Andrew's git / gitweb.git / diff
?
Merge branch 'jk/quarantine-received-objects'
authorJunio C Hamano <gitster@pobox.com>
Mon, 24 Apr 2017 05:07:51 +0000 (22:07 -0700)
committerJunio C Hamano <gitster@pobox.com>
Mon, 24 Apr 2017 05:07:52 +0000 (22:07 -0700)
Add finishing touches to a recent topic.

* jk/quarantine-received-objects:
refs: reject ref updates while GIT_QUARANTINE_PATH is set
receive-pack: document user-visible quarantine effects
receive-pack: drop tmp_objdir_env from run_update_hook

Documentation/git-receive-pack.txt patch | blob | history
Documentation/githooks.txt patch | blob | history
builtin/receive-pack.c patch | blob | history
refs.c patch | blob | history
t/t5547-push-quarantine.sh patch | blob | history
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 0ccd5fbc781deb3adcca4d28ec8a4ed0d9db9977..86a4b32f0f1cbb8b69ff8b935edade6f14e7d5e2 100644 (file)
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -114,6 +114,8 @@ will be performed, and the update, post-receive and post-update
 hooks will not be invoked either.  This can be useful to quickly
 bail out if the update is not to be supported.
 
+See the notes on the quarantine environment below.
+
 update Hook
 -----------
 Before each ref is updated, if $GIT_DIR/hooks/update file exists
@@ -214,6 +216,33 @@ if the repository is packed and is served via a dumb transport.
        exec git update-server-info
 
 
+Quarantine Environment
+----------------------
+
+When `receive-pack` takes in objects, they are placed into a temporary
+"quarantine" directory within the `$GIT_DIR/objects` directory and
+migrated into the main object store only after the `pre-receive` hook
+has completed. If the push fails before then, the temporary directory is
+removed entirely.
+
+This has a few user-visible effects and caveats:
+
+  1. Pushes which fail due to problems with the incoming pack, missing
+     objects, or due to the `pre-receive` hook will not leave any
+     on-disk data. This is usually helpful to prevent repeated failed
+     pushes from filling up your disk, but can make debugging more
+     challenging.
+
+  2. Any objects created by the `pre-receive` hook will be created in
+     the quarantine directory (and migrated only if it succeeds).
+
+  3. The `pre-receive` hook MUST NOT update any refs to point to
+     quarantined objects. Other programs accessing the repository will
+     not be able to see the objects (and if the pre-receive hook fails,
+     those refs would become corrupted). For safety, any ref updates
+     from within `pre-receive` are automatically rejected.
+
+
 SEE ALSO
 --------
 linkgit:git-send-pack[1], linkgit:gitnamespaces[7]
diff --git a/Documentation/githooks.txt b/Documentation/githooks.txt
index 9565dc3fda47d7c8a7290132c347b5a6f0d2422e..32343ae295e7c94a70f67e9abca542f22d992102 100644 (file)
--- a/Documentation/githooks.txt
+++ b/Documentation/githooks.txt
@@ -256,6 +256,9 @@ environment variables will not be set. If the client selects
 to use push options, but doesn't transmit any, the count variable
 will be set to zero, `GIT_PUSH_OPTION_COUNT=0`.
 
+See the section on "Quarantine Environment" in
+linkgit:git-receive-pack[1] for some caveats.
+
 [[update]]
 update
 ~~~~~~
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 3cba3fd278fb05f86ec2e23483261d22bc4c04cd..7f484e7f6b41be0555babb54ba8853d0bf1e4269 100644 (file)
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -772,7 +772,6 @@ static int run_update_hook(struct command *cmd)
        proc.stdout_to_stderr = 1;
        proc.err = use_sideband ? -1 : 0;
        proc.argv = argv;
-       proc.env = tmp_objdir_env(tmp_objdir);
 
        code = start_command(&proc);
        if (code)
diff --git a/refs.c b/refs.c
index d1e1b4399b36746dedaabb38de2332481267ea48..a3d5f42e37345096628ab83fee629f22df1bb7b5 100644 (file)
--- a/refs.c
+++ b/refs.c
@@ -1643,6 +1643,12 @@ int ref_transaction_commit(struct ref_transaction *transaction,
 {
        struct ref_store *refs = transaction->ref_store;
 
+       if (getenv(GIT_QUARANTINE_ENVIRONMENT)) {
+               strbuf_addstr(err,
+                             _("ref updates forbidden inside quarantine environment"));
+               return -1;
+       }
+
        return refs->be->transaction_commit(refs, transaction, err);
 }
 
diff --git a/t/t5547-push-quarantine.sh b/t/t5547-push-quarantine.sh
index af9fcd833a5e9e4997dd5cb917ac13f4b07f10ab..113c87007f31abced0d93b3702f0b54f50ff4679 100755 (executable)
--- a/t/t5547-push-quarantine.sh
+++ b/t/t5547-push-quarantine.sh
@@ -58,4 +58,15 @@ test_expect_success 'push to repo path with path separator (colon)' '
        git push "$(pwd)/xxx${pathsep}yyy.git" HEAD
 '
 
+test_expect_success 'updating a ref from quarantine is forbidden' '
+       git init --bare update.git &&
+       write_script update.git/hooks/pre-receive <<-\EOF &&
+       read old new refname
+       git update-ref refs/heads/unrelated $new
+       exit 1
+       EOF
+       test_must_fail git push update.git HEAD &&
+       git -C update.git fsck
+'
+
 test_done