we call lookup_tree() successfully, but when we try to read the
    -        object, we find out it's something else.
    +        object, we find out it's something else. We construct our tests
    +        such that $blob is not otherwise mentioned in $tree. These tests
    +        are marked as "lone" in the script.

         We should check that we behave sensibly in both cases (especially
         because it is easy for a malicious actor to provoke one case or the
    @@ -58,7 +56,8 @@
     +test_expect_success 'setup well-formed objects' '
     +	blob="$(printf "foo" | git hash-object -w --stdin)" &&
     +	tree="$(printf "100644 blob $blob\tfoo" | git mktree)" &&
    -+	commit="$(git commit-tree $tree -m "first commit")"
    ++	commit="$(git commit-tree $tree -m "first commit")" &&
    ++	git cat-file commit $commit >good-commit
     +'
     +
     +test_expect_success 'setup unexpected non-blob entry' '
    @@ -84,12 +83,11 @@
     +'
     +
     +test_expect_failure 'traverse unexpected non-tree entry (seen)' '
    -+	test_must_fail git rev-list --objects $blob $broken_tree >output 2>&1
    ++	test_must_fail git rev-list --objects $blob $broken_tree
     +'
     +
     +test_expect_success 'setup unexpected non-commit parent' '
    -+	git cat-file commit $commit |
    -+		perl -lpe "/^author/ && print q(parent $blob)" \
    ++	sed "/^author/ { h; s/.*/parent $blob/; G; }" <good-commit \
     +		>broken-commit &&
     +	broken_commit="$(git hash-object -w --literally -t commit \
     +		broken-commit)"
    @@ -107,8 +105,7 @@
     +'
     +
     +test_expect_success 'setup unexpected non-tree root' '
    -+	git cat-file commit $commit |
    -+	sed -e "s/$tree/$blob/" >broken-commit &&
    ++	sed -e "s/$tree/$blob/" <good-commit >broken-commit &&
     +	broken_commit="$(git hash-object -w --literally -t commit \
     +		broken-commit)"
     +'
    @@ -123,8 +120,9 @@
     +
     +test_expect_success 'setup unexpected non-commit tag' '
     +	git tag -a -m "tagged commit" tag $commit &&
    ++	git cat-file tag tag >good-tag &&
     +	test_when_finished "git tag -d tag" &&
    -+	git cat-file -p tag | sed -e "s/$commit/$blob/" >broken-tag &&
    ++	sed -e "s/$commit/$blob/" <good-tag >broken-tag &&
     +	tag=$(git hash-object -w --literally -t tag broken-tag)
     +'
     +
    @@ -139,9 +137,9 @@
     +
     +test_expect_success 'setup unexpected non-tree tag' '
     +	git tag -a -m "tagged tree" tag $tree &&
    ++	git cat-file tag tag >good-tag &&
     +	test_when_finished "git tag -d tag" &&
    -+	git cat-file -p tag |
    -+	sed -e "s/$tree/$blob/" >broken-tag &&
    ++	sed -e "s/$tree/$blob/" <good-tag >broken-tag &&
     +	tag=$(git hash-object -w --literally -t tag broken-tag)
     +'
     +
    @@ -156,9 +154,9 @@
     +
     +test_expect_success 'setup unexpected non-blob tag' '
     +	git tag -a -m "tagged blob" tag $blob &&
    ++	git cat-file tag tag >good-tag &&
     +	test_when_finished "git tag -d tag" &&
    -+	git cat-file -p tag |
    -+	sed -e "s/$blob/$commit/" >broken-tag &&
    ++	sed -e "s/$blob/$commit/" <good-tag >broken-tag &&
     +	tag=$(git hash-object -w --literally -t tag broken-tag)
     +'
     +
3:  42f1b5d5fd = 3:  1d1ac9b7a7 list-objects.c: handle unexpected non-blob entries
4:  62c9a6f2e0 ! 4:  97c7e23ec9 list-objects.c: handle unexpected non-tree entries
    @@ -31,7 +31,7 @@
      '

     -test_expect_failure 'traverse unexpected non-tree entry (seen)' '
    --	test_must_fail git rev-list --objects $blob $broken_tree >output 2>&1
    +-	test_must_fail git rev-list --objects $blob $broken_tree
     +test_expect_success 'traverse unexpected non-tree entry (seen)' '
     +	test_must_fail git rev-list --objects $blob $broken_tree >output 2>&1 &&
     +	test_i18ngrep "is not a tree" output
5:  d0ae70542d = 5:  e9400a9f77 get_commit_tree(): return NULL for broken tree
6:  a0c23c8c16 = 6:  88ca5dfe68 rev-list: let traversal die when --missing is not in use
7:  2a25796147 = 7:  e0bd479e82 rev-list: detect broken root trees
--
2.21.0.203.g358da99528