pathspec: problems with too long command line

pathspec: problems with too long command line

[Marc Strapetz]

 From our GUI client we are invoking git operations on a possibly large 
set of files. This may result in pathspecs which are exceeding the 
maximum command line length, especially on Windows [1] and OSX [2]. To 
workaround this problem we are currently splitting up such operations by 
invoking multiple git commands. This works well for some commands (like 
add), but doesn't work well for others (like commit).

A possible solution could be to add another patchspec magic word which 
will read paths from a file instead of command line. A similar approach 
can be found in Mercurial with its "listfile:" pattern [3].

Does that sound reasonable? If so, we should be able to provide a 
corresponding patch.

-Marc

[1] https://blogs.msdn.microsoft.com/oldnewthing/20031210-00/?p=41553/
[2] https://serverfault.com/questions/69430
[3] https://www.mercurial-scm.org/repo/hg/help/patterns

Re: pathspec: problems with too long command line

[Jeff King]

On Wed, Nov 21, 2018 at 10:23:34AM +0100, Marc Strapetz wrote:

> From our GUI client we are invoking git operations on a possibly large set
> of files. This may result in pathspecs which are exceeding the maximum
> command line length, especially on Windows [1] and OSX [2]. To workaround
> this problem we are currently splitting up such operations by invoking
> multiple git commands. This works well for some commands (like add), but
> doesn't work well for others (like commit).
> 
> A possible solution could be to add another patchspec magic word which will
> read paths from a file instead of command line. A similar approach can be
> found in Mercurial with its "listfile:" pattern [3].
> 
> Does that sound reasonable? If so, we should be able to provide a
> corresponding patch.

Quite a few commands take --stdin, which can be used to send pathspecs
(and often other stuff) without size limits. I don't think either
"commit" or "add" does, but that might be another route.

I'm slightly nervous at a pathspec that starts reading arbitrary files,
because I suspect there may be interesting ways to abuse it for services
which expose Git. E.g., if I have a web service which can show the
history of a file, I might take a $file parameter from the client and
run "git rev-list -- $file" (handling shell quoting, of course). That's
OK now, but with the proposed pathspec magic, a malicious user could ask
for ":(from-file=/etc/passwd)" or whatever.

I dunno. Maybe that is overly paranoid, and certainly servers like that
are a subset of users. And perhaps such servers should be specifying
GIT_LITERAL_PATHSPECS=1 anyway.

-Peff

Re: pathspec: problems with too long command line

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Wed, Nov 21, 2018 at 10:23:34AM +0100, Marc Strapetz wrote:
>
>> From our GUI client we are invoking git operations on a possibly large set
>> of files. ...
>> command line length, especially on Windows [1] and OSX [2]. To workaround
>> this problem we are currently splitting up such operations by invoking
>> multiple git commands. This works well for some commands (like add), but
>> doesn't work well for others (like commit).

> Quite a few commands take --stdin, which can be used to send pathspecs
> (and often other stuff) without size limits. I don't think either
> "commit" or "add" does, but that might be another route.

A GUI client, like your server, should not be using end-user facing
Porcelain commands like "add" and "commit" anyway.  In the standard
"update-index" followed by "write-tree" followed-by "commit-tree"
followed by "update-ref" sequence, the only thing that needs to take
pathspec is the update-index step, and it already does take --stdin.

In any case, I share your gut feeling that this should not be a
magic pathspec, but should instead be "--stdin[-paths]", for command
line parsing's sanity.  Catchng random strings that begin with
double dash as fishy is much simpler and more robust than having to
tell if a string that is a risky or a benign magic pathspec.

Re: pathspec: problems with too long command line

[Marc Strapetz]

On 21.11.2018 14:37, Junio C Hamano wrote:
> Jeff King <peff@peff.net> writes:
> 
>> On Wed, Nov 21, 2018 at 10:23:34AM +0100, Marc Strapetz wrote:
>>
>>>  From our GUI client we are invoking git operations on a possibly large set
>>> of files. ...
>>> command line length, especially on Windows [1] and OSX [2]. To workaround
>>> this problem we are currently splitting up such operations by invoking
>>> multiple git commands. This works well for some commands (like add), but
>>> doesn't work well for others (like commit).
> 
>> Quite a few commands take --stdin, which can be used to send pathspecs
>> (and often other stuff) without size limits. I don't think either
>> "commit" or "add" does, but that might be another route.
> 
> A GUI client, like your server, should not be using end-user facing
> Porcelain commands like "add" and "commit" anyway.  In the standard
> "update-index" followed by "write-tree" followed-by "commit-tree"
> followed by "update-ref" sequence, the only thing that needs to take
> pathspec is the update-index step, and it already does take --stdin.

In our case it's a desktop client. We didn't consider using plumbing 
commands in general but only in cases where no appropriate high level 
commands exist. One reason for this decision was definitely a lack of 
our understanding in the beginning (which is no excuse anymore :). 
Another reason is that our users have quite frequently requested to see 
invoked Git commands, for their own understanding and learning. I think 
this argument remains valid. A third reason is to reduce process 
invocations. Although we are quite experienced Git users now, one final 
reason may be that it's still desirable to rely on additional validation 
in high level commands.

Summed up, I would prefer to find a solution which allows to stick with 
"git add"s, "git commit"s, "git checkout"s, ... and providing 
--stdin-paths alternatively to <pathspec> would be a good solution from 
a GUI client developer's perspective. I'm probably too biased to see 
whether it will be beneficial to standalone Git, too?

>> I'm slightly nervous at a pathspec that starts reading arbitrary files,
>> because I suspect there may be interesting ways to abuse it for services
>> which expose Git. E.g., if I have a web service which can show the
>> history of a file, I might take a $file parameter from the client and
>> run "git rev-list -- $file" (handling shell quoting, of course). That's
>> OK now, but with the proposed pathspec magic, a malicious user could ask
>> for ":(from-file=/etc/passwd)" or whatever.
> 
> In any case, I share your gut feeling that this should not be a
> magic pathspec, but should instead be "--stdin[-paths]", for command
> line parsing's sanity.  Catchng random strings that begin with
> double dash as fishy is much simpler and more robust than having to
> tell if a string that is a risky or a benign magic pathspec.

These are interesting points. Then --stdin[-paths] is definitely the 
better choice.

-Marc