From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Emily Shaffer <emilyshaffer@google.com>
Cc: git@vger.kernel.org, "Jeff King" <peff@peff.net>,
"Junio C Hamano" <gitster@pobox.com>,
"James Ramsay" <james@jramsay.com.au>,
"Jonathan Nieder" <jrnieder@gmail.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Phillip Wood" <phillip.wood123@gmail.com>,
"Josh Steadmon" <steadmon@google.com>
Subject: Re: [PATCH] doc: propose hooks managed by the config
Date: Sat, 25 Apr 2020 20:57:27 +0000 [thread overview]
Message-ID: <20200425205727.GB6421@camp.crustytoothpaste.net> (raw)
In-Reply-To: <20200420235310.94493-1-emilyshaffer@google.com>
[-- Attachment #1: Type: text/plain, Size: 4591 bytes --]
On 2020-04-20 at 23:53:10, Emily Shaffer wrote:
> +=== Config schema
> +
> +Hooks can be introduced by editing the configuration manually. There are two new
> +sections added, `hook` and `hookcmd`.
> +
> +==== `hook`
> +
> +Primarily contains subsections for each hook event. These subsections define
> +hook command execution order; hook commands can be specified by passing the
> +command directly if no additional configuration is needed, or by passing the
> +name of a `hookcmd`. If Git does not find a `hookcmd` whose subsection matches
> +the value of the given command string, Git will try to execute the string
> +directly. Hook event subsections can also contain per-hook-event settings.
Can we say explicitly that the commands are invoked by the shell? Or is
the plan to try to parse them without passing to the shell?
> +Also contains top-level hook execution settings, for example,
> +`hook.warnHookDir`, `hook.runHookDir`, or `hook.disableAll`.
> +
> +----
> +[hook "pre-commit"]
> + command = perl-linter
> + command = /usr/bin/git-secrets --pre-commit
> +
> +[hook "pre-applypatch"]
> + command = perl-linter
> + error = ignore
> +
> +[hook]
> + warnHookDir = true
> + runHookDir = prompt
> +----
> +
> +==== `hookcmd`
> +
> +Defines a hook command and its attributes, which will be used when a hook event
> +occurs. Unqualified attributes are assumed to apply to this hook during all hook
> +events, but event-specific attributes can also be supplied. The example runs
> +`/usr/bin/lint-it --language=perl <args passed by Git>`, but for repos which
> +include this config, the hook command will be skipped for all events to which
> +it's normally subscribed _except_ `pre-commit`.
> +
> +----
> +[hookcmd "perl-linter"]
> + command = /usr/bin/lint-it --language=perl
> + skip = true
> + pre-commit-skip = false
> +----
This seems fine to me. I like this design and it seems sane.
> +== Implementation
> +
> +=== Library
> +
> +`hook.c` and `hook.h` are responsible for interacting with the config files. In
> +the case when the code generating a hook event doesn't have special concerns
> +about how to run the hooks, the hook library will provide a basic API to call
> +all hooks in config order with an `argv_array` provided by the code which
> +generates the hook event:
> +
> +*`int run_hooks(const char *hookname, struct argv_array *args)`*
> +
> +This call includes the hook command provided by `run-command.h:find_hook()`;
> +eventually, this legacy hook will be gated by a config `hook.runHookDir`. The
> +config is checked against a number of cases:
> +
> +- "no": the legacy hook will not be run
> +- "interactive": Git will prompt the user before running the legacy hook
> +- "warn": Git will print a warning to stderr before running the legacy hook
> +- "yes" (default): Git will silently run the legacy hook
> +
> +If `hook.runHookDir` is provided more than once, Git will use the most
> +restrictive setting provided, for security reasons.
I don't think this is consistent with the way the rest of our options
work. What if someone generally wants to disable legacy hooks but then
works with a program in a repository that requires them?
> +== Caveats
> +
> +=== Security and repo config
> +
> +Part of the motivation behind this refactor is to mitigate hooks as an attack
> +vector;footnote:[https://lore.kernel.org/git/20171002234517.GV19555@aiede.mtv.corp.google.com/]
> +however, as the design stands, users can still provide hooks in the repo-level
> +config, which is included when a repo is zipped and sent elsewhere. The
> +security of the repo-level config is still under discussion; this design
> +generally assumes the repo-level config is secure, which is not true yet. The
> +goal is to avoid an overcomplicated design to work around a problem which has
> +ceased to exist.
I want to be clear that I'm very much opposed to trying to "secure" the
config as a whole. I believe that it's going to ultimately lead to a
variety of new and interesting attack vectors and will lead to Git
becoming a CVE factory. Vim has this problem with modelines, for
example.
I think we should maintain the status quo that the only safe things you
can do with an untrusted repository are clone and fetch because it sets
a clear security boundary.
Having said that, I'm otherwise pretty happy with this design and I'm
looking forward to seeing it implemented.
--
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]
next prev parent reply other threads:[~2020-04-25 20:57 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-12 3:55 Notes from Git Contributor Summit, Los Angeles (April 5, 2020) James Ramsay
2020-03-12 3:56 ` [TOPIC 1/17] Reftable James Ramsay
2020-03-12 3:56 ` [TOPIC 2/17] Hooks in the future James Ramsay
2020-03-12 14:16 ` Emily Shaffer
2020-03-13 17:56 ` Junio C Hamano
2020-04-07 23:01 ` Emily Shaffer
2020-04-07 23:51 ` Emily Shaffer
2020-04-08 0:40 ` Junio C Hamano
2020-04-08 1:09 ` Emily Shaffer
2020-04-10 21:31 ` Jeff King
2020-04-13 19:15 ` Emily Shaffer
2020-04-13 21:52 ` Jeff King
2020-04-14 0:54 ` [RFC PATCH v2 0/2] configuration-based hook management (was: [TOPIC 2/17] Hooks in the future) Emily Shaffer
2020-04-14 0:54 ` [RFC PATCH v2 1/2] hook: scaffolding for git-hook subcommand Emily Shaffer
2020-04-14 0:54 ` [RFC PATCH v2 2/2] hook: add --list mode Emily Shaffer
2020-04-14 15:15 ` [RFC PATCH v2 0/2] configuration-based hook management Phillip Wood
2020-04-14 19:24 ` Emily Shaffer
2020-04-14 20:27 ` Jeff King
2020-04-15 10:01 ` Phillip Wood
2020-04-14 20:03 ` Josh Steadmon
2020-04-15 10:08 ` Phillip Wood
2020-04-14 20:32 ` Jeff King
2020-04-15 10:01 ` Phillip Wood
2020-04-15 14:51 ` Junio C Hamano
2020-04-15 20:30 ` Emily Shaffer
2020-04-15 22:19 ` Junio C Hamano
2020-04-15 3:45 ` [TOPIC 2/17] Hooks in the future Jonathan Nieder
2020-04-15 20:59 ` Emily Shaffer
2020-04-20 23:53 ` [PATCH] doc: propose hooks managed by the config Emily Shaffer
2020-04-21 0:22 ` Emily Shaffer
2020-04-21 1:20 ` Junio C Hamano
2020-04-24 23:14 ` Emily Shaffer
2020-04-25 20:57 ` brian m. carlson [this message]
2020-05-06 21:33 ` Emily Shaffer
2020-05-06 23:13 ` brian m. carlson
2020-05-19 20:10 ` Emily Shaffer
2020-04-15 22:42 ` [TOPIC 2/17] Hooks in the future Jeff King
2020-04-15 22:48 ` Emily Shaffer
2020-04-15 22:57 ` Jeff King
2020-03-12 3:57 ` [TOPIC 3/17] Obliterate James Ramsay
2020-03-12 18:06 ` Konstantin Ryabitsev
2020-03-15 22:19 ` Damien Robert
2020-03-16 12:55 ` Konstantin Tokarev
2020-03-26 22:27 ` Damien Robert
2020-03-16 16:32 ` Elijah Newren
2020-03-26 22:30 ` Damien Robert
2020-03-16 18:32 ` Phillip Susi
2020-03-26 22:37 ` Damien Robert
2020-03-16 20:01 ` Philip Oakley
2020-05-16 2:21 ` nbelakovski
2020-03-12 3:58 ` [TOPIC 4/17] Sparse checkout James Ramsay
2020-03-12 4:00 ` [TOPIC 5/17] Partial Clone James Ramsay
2020-03-17 7:38 ` Allowing only blob filtering was: " Christian Couder
2020-03-17 20:39 ` [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices Taylor Blau
2020-03-17 20:39 ` [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' Taylor Blau
2020-03-17 20:53 ` Eric Sunshine
2020-03-18 10:03 ` Jeff King
2020-03-18 19:40 ` Junio C Hamano
2020-03-18 22:38 ` Eric Sunshine
2020-03-19 17:15 ` Jeff King
2020-03-18 21:05 ` Taylor Blau
2020-03-17 20:39 ` [RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) Taylor Blau
2020-03-17 21:11 ` Eric Sunshine
2020-03-18 21:18 ` Taylor Blau
2020-03-18 11:18 ` Philip Oakley
2020-03-18 21:20 ` Taylor Blau
2020-03-18 10:18 ` [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices Jeff King
2020-03-18 18:26 ` Re*: " Junio C Hamano
2020-03-19 17:03 ` Jeff King
2020-03-18 21:28 ` Taylor Blau
2020-03-18 22:41 ` Junio C Hamano
2020-03-19 17:10 ` Jeff King
2020-03-19 17:09 ` Jeff King
2020-04-17 9:41 ` Christian Couder
2020-04-17 17:40 ` Taylor Blau
2020-04-17 18:06 ` Jeff King
2020-04-21 12:34 ` Christian Couder
2020-04-22 20:41 ` Taylor Blau
2020-04-22 20:42 ` Taylor Blau
2020-04-21 12:17 ` Christian Couder
2020-03-12 4:01 ` [TOPIC 6/17] GC strategies James Ramsay
2020-03-12 4:02 ` [TOPIC 7/17] Background operations/maintenance James Ramsay
2020-03-12 4:03 ` [TOPIC 8/17] Push performance James Ramsay
2020-03-12 4:04 ` [TOPIC 9/17] Obsolescence markers and evolve James Ramsay
2020-05-09 21:31 ` Noam Soloveichik
2020-05-15 22:26 ` Jeff King
2020-03-12 4:05 ` [TOPIC 10/17] Expel ‘git shell’? James Ramsay
2020-03-12 4:07 ` [TOPIC 11/17] GPL enforcement James Ramsay
2020-03-12 4:08 ` [TOPIC 12/17] Test harness improvements James Ramsay
2020-03-12 4:09 ` [TOPIC 13/17] Cross implementation test suite James Ramsay
2020-03-12 4:11 ` [TOPIC 14/17] Aspects of merge-ort: cool, or crimes against humanity? James Ramsay
2020-03-12 4:13 ` [TOPIC 15/17] Reachability checks James Ramsay
2020-03-12 4:14 ` [TOPIC 16/17] “I want a reviewer” James Ramsay
2020-03-12 13:31 ` Emily Shaffer
2020-03-12 17:31 ` Konstantin Ryabitsev
2020-03-12 17:42 ` Jonathan Nieder
2020-03-12 18:00 ` Konstantin Ryabitsev
2020-03-17 0:43 ` Philippe Blain
2020-03-13 21:25 ` Eric Wong
2020-03-14 17:27 ` Jeff King
2020-03-15 0:36 ` inbox indexing wishlist [was: [TOPIC 16/17] “I want a reviewer”] Eric Wong
2020-03-12 4:16 ` [TOPIC 17/17] Security James Ramsay
2020-03-12 14:38 ` Notes from Git Contributor Summit, Los Angeles (April 5, 2020) Derrick Stolee
2020-03-13 20:47 ` Jeff King
2020-03-15 18:42 ` Jakub Narebski
2020-03-16 19:31 ` Jeff King
-- strict thread matches above, loose matches on Subject: below --
2019-12-10 2:33 [PATCH 0/6] configuration-based hook management Emily Shaffer
2019-12-10 2:33 ` [PATCH 1/6] hook: scaffolding for git-hook subcommand Emily Shaffer
2019-12-12 9:41 ` Bert Wesarg
2019-12-12 10:47 ` SZEDER Gábor
2019-12-10 2:33 ` [PATCH 2/6] config: add string mapping for enum config_scope Emily Shaffer
2019-12-10 11:16 ` Philip Oakley
2019-12-10 17:21 ` Philip Oakley
2019-12-10 2:33 ` [PATCH 3/6] hook: add --list mode Emily Shaffer
2019-12-12 9:38 ` Bert Wesarg
2019-12-12 10:58 ` SZEDER Gábor
2019-12-10 2:33 ` [PATCH 4/6] hook: support reordering of hook list Emily Shaffer
2019-12-11 19:21 ` Junio C Hamano
2019-12-10 2:33 ` [PATCH 5/6] hook: remove prior hook with '---' Emily Shaffer
2019-12-10 2:33 ` [PATCH 6/6] hook: teach --porcelain mode Emily Shaffer
2019-12-11 19:33 ` Junio C Hamano
2019-12-11 22:00 ` Emily Shaffer
2019-12-11 22:07 ` Junio C Hamano
2019-12-11 23:15 ` Emily Shaffer
2019-12-11 22:42 ` [PATCH 0/6] configuration-based hook management Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200425205727.GB6421@camp.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=avarab@gmail.com \
--cc=emilyshaffer@google.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=james@jramsay.com.au \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
--cc=phillip.wood123@gmail.com \
--cc=steadmon@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).