[PATCH] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[PATCH] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[SZEDER Gábor]

Every once in a while a test somehow manages to escape from its trash
directory and modifies the surrounding repository, whether because of
a bug in git itself, a bug in a test [1], or e.g. when trying to run
tests with a shell that is, in general, unable to run our tests [2].

Set GIT_CEILING_DIRECTORIES="$GIT_BUILD_DIR" as an additional safety
measure to protect the surrounding repository at least from
modifications by git commands executed in the tests (though it won't
save us from regular shell commands, e.g. 'cd .. && rm -f ...').

[1] e.g. https://public-inbox.org/git/20210423051255.GD2947267@szeder.dev
[2] $ git symbolic-ref HEAD
    refs/heads/master
    $ ksh ./t2011-checkout-invalid-head.sh
    [... a lot of "not ok" ...]
    $ git symbolic-ref HEAD
    refs/heads/other

    (In short: 'ksh' doesn't support the 'local' builtin command,
    which is used by 'test_oid', causing it to return with error
    whenever called, leaving ZERO_OID set to empty, so when 'checkout
    main from invalid HEAD' runs 'echo $ZERO_OID >.git/HEAD' writes a
    corrupt (not invalid) HEAD, and subsequent git commands don't
    recognize the repository in the trash directory anymore, but
    operate on the surrounding repo.)

Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
---
 t/test-lib.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/t/test-lib.sh b/t/test-lib.sh
index abcfbed6d6..a1e0182c2f 100644
--- a/t/test-lib.sh
+++ b/t/test-lib.sh
@@ -1343,7 +1343,8 @@ fi
 GIT_TEMPLATE_DIR="$GIT_BUILD_DIR"/templates/blt
 GIT_CONFIG_NOSYSTEM=1
 GIT_ATTR_NOSYSTEM=1
-export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM
+GIT_CEILING_DIRECTORIES="$GIT_BUILD_DIR"
+export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM GIT_CEILING_DIRECTORIES
 
 if test -z "$GIT_TEST_CMP"
 then
-- 
2.33.0.358.g803110d36e

Re: [PATCH] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[Carlo Arenas]

On Sat, Aug 28, 2021 at 5:15 AM SZEDER Gábor <szeder.dev@gmail.com> wrote:
> diff --git a/t/test-lib.sh b/t/test-lib.sh
> index abcfbed6d6..a1e0182c2f 100644
> --- a/t/test-lib.sh
> +++ b/t/test-lib.sh
> @@ -1343,7 +1343,8 @@ fi
>  GIT_TEMPLATE_DIR="$GIT_BUILD_DIR"/templates/blt
>  GIT_CONFIG_NOSYSTEM=1
>  GIT_ATTR_NOSYSTEM=1
> -export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM
> +GIT_CEILING_DIRECTORIES="$GIT_BUILD_DIR"

this wouldn't work as expected with --root and would be IMHO safer
anyway if using instead

  GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.."

Carlo

Re: [PATCH] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[SZEDER Gábor]

On Sat, Aug 28, 2021 at 12:56:24PM -0700, Carlo Arenas wrote:
> On Sat, Aug 28, 2021 at 5:15 AM SZEDER Gábor <szeder.dev@gmail.com> wrote:
> > diff --git a/t/test-lib.sh b/t/test-lib.sh
> > index abcfbed6d6..a1e0182c2f 100644
> > --- a/t/test-lib.sh
> > +++ b/t/test-lib.sh
> > @@ -1343,7 +1343,8 @@ fi
> >  GIT_TEMPLATE_DIR="$GIT_BUILD_DIR"/templates/blt
> >  GIT_CONFIG_NOSYSTEM=1
> >  GIT_ATTR_NOSYSTEM=1
> > -export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM
> > +GIT_CEILING_DIRECTORIES="$GIT_BUILD_DIR"
> 
> this wouldn't work as expected with --root and would be IMHO safer
> anyway if using instead
> 
>   GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.."

Thanks, I completely forgot about '--root'.

[PATCH v2] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[SZEDER Gábor]

Every once in a while a test somehow manages to escape from its trash
directory and modifies the surrounding repository, whether because of
a bug in git itself, a bug in a test [1], or e.g. when trying to run
tests with a shell that is, in general, unable to run our tests [2].

Set GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.." as an additional
safety measure to protect the surrounding repository at least from
modifications by git commands executed in the tests (assuming that
handling of ceiling directories during repository discovery is not
broken, and, of course, it won't save us from regular shell commands,
e.g. 'cd .. && rm -f ...').

[1] e.g. https://public-inbox.org/git/20210423051255.GD2947267@szeder.dev
[2] $ git symbolic-ref HEAD
    refs/heads/master
    $ ksh ./t2011-checkout-invalid-head.sh
    [... a lot of "not ok" ...]
    $ git symbolic-ref HEAD
    refs/heads/other

    (In short: 'ksh' doesn't support the 'local' builtin command,
    which is used by 'test_oid', causing it to return with error
    whenever it's called, leaving ZERO_OID set to empty, so when the
    test 'checkout main from invalid HEAD' runs 'echo $ZERO_OID
    >.git/HEAD' it writes a corrupt (not invalid) HEAD, and subsequent
    git commands don't recognize the repository in the trash directory
    anymore, but operate on the surrounding repo.)

Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
---
Changes since v1:
 - Set "$TRASH_DIRECTORY/.." instead of $GIT_BUILD_DIR.
 - Minor commit message tweaks.

 t/test-lib.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/t/test-lib.sh b/t/test-lib.sh
index abcfbed6d6..fc1e521519 100644
--- a/t/test-lib.sh
+++ b/t/test-lib.sh
@@ -1343,7 +1343,8 @@ fi
 GIT_TEMPLATE_DIR="$GIT_BUILD_DIR"/templates/blt
 GIT_CONFIG_NOSYSTEM=1
 GIT_ATTR_NOSYSTEM=1
-export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM
+GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.."
+export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM GIT_CEILING_DIRECTORIES
 
 if test -z "$GIT_TEST_CMP"
 then
-- 
2.33.0.361.g6f8e582daa

Re: [PATCH v2] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[Ævar Arnfjörð Bjarmason]

On Sun, Aug 29 2021, SZEDER Gábor wrote:

> Every once in a while a test somehow manages to escape from its trash
> directory and modifies the surrounding repository, whether because of
> a bug in git itself, a bug in a test [1], or e.g. when trying to run
> tests with a shell that is, in general, unable to run our tests [2].
>
> Set GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.." as an additional
> safety measure to protect the surrounding repository at least from
> modifications by git commands executed in the tests (assuming that
> handling of ceiling directories during repository discovery is not
> broken, and, of course, it won't save us from regular shell commands,
> e.g. 'cd .. && rm -f ...').
>
> [1] e.g. https://public-inbox.org/git/20210423051255.GD2947267@szeder.dev
> [2] $ git symbolic-ref HEAD
>     refs/heads/master
>     $ ksh ./t2011-checkout-invalid-head.sh
>     [... a lot of "not ok" ...]
>     $ git symbolic-ref HEAD
>     refs/heads/other
>
>     (In short: 'ksh' doesn't support the 'local' builtin command,
>     which is used by 'test_oid', causing it to return with error
>     whenever it's called, leaving ZERO_OID set to empty, so when the
>     test 'checkout main from invalid HEAD' runs 'echo $ZERO_OID
>     >.git/HEAD' it writes a corrupt (not invalid) HEAD, and subsequent
>     git commands don't recognize the repository in the trash directory
>     anymore, but operate on the surrounding repo.)
>
> Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
> ---
> Changes since v1:
>  - Set "$TRASH_DIRECTORY/.." instead of $GIT_BUILD_DIR.
>  - Minor commit message tweaks.
>
>  t/test-lib.sh | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/t/test-lib.sh b/t/test-lib.sh
> index abcfbed6d6..fc1e521519 100644
> --- a/t/test-lib.sh
> +++ b/t/test-lib.sh
> @@ -1343,7 +1343,8 @@ fi
>  GIT_TEMPLATE_DIR="$GIT_BUILD_DIR"/templates/blt
>  GIT_CONFIG_NOSYSTEM=1
>  GIT_ATTR_NOSYSTEM=1
> -export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM
> +GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.."
> +export PATH GIT_EXEC_PATH GIT_TEMPLATE_DIR GIT_CONFIG_NOSYSTEM GIT_ATTR_NOSYSTEM GIT_CEILING_DIRECTORIES
>  
>  if test -z "$GIT_TEST_CMP"
>  then

For what it's worth I'm very happy with this, and have been running this
in my own daily build of git, I've occasionally ran into e.g. needing to
manually clean up my own git.git's config file because some test escaped
its trash directory.

Re: [PATCH v2] test-lib: set GIT_CEILING_DIRECTORIES to protect the surrounding repository

[SZEDER Gábor]

On Tue, Aug 31, 2021 at 04:40:39PM +0200, Ævar Arnfjörð Bjarmason wrote:
> 
> On Sun, Aug 29 2021, SZEDER Gábor wrote:
> 
> > Every once in a while a test somehow manages to escape from its trash
> > directory and modifies the surrounding repository, whether because of
> > a bug in git itself, a bug in a test [1], or e.g. when trying to run
> > tests with a shell that is, in general, unable to run our tests [2].
> >
> > Set GIT_CEILING_DIRECTORIES="$TRASH_DIRECTORY/.." as an additional
> > safety measure to protect the surrounding repository at least from
> > modifications by git commands executed in the tests (assuming that
> > handling of ceiling directories during repository discovery is not
> > broken, and, of course, it won't save us from regular shell commands,
> > e.g. 'cd .. && rm -f ...').

> For what it's worth I'm very happy with this, and have been running this
> in my own daily build of git, I've occasionally ran into e.g. needing to
> manually clean up my own git.git's config file because some test escaped
> its trash directory.

Thanks, that's a good point.

After a test escapes from its trash directory I routinely check the
content of the work tree and look for stray refs, but it never occured
to me that I should look at the config, too.  And indeed, at the
bottom of .git/config there are two config variables that I don't
remember setting (actually don't even know what they do).