From 95d9d4b30cd5a7eece51a3d6b26023bb5da3378e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:11 +0000 Subject: [PATCH 01/10] receive.fsck. tests: remove dead code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the setting of a receive.fsck.badDate config variable to "ignore". This was added in efaba7cc77 ("fsck: optionally ignore specific fsck issues completely", 2015-06-22) but never did anything, presumably it was part of some work-in-progress code that never made it into git.git. None of these tests will emit the "invalid author/committer line - bad date" warning. The dates on the commit objects we're setting up are not invalid. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- t/t5504-fetch-receive-strict.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index 49d3621a92..e1f8768094 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -149,8 +149,6 @@ test_expect_success 'push with receive.fsck.missingEmail=warn' ' git --git-dir=dst/.git branch -D bogus && git --git-dir=dst/.git config --add \ receive.fsck.missingEmail ignore && - git --git-dir=dst/.git config --add \ - receive.fsck.badDate warn && git push --porcelain dst bogus >act 2>&1 && ! grep "missingEmail" act ' From 5180dd2e9ffb46eb02ee24439f2cd24a534d2954 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:12 +0000 Subject: [PATCH 02/10] config doc: don't describe *.fetchObjects twice MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refer readers of fetch.fsckObjects and receive.fsckObjects to transfer.fsckObjects instead of repeating the description at each location. I don't think this description of them makes much sense, but for now I'm just moving the existing documentation around. Making it better will be done in a later patch. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index 43b2de7b5f..6b99cf8d71 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1463,10 +1463,9 @@ fetch.recurseSubmodules:: fetch.fsckObjects:: If it is set to true, git-fetch-pack will check all fetched - objects. It will abort in the case of a malformed object or a - broken link. The result of an abort are only dangling objects. - Defaults to false. If not set, the value of `transfer.fsckObjects` - is used instead. + objects. See `transfer.fsckObjects` for what's + checked. Defaults to false. If not set, the value of + `transfer.fsckObjects` is used instead. fetch.unpackLimit:: If the number of objects fetched over the Git native @@ -2889,10 +2888,9 @@ receive.certNonceSlop:: receive.fsckObjects:: If it is set to true, git-receive-pack will check all received - objects. It will abort in the case of a malformed object or a - broken link. The result of an abort are only dangling objects. - Defaults to false. If not set, the value of `transfer.fsckObjects` - is used instead. + objects. See `transfer.fsckObjects` for what's checked. + Defaults to false. If not set, the value of + `transfer.fsckObjects` is used instead. receive.fsck.:: When `receive.fsckObjects` is set to true, errors can be switched @@ -3389,6 +3387,10 @@ transfer.fsckObjects:: When `fetch.fsckObjects` or `receive.fsckObjects` are not set, the value of this variable is used instead. Defaults to false. ++ +When set, the fetch or receive will abort in the case of a malformed +object or a broken link. The result of an abort are only dangling +objects. transfer.hideRefs:: String(s) `receive-pack` and `upload-pack` use to decide which From b2558abdc471758ae8b30c1198e833a7a1c6616c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:13 +0000 Subject: [PATCH 03/10] config doc: unify the description of fsck.* and receive.fsck.* MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The documentation for the fsck. and receive.fsck. variables was mostly duplicated in two places, with fsck. making no mention of the corresponding receive.fsck., and the same for fsck.skipList. I spent quite a lot of time today wondering why setting the fsck. variant wasn't working to clone a legacy repository (not that that would have worked anyway, but a subsequent patch implements fetch.fsck.). Rectify this situation by describing the feature in general terms under the fsck.* documentation, and make the receive.fsck.* documentation refer to those variables instead. This documentation was initially added in 2becf00ff7 ("fsck: support demoting errors to warnings", 2015-06-22) and 4b55b9b479 ("fsck: document the new receive.fsck. options", 2015-06-22). Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 58 +++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index 6b99cf8d71..8d08250a5b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1595,15 +1595,30 @@ filter..smudge:: linkgit:gitattributes[5] for details. fsck.:: - Allows overriding the message type (error, warn or ignore) of a - specific message ID such as `missingEmail`. + During fsck git may find issues with legacy data which + wouldn't be generated by current versions of git, and which + wouldn't be sent over the wire if `transfer.fsckObjects` was + set. This feature is intended to support working with legacy + repositories containing such data. + -For convenience, fsck prefixes the error/warning with the message ID, -e.g. "missingEmail: invalid author/committer line - missing email" means -that setting `fsck.missingEmail = ignore` will hide that issue. +Setting `fsck.` will be picked up by linkgit:git-fsck[1], but +to accept pushes of such data set `receive.fsck.` instead. + -This feature is intended to support working with legacy repositories -which cannot be repaired without disruptive changes. +The rest of the documentation discusses `fsck.*` for brevity, but the +same applies for the corresponding `receive.fsck.*` variables. ++ +When `fsck.` is set, errors can be switched to warnings and +vice versa by configuring the `fsck.` setting where the +`` is the fsck message ID and the value is one of `error`, +`warn` or `ignore`. For convenience, fsck prefixes the error/warning +with the message ID, e.g. "missingEmail: invalid author/committer line +- missing email" means that setting `fsck.missingEmail = ignore` will +hide that issue. ++ +In general, it is better to enumerate existing objects with problems +with `fsck.skipList`, instead of listing the kind of breakages these +problematic objects share to be ignored, as doing the latter will +allow new instances of the same breakages go unnoticed. fsck.skipList:: The path to a sorted list of object names (i.e. one SHA-1 per @@ -1612,6 +1627,9 @@ fsck.skipList:: should be accepted despite early commits containing errors that can be safely ignored such as invalid committer email addresses. Note: corrupt objects cannot be skipped with this setting. ++ +Like `fsck.` this variable has a corresponding +`receive.fsck.skipList` variant. gc.aggressiveDepth:: The depth parameter used in the delta compression @@ -2893,26 +2911,16 @@ receive.fsckObjects:: `transfer.fsckObjects` is used instead. receive.fsck.:: - When `receive.fsckObjects` is set to true, errors can be switched - to warnings and vice versa by configuring the `receive.fsck.` - setting where the `` is the fsck message ID and the value - is one of `error`, `warn` or `ignore`. For convenience, fsck prefixes - the error/warning with the message ID, e.g. "missingEmail: invalid - author/committer line - missing email" means that setting - `receive.fsck.missingEmail = ignore` will hide that issue. -+ -This feature is intended to support working with legacy repositories -which would not pass pushing when `receive.fsckObjects = true`, allowing -the host to accept repositories with certain known issues but still catch -other issues. + Acts like `fsck.`, but is used by + linkgit:git-receive-pack[1] instead of + linkgit:git-fsck[1]. See the `fsck.` documentation for + details. receive.fsck.skipList:: - The path to a sorted list of object names (i.e. one SHA-1 per - line) that are known to be broken in a non-fatal way and should - be ignored. This feature is useful when an established project - should be accepted despite early commits containing errors that - can be safely ignored such as invalid committer email addresses. - Note: corrupt objects cannot be skipped with this setting. + Acts like `fsck.skipList`, but is used by + linkgit:git-receive-pack[1] instead of + linkgit:git-fsck[1]. See the `fsck.skipList` documentation for + details. receive.keepAlive:: After receiving the pack from the client, `receive-pack` may From 456bab87b2e5e698f1024df7a79a76627b4bdb32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:14 +0000 Subject: [PATCH 04/10] config doc: elaborate on what transfer.fsckObjects does MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The existing documentation led the user to believe that all we were doing were basic reachability sanity checks, but that hasn't been true for a very long time. Update the description to match reality, and note the caveat that there's a quarantine for accepting pushes, but not for fetching. Also mention that the fsck checks for security issues, which was my initial motivation for writing this fetch.fsck.* series. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index 8d08250a5b..291b4f3c57 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -3397,8 +3397,17 @@ transfer.fsckObjects:: Defaults to false. + When set, the fetch or receive will abort in the case of a malformed -object or a broken link. The result of an abort are only dangling -objects. +object or a link to a nonexistent object. In addition, various other +issues are checked for, including legacy issues (see `fsck.`), +and potential security issues like the existence of a `.GIT` directory +or a malicious `.gitmodules` file (see the release notes for v2.2.1 +and v2.17.1 for details). Other sanity and security checks may be +added in future releases. ++ +On the receiving side, failing fsckObjects will make those objects +unreachable, see "QUARANTINE ENVIRONMENT" in +linkgit:git-receive-pack[1]. On the fetch side, malformed objects will +instead be left unreferenced in the repository. transfer.hideRefs:: String(s) `receive-pack` and `upload-pack` use to decide which From 720dae5a19074e404224c9051152d7c64ba2acf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:15 +0000 Subject: [PATCH 05/10] config doc: elaborate on fetch.fsckObjects security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change the transfer.fsckObjects documentation to explicitly note the unique security and/or corruption issues fetch.fsckObjects suffers from, since it doesn't have a quarantine environment. This was already alluded to in the existing documentation, but let's spell it out so there's no confusion here, and give a concrete example of how to work around this limitation. Let's also prominently note that this is considered to be a limitation of the current implementation, rather than something that's intended and by design, since we might change this in the future. See https://public-inbox.org/git/20180531060259.GE17344@sigill.intra.peff.net/ for further details. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 291b4f3c57..7ff453c53b 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -3408,6 +3408,27 @@ On the receiving side, failing fsckObjects will make those objects unreachable, see "QUARANTINE ENVIRONMENT" in linkgit:git-receive-pack[1]. On the fetch side, malformed objects will instead be left unreferenced in the repository. ++ +Due to the non-quarantine nature of the `fetch.fsckObjects` +implementation it can not be relied upon to leave the object store +clean like `receive.fsckObjects` can. ++ +As objects are unpacked they're written to the object store, so there +can be cases where malicious objects get introduced even though the +"fetch" failed, only to have a subsequent "fetch" succeed because only +new incoming objects are checked, not those that have already been +written to the object store. That difference in behavior should not be +relied upon. In the future, such objects may be quarantined for +"fetch" as well. ++ +For now, the paranoid need to find some way to emulate the quarantine +environment if they'd like the same protection as "push". E.g. in the +case of an internal mirror do the mirroring in two steps, one to fetch +the untrusted objects, and then do a second "push" (which will use the +quarantine) to another internal repo, and have internal clients +consume this pushed-to repository, or embargo internal fetches and +only allow them once a full "fsck" has run (and no new fetches have +happened in the meantime). transfer.hideRefs:: String(s) `receive-pack` and `upload-pack` use to decide which From 8b55b9db23962c5623f724d9ec857226dab9631a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:16 +0000 Subject: [PATCH 06/10] transfer.fsckObjects tests: untangle confusing setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The tests for transfer.fsckObjects have grown organically over time to not make much sense. Initially when these were added in b10a53583f ("test: fetch/receive with fsckobjects", 2011-09-04) they were only testing the "corrupt or missing object" case, but later on in 70a4ae73d8 ("fsck: add a simple test for receive.fsck.", 2015-06-22) they were expanded to check for the fsck. feature. The problem was that we still kept the same corrupt test repo, making it harder to add new tests that check the entirety of the repository between operations via "git fsck" to see whether only known issues that can be ignored with fsck. have occurred. The tests only did the right thing because such a full "git fsck" was never done after a certain point, and instead we were only manipulating specific refs. This makes it harder to add new tests, and none of the fsck. tests relied on this. So let's not confuse the two and repair the corrupt repository before we run the fsck. tests. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- t/t5504-fetch-receive-strict.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index e1f8768094..57ff78c201 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -3,13 +3,16 @@ test_description='fetch/receive strict mode' . ./test-lib.sh -test_expect_success setup ' +test_expect_success 'setup and inject "corrupt or missing" object' ' echo hello >greetings && git add greetings && git commit -m greetings && S=$(git rev-parse :greetings | sed -e "s|^..|&/|") && X=$(echo bye | git hash-object -w --stdin | sed -e "s|^..|&/|") && + echo $S >S && + echo $X >X && + cp .git/objects/$S .git/objects/$S.back && mv -f .git/objects/$X .git/objects/$S && test_must_fail git fsck @@ -115,6 +118,13 @@ test_expect_success 'push with transfer.fsckobjects' ' test_cmp exp act ' +test_expect_success 'repair the "corrupt or missing" object' ' + mv -f .git/objects/$(cat S) .git/objects/$(cat X) && + mv .git/objects/$(cat S).back .git/objects/$(cat S) && + rm -rf .git/objects/$(cat X) && + git fsck +' + cat >bogus-commit < Date: Fri, 27 Jul 2018 14:37:17 +0000 Subject: [PATCH 07/10] fetch: implement fetch.fsck.* MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implement support for fetch.fsck.* corresponding with the existing receive.fsck.*. This allows for pedantically cloning repositories with specific issues without turning off fetch.fsckObjects. One such repository is https://github.com/robbyrussell/oh-my-zsh.git which before this change will emit this error when cloned with fetch.fsckObjects: error: object 2b7227859263b6aabcc28355b0b994995b7148b6: zeroPaddedFilemode: contains zero-padded file modes fatal: Error in object fatal: index-pack failed Now with fetch.fsck.zeroPaddedFilemode=warn we'll warn about that issue, but the clone will succeed: warning: object 2b7227859263b6aabcc28355b0b994995b7148b6: zeroPaddedFilemode: contains zero-padded file modes warning: object a18c4d13c2a5fa2d4ecd5346c50e119b999b807d: zeroPaddedFilemode: contains zero-padded file modes warning: object 84df066176c8da3fd59b13731a86d90f4f1e5c9d: zeroPaddedFilemode: contains zero-padded file modes The motivation for this is to be able to turn on fetch.fsckObjects globally across a fleet of computers but still be able to manually clone various legacy repositories by either white-listing specific issues, or better yet whitelist specific objects. The use of --git-dir=* instead of -C in the tests could be considered somewhat archaic, but the tests I'm adding here are duplicating the corresponding receive.* tests with as few changes as possible. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 20 +++++++++++--- fetch-pack.c | 32 +++++++++++++++++++++-- t/t5504-fetch-receive-strict.sh | 46 +++++++++++++++++++++++++++++++++ 3 files changed, 92 insertions(+), 6 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index 7ff453c53b..8dace49daa 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1467,6 +1467,16 @@ fetch.fsckObjects:: checked. Defaults to false. If not set, the value of `transfer.fsckObjects` is used instead. +fetch.fsck.:: + Acts like `fsck.`, but is used by + linkgit:git-fetch-pack[1] instead of linkgit:git-fsck[1]. See + the `fsck.` documentation for details. + +fetch.fsck.skipList:: + Acts like `fsck.skipList`, but is used by + linkgit:git-fetch-pack[1] instead of linkgit:git-fsck[1]. See + the `fsck.skipList` documentation for details. + fetch.unpackLimit:: If the number of objects fetched over the Git native transfer is below this @@ -1602,10 +1612,12 @@ fsck.:: repositories containing such data. + Setting `fsck.` will be picked up by linkgit:git-fsck[1], but -to accept pushes of such data set `receive.fsck.` instead. +to accept pushes of such data set `receive.fsck.` instead, or +to clone or fetch it set `fetch.fsck.`. + The rest of the documentation discusses `fsck.*` for brevity, but the -same applies for the corresponding `receive.fsck.*` variables. +same applies for the corresponding `receive.fsck.*` and +`fetch..*`. variables. + When `fsck.` is set, errors can be switched to warnings and vice versa by configuring the `fsck.` setting where the @@ -1628,8 +1640,8 @@ fsck.skipList:: can be safely ignored such as invalid committer email addresses. Note: corrupt objects cannot be skipped with this setting. + -Like `fsck.` this variable has a corresponding -`receive.fsck.skipList` variant. +Like `fsck.` this variable has corresponding +`receive.fsck.skipList` and `fetch.fsck.skipList` variants. gc.aggressiveDepth:: The depth parameter used in the delta compression diff --git a/fetch-pack.c b/fetch-pack.c index 7ccb9c0d45..aea2f6cf26 100644 --- a/fetch-pack.c +++ b/fetch-pack.c @@ -21,6 +21,7 @@ #include "packfile.h" #include "object-store.h" #include "connected.h" +#include "fsck.h" static int transfer_unpack_limit = -1; static int fetch_unpack_limit = -1; @@ -35,6 +36,7 @@ static int agent_supported; static int server_supports_filtering; static struct lock_file shallow_lock; static const char *alternate_shallow_file; +static struct strbuf fsck_msg_types = STRBUF_INIT; /* Remember to update object flag allocation in object.h */ #define COMPLETE (1U << 0) @@ -937,7 +939,8 @@ static int get_pack(struct fetch_pack_args *args, */ argv_array_push(&cmd.args, "--fsck-objects"); else - argv_array_push(&cmd.args, "--strict"); + argv_array_pushf(&cmd.args, "--strict%s", + fsck_msg_types.buf); } cmd.in = demux.out; @@ -1458,6 +1461,31 @@ static struct ref *do_fetch_pack_v2(struct fetch_pack_args *args, return ref; } +static int fetch_pack_config_cb(const char *var, const char *value, void *cb) +{ + if (strcmp(var, "fetch.fsck.skiplist") == 0) { + const char *path; + + if (git_config_pathname(&path, var, value)) + return 1; + strbuf_addf(&fsck_msg_types, "%cskiplist=%s", + fsck_msg_types.len ? ',' : '=', path); + free((char *)path); + return 0; + } + + if (skip_prefix(var, "fetch.fsck.", &var)) { + if (is_valid_msg_type(var, value)) + strbuf_addf(&fsck_msg_types, "%c%s=%s", + fsck_msg_types.len ? ',' : '=', var, value); + else + warning("Skipping unknown msg id '%s'", var); + return 0; + } + + return git_default_config(var, value, cb); +} + static void fetch_pack_config(void) { git_config_get_int("fetch.unpacklimit", &fetch_unpack_limit); @@ -1466,7 +1494,7 @@ static void fetch_pack_config(void) git_config_get_bool("fetch.fsckobjects", &fetch_fsck_objects); git_config_get_bool("transfer.fsckobjects", &transfer_fsck_objects); - git_config(git_default_config, NULL); + git_config(fetch_pack_config_cb, NULL); } static void fetch_pack_setup(void) diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index 57ff78c201..004bfebe98 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -145,6 +145,20 @@ test_expect_success 'push with receive.fsck.skipList' ' git push --porcelain dst bogus ' +test_expect_success 'fetch with fetch.fsck.skipList' ' + commit="$(git hash-object -t commit -w --stdin dst/.git/SKIP && + git --git-dir=dst/.git fetch "file://$(pwd)" $refspec +' + + test_expect_success 'push with receive.fsck.missingEmail=warn' ' commit="$(git hash-object -t commit -w --stdin act 2>&1 && + grep "missingEmail" act && + rm -rf dst && + git init dst && + git --git-dir=dst/.git config fetch.fsckobjects true && + git --git-dir=dst/.git config \ + fetch.fsck.missingEmail ignore && + git --git-dir=dst/.git fetch "file://$(pwd)" $refspec >act 2>&1 && + ! grep "missingEmail" act +' + test_expect_success \ 'receive.fsck.unterminatedHeader=warn triggers error' ' rm -rf dst && @@ -174,4 +209,15 @@ test_expect_success \ grep "Cannot demote unterminatedheader" act ' +test_expect_success \ + 'fetch.fsck.unterminatedHeader=warn triggers error' ' + rm -rf dst && + git init dst && + git --git-dir=dst/.git config fetch.fsckobjects true && + git --git-dir=dst/.git config \ + fetch.fsck.unterminatedheader warn && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" HEAD && + grep "Cannot demote unterminatedheader" act +' + test_done From d786da1cd9c43b6747c78811a4b6ab2028dfaf50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:18 +0000 Subject: [PATCH 08/10] fsck: test & document {fetch,receive}.fsck.* config fallback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test and document that the {fetch,receive}.fsck.* family of variables doesn't fall back on the corresponding .fsck.* variables. This was alluded to in the existing documentation by saying that "receive" looks at receive.fsck.* and "fsck" looks at fsck.* etc., but it wasn't explicitly stated that there was no fallback, and if you'd e.g. like to configure the skipList you need to do that for all three. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 12 ++++++++++++ t/t5504-fetch-receive-strict.sh | 26 ++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index 8dace49daa..57c463c6e2 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1619,6 +1619,12 @@ The rest of the documentation discusses `fsck.*` for brevity, but the same applies for the corresponding `receive.fsck.*` and `fetch..*`. variables. + +Unlike variables like `color.ui` and `core.editor` the +`receive.fsck.` and `fetch.fsck.` variables will not +fall back on the `fsck.` configuration if they aren't set. To +uniformly configure the same fsck settings in different circumstances +all three of them they must all set to the same values. ++ When `fsck.` is set, errors can be switched to warnings and vice versa by configuring the `fsck.` setting where the `` is the fsck message ID and the value is one of `error`, @@ -1642,6 +1648,12 @@ fsck.skipList:: + Like `fsck.` this variable has corresponding `receive.fsck.skipList` and `fetch.fsck.skipList` variants. ++ +Unlike variables like `color.ui` and `core.editor` the +`receive.fsck.skipList` and `fetch.fsck.skipList` variables will not +fall back on the `fsck.skipList` configuration if they aren't set. To +uniformly configure the same fsck settings in different circumstances +all three of them they must all set to the same values. gc.aggressiveDepth:: The depth parameter used in the delta compression diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index 004bfebe98..771a94b4b6 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -140,8 +140,13 @@ test_expect_success 'push with receive.fsck.skipList' ' git init dst && git --git-dir=dst/.git config receive.fsckObjects true && test_must_fail git push --porcelain dst bogus && - git --git-dir=dst/.git config receive.fsck.skipList SKIP && echo $commit >dst/.git/SKIP && + + # receive.fsck.* does not fall back on fsck.* + git --git-dir=dst/.git config fsck.skipList SKIP && + test_must_fail git push --porcelain dst bogus && + + git --git-dir=dst/.git config receive.fsck.skipList SKIP && git push --porcelain dst bogus ' @@ -153,8 +158,15 @@ test_expect_success 'fetch with fetch.fsck.skipList' ' git init dst && git --git-dir=dst/.git config fetch.fsckObjects true && test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && - git --git-dir=dst/.git config fetch.fsck.skipList dst/.git/SKIP && + git --git-dir=dst/.git config fetch.fsck.skipList /dev/null && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && echo $commit >dst/.git/SKIP && + + # fetch.fsck.* does not fall back on fsck.* + git --git-dir=dst/.git config fsck.skipList dst/.git/SKIP && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + + git --git-dir=dst/.git config fetch.fsck.skipList dst/.git/SKIP && git --git-dir=dst/.git fetch "file://$(pwd)" $refspec ' @@ -166,6 +178,11 @@ test_expect_success 'push with receive.fsck.missingEmail=warn' ' git init dst && git --git-dir=dst/.git config receive.fsckobjects true && test_must_fail git push --porcelain dst bogus && + + # receive.fsck. does not fall back on fsck. + git --git-dir=dst/.git config fsck.missingEmail warn && + test_must_fail git push --porcelain dst bogus && + git --git-dir=dst/.git config \ receive.fsck.missingEmail warn && git push --porcelain dst bogus >act 2>&1 && @@ -185,6 +202,11 @@ test_expect_success 'fetch with fetch.fsck.missingEmail=warn' ' git init dst && git --git-dir=dst/.git config fetch.fsckobjects true && test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + + # fetch.fsck. does not fall back on fsck. + git --git-dir=dst/.git config fsck.missingEmail warn && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + git --git-dir=dst/.git config \ fetch.fsck.missingEmail warn && git --git-dir=dst/.git fetch "file://$(pwd)" $refspec >act 2>&1 && From 65a836fa6bf9e9cf604e22855e744af61e708664 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:19 +0000 Subject: [PATCH 09/10] fsck: add stress tests for fsck.skipList MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Stress test the parsing logic shared by fsck.skipList and {fetch,receive}.fsck.skipList added in cd94c6f91e ("fsck: git receive-pack: support excluding objects from fsck'ing", 2015-06-22). There were no tests for the work done by the init_skiplist() routine, e.g. how it dies on invalid input. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- t/t5504-fetch-receive-strict.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index 771a94b4b6..7f06b537d3 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -133,6 +133,14 @@ committer Bugs Bunny 1234567890 +0000 This commit object intentionally broken EOF +test_expect_success 'fsck with invalid or bogus skipList input' ' + git -c fsck.skipList=/dev/null -c fsck.missingEmail=ignore fsck && + test_must_fail git -c fsck.skipList=does-not-exist -c fsck.missingEmail=ignore fsck 2>err && + test_i18ngrep "Could not open skip list: does-not-exist" err && + test_must_fail git -c fsck.skipList=.git/config -c fsck.missingEmail=ignore fsck 2>err && + test_i18ngrep "Invalid SHA-1: \[core\]" err +' + test_expect_success 'push with receive.fsck.skipList' ' commit="$(git hash-object -t commit -w --stdin err && + test_i18ngrep "Could not open skip list: does-not-exist" err && + git --git-dir=dst/.git config receive.fsck.skipList config && + test_must_fail git push --porcelain dst bogus 2>err && + test_i18ngrep "Invalid SHA-1: \[core\]" err && + git --git-dir=dst/.git config receive.fsck.skipList SKIP && git push --porcelain dst bogus ' @@ -166,6 +184,16 @@ test_expect_success 'fetch with fetch.fsck.skipList' ' git --git-dir=dst/.git config fsck.skipList dst/.git/SKIP && test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + # Invalid and/or bogus skipList input + git --git-dir=dst/.git config fetch.fsck.skipList /dev/null && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + git --git-dir=dst/.git config fetch.fsck.skipList does-not-exist && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec 2>err && + test_i18ngrep "Could not open skip list: does-not-exist" err && + git --git-dir=dst/.git config fetch.fsck.skipList dst/.git/config && + test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec 2>err && + test_i18ngrep "Invalid SHA-1: \[core\]" err && + git --git-dir=dst/.git config fetch.fsck.skipList dst/.git/SKIP && git --git-dir=dst/.git fetch "file://$(pwd)" $refspec ' From 8a6d0525b74fe07bde0436e4cbf87b23adf7df0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?= Date: Fri, 27 Jul 2018 14:37:20 +0000 Subject: [PATCH 10/10] fsck: test and document unknown fsck. values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When fsck. is set to an unknown value it'll cause "fsck" to die, but the same is not true of the "fetch" and "receive" variants. Document this and test for it. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/config.txt | 4 ++++ t/t5504-fetch-receive-strict.sh | 14 ++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index 57c463c6e2..4cead6119a 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1637,6 +1637,10 @@ In general, it is better to enumerate existing objects with problems with `fsck.skipList`, instead of listing the kind of breakages these problematic objects share to be ignored, as doing the latter will allow new instances of the same breakages go unnoticed. ++ +Setting an unknown `fsck.` value will cause fsck to die, but +doing the same for `receive.fsck.` and `fetch.fsck.` +will only cause git to warn. fsck.skipList:: The path to a sorted list of object names (i.e. one SHA-1 per diff --git a/t/t5504-fetch-receive-strict.sh b/t/t5504-fetch-receive-strict.sh index 7f06b537d3..62f3569891 100755 --- a/t/t5504-fetch-receive-strict.sh +++ b/t/t5504-fetch-receive-strict.sh @@ -198,6 +198,10 @@ test_expect_success 'fetch with fetch.fsck.skipList' ' git --git-dir=dst/.git fetch "file://$(pwd)" $refspec ' +test_expect_success 'fsck. dies' ' + test_must_fail git -c fsck.whatEver=ignore fsck 2>err && + test_i18ngrep "Unhandled message id: whatever" err +' test_expect_success 'push with receive.fsck.missingEmail=warn' ' commit="$(git hash-object -t commit -w --stdin warns + git --git-dir=dst/.git config \ + receive.fsck.whatEver error && + git --git-dir=dst/.git config \ receive.fsck.missingEmail warn && git push --porcelain dst bogus >act 2>&1 && grep "missingEmail" act && + test_i18ngrep "Skipping unknown msg id.*whatever" act && git --git-dir=dst/.git branch -D bogus && git --git-dir=dst/.git config --add \ receive.fsck.missingEmail ignore && @@ -235,10 +244,15 @@ test_expect_success 'fetch with fetch.fsck.missingEmail=warn' ' git --git-dir=dst/.git config fsck.missingEmail warn && test_must_fail git --git-dir=dst/.git fetch "file://$(pwd)" $refspec && + # receive.fsck. warns + git --git-dir=dst/.git config \ + fetch.fsck.whatEver error && + git --git-dir=dst/.git config \ fetch.fsck.missingEmail warn && git --git-dir=dst/.git fetch "file://$(pwd)" $refspec >act 2>&1 && grep "missingEmail" act && + test_i18ngrep "Skipping unknown msg id.*whatever" act && rm -rf dst && git init dst && git --git-dir=dst/.git config fetch.fsckobjects true &&