Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=jch 2025-07-01T21:46:37Z 2025-07-01T21:46:37Z Patrick Steinhardt ps@pks.im 2025-07-01T12:22:23Z urn:sha1:fc28a8a856a1e7978794e7dee61c42d7d5740a6b The "--recursive" flag for git-grep(1) allows users to grep for a string across submodule boundaries. To make this work we add each submodule's object sources to our own object database so that the objects can be accessed directly. The infrastructure for this depends on a global string list of submodule paths. The caller is expected to call `add_submodule_odb_by_path()` for each source and the object database will then eventually register all submodule sources via `do_oid_object_info_extended()` in case it isn't able to look up a specific object. This reliance on global state is of course suboptimal with regards to our libification efforts. Refactor the logic so that the list of submodule sources is instead tracked in the object database itself. This allows us to lose the condition of `r == the_repository` before registering submodule sources as we only ever add submodule sources to `the_repository` anyway. As such, behaviour before and after this refactoring should always be the same. Rename the functions accordingly. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2025-02-07T17:59:21Z Patrick Steinhardt ps@pks.im 2025-02-07T11:03:29Z urn:sha1:f9467895d884908d5588fc920997b2e53dfb3302 The `submodule_to_gitdir()` function implicitly uses `the_repository` to resolve submodule paths. Refactor the function to instead accept a repo as parameter to remove the dependency on global state. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-09-27T15:25:34Z Patrick Steinhardt ps@pks.im 2024-09-26T11:46:08Z urn:sha1:2e492f2047748cf70350d503214ef89f1110ee82 We're not freeing the submodule update strategy command. Provide a helper function that does this for us and call it in `update_data_release()`. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2024-04-19T10:38:37Z Johannes Schindelin johannes.schindelin@gmx.de 2024-04-12T07:45:28Z urn:sha1:93a88f42db7ed9a975768df0e5f4516317c50dda * maint-2.39: (38 commits) Git 2.39.4 fsck: warn about symlink pointing inside a gitdir core.hooksPath: add some protection while cloning init.templateDir: consider this config setting protected clone: prevent hooks from running during a clone Add a helper function to compare file contents init: refactor the template directory discovery into its own function find_hook(): refactor the `STRIP_EXTENSION` logic clone: when symbolic links collide with directories, keep the latter entry: report more colliding paths t5510: verify that D/F confusion cannot lead to an RCE submodule: require the submodule path to contain directories only clone_submodule: avoid using `access()` on directories submodules: submodule paths must not contain symlinks clone: prevent clashing git dirs when cloning submodule in parallel t7423: add tests for symlinked submodule directories has_dir_name(): do not get confused by characters < '/' docs: document security issues around untrusted .git dirs upload-pack: disable lazy-fetching by default fetch/clone: detect dubious ownership of local repositories ... 2024-04-17T20:30:04Z Johannes Schindelin johannes.schindelin@gmx.de 2024-03-26T13:37:25Z urn:sha1:e8d0608944486019ea0e1ed2ed29776811a565c2 Submodules are stored in subdirectories of their superproject. When these subdirectories have been replaced with symlinks by a malicious actor, all kinds of mayhem can be caused. This _should_ not be possible, but many CVEs in the past showed that _when_ possible, it allows attackers to slip in code that gets executed during, say, a `git clone --recursive` operation. Let's add some defense-in-depth to disallow submodule paths to have anything except directories in them. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> 2022-12-26T01:21:44Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-12-20T12:39:56Z urn:sha1:4002ec3dcf0f89db46fbdf56549218c573a9c0f2 The "--super-prefix" option to "git" was initially added in [1] for use with "ls-files"[2], and shortly thereafter "submodule--helper"[3] and "grep"[4]. It wasn't until [5] that "read-tree" made use of it. At the time [5] made sense, but since then we've made "ls-files" recurse in-process in [6], "grep" in [7], and finally "submodule--helper" in the preceding commits. Let's also remove it from "read-tree", which allows us to remove the option to "git" itself. We can do this because the only remaining user of it is the submodule API, which will now invoke "read-tree" with its new "--super-prefix" option. It will only do so when the "submodule_move_head()" function is called. That "submodule_move_head()" function was then only invoked by "read-tree" itself, but now rather than setting an environment variable to pass "--super-prefix" between cmd_read_tree() we: - Set a new "super_prefix" in "struct unpack_trees_options". The "super_prefixed()" function in "unpack-trees.c" added in [5] will now use this, rather than get_super_prefix() looking up the environment variable we set earlier in the same process. - Add the same field to the "struct checkout", which is only needed to ferry the "super_prefix" in the "struct unpack_trees_options" all the way down to the "entry.c" callers of "submodule_move_head()". Those calls which used the super prefix all originated in "cmd_read_tree()". The only other caller is the "unlink_entry()" caller in "builtin/checkout.c", which now passes a "NULL". 1. 74866d75793 (git: make super-prefix option, 2016-10-07) 2. e77aa336f11 (ls-files: optionally recurse into submodules, 2016-10-07) 3. 89c86265576 (submodule helper: support super prefix, 2016-12-08) 4. 0281e487fd9 (grep: optionally recurse into submodules, 2016-12-16) 5. 3d415425c7b (unpack-trees: support super-prefix option, 2017-01-17) 6. 188dce131fa (ls-files: use repository object, 2017-06-22) 7. f9ee2fcdfa0 (grep: recurse in-process using 'struct repository', 2017-08-02) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-12-26T01:21:43Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-12-20T12:39:50Z urn:sha1:f0a5e5ad57ae729d9971bdb6bdaa82c1d85bd062 Start passing the "super_prefix" along as a parameter to get_submodule_displaypath() and absorb_git_dir_into_superproject(), rather than get the value directly as a global. This is in preparation for subsequent commits, where we'll gradually phase out get_super_prefix() for an alternative way of getting the "super_prefix". Most of the users of this get a get_super_prefix() value, either directly or by indirection. The exceptions are: - builtin/rm.c: Doesn't declare SUPPORT_SUPER_PREFIX, so we'd have died if this was provided, so it's safe to pass "NULL". - deinit_submodule(): The "deinit_submodule()" function has never been able to use the "git -super-prefix". It will call "absorb_git_dir_into_superproject()", but it will only do so from the top-level project. If "absorbgitdirs" recurses will use the "path" passed to "absorb_git_dir_into_superproject()" in "deinit_submodule()" as its starting "--super-prefix". So we can safely remove the get_super_prefix() call here, and pass NULL instead. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-11-08T19:55:30Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-11-08T14:10:37Z urn:sha1:82ff87789bdd972c9746ec184ae9464e58c8d29b Remove the "----recursive" option to "git submodule--helper absorbgitdirs" (yes, with 4 dashes, not 2). This option and all the "else" when "flags & ABSORB_GITDIR_RECURSE_SUBMODULES" is false has never been used since it was added in f6f85861400 (submodule: add absorb-git-dir function, 2016-12-12), which we'd have had to do as "----recursive", a "--recursive" would have errored out. It would be nice to follow-up with an optbug() assertion to parse-options.c for such funnily named options, I manually validated that this was the only long option whose name started with "-", but let's skip adding such an assertion for now. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Taylor Blau <me@ttaylorr.com> 2022-09-02T16:16:24Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2022-08-31T23:18:05Z urn:sha1:b9dd63ffe2842fe676f54d4d5f8f06bc04c6dd8b Change the submodule_strategy_to_string() function added in 3604242f080 (submodule: port init from shell to C, 2016-04-15) to really return a "const char *". In the "SM_UPDATE_COMMAND" case it would return a strbuf_detach(). Furthermore, this function would return NULL on SM_UPDATE_UNSPECIFIED, so it wasn't safe to xstrdup() its return value in the general case, or to use it in a sprintf() format as the code removed in the preceding commit did. But its callers would never call it with either SM_UPDATE_UNSPECIFIED or SM_UPDATE_COMMAND. Let's have its behavior reflect how its only user expects it to behave, and BUG() out on the rest. By doing this we can also stop needlessly xstrdup()-ing and free()-ing the memory for the config we're setting. We can instead always use constant strings. We can also use the *_tmp() variant of git_config_get_string(). Let's also rename this submodule_strategy_to_string() function to submodule_update_type_to_string(). Now that it's only tasked with returning a string version of the "enum submodule_update_type type". Before it would look at the "command" field in "struct submodule_update_strategy". Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Reviewed-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-06-10T22:04:13Z Junio C Hamano gitster@pobox.com 2022-06-10T22:04:13Z urn:sha1:c21fa3bb549a7769f9d508f0a5f95c654539e1f7 Rename .env_array member to .env in the child_process structure. * ab/env-array: run-command API users: use "env" not "env_array" in comments & names run-command API: rename "env_array" to "env"