From 6f5748c50752e4b1f99d532a34a57bd773e466b8 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Mon, 2 Sep 2024 18:28:00 +0800 Subject: [PATCH] Prevent update pull refs manually and will not affect other refs update (#31931) (#31955) Backport #31931 by @lunny All refs under `refs/pull` should only be changed from Gitea inside but not by pushing from outside of Gitea. This PR will prevent the pull refs update but allow other refs to be updated on the same pushing with `--mirror` operations. The main changes are to add checks on `update` hook but not `pre-receive` because `update` will be invoked by every ref but `pre-receive` will revert all changes once one ref update fails. Co-authored-by: Lunny Xiao --- cmd/hook.go | 14 ++++++++++++++ tests/integration/git_push_test.go | 22 ++++++++++++++++++++++ tests/test_utils.go | 1 + 3 files changed, 37 insertions(+) diff --git a/cmd/hook.go b/cmd/hook.go index 6e31710caf..e8a8b1f4ad 100644 --- a/cmd/hook.go +++ b/cmd/hook.go @@ -290,8 +290,22 @@ Gitea or set your environment appropriately.`, "") return nil } +// runHookUpdate avoid to do heavy operations on update hook because it will be +// invoked for every ref update which does not like pre-receive and post-receive func runHookUpdate(c *cli.Context) error { + if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal { + return nil + } + // Update is empty and is kept only for backwards compatibility + if len(os.Args) < 3 { + return nil + } + refName := git.RefName(os.Args[len(os.Args)-3]) + if refName.IsPull() { + // ignore update to refs/pull/xxx/head, so we don't need to output any information + os.Exit(1) + } return nil } diff --git a/tests/integration/git_push_test.go b/tests/integration/git_push_test.go index da254fc88f..dc0b52203a 100644 --- a/tests/integration/git_push_test.go +++ b/tests/integration/git_push_test.go @@ -6,8 +6,10 @@ package integration import ( "fmt" "net/url" + "strings" "testing" + auth_model "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/db" git_model "code.gitea.io/gitea/models/git" "code.gitea.io/gitea/models/unittest" @@ -192,3 +194,23 @@ func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gi require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID)) } + +func TestPushPullRefs(t *testing.T) { + onGiteaRun(t, func(t *testing.T, u *url.URL) { + baseAPITestContext := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser) + + u.Path = baseAPITestContext.GitPath() + u.User = url.UserPassword("user2", userPassword) + + dstPath := t.TempDir() + doGitClone(dstPath, u)(t) + + cmd := git.NewCommand(git.DefaultContext, "push", "--delete", "origin", "refs/pull/2/head") + stdout, stderr, err := cmd.RunStdString(&git.RunOpts{ + Dir: dstPath, + }) + assert.Error(t, err) + assert.Empty(t, stdout) + assert.False(t, strings.Contains(stderr, "[deleted]"), "stderr: %s", stderr) + }) +} diff --git a/tests/test_utils.go b/tests/test_utils.go index 66a287ecad..6f9592b204 100644 --- a/tests/test_utils.go +++ b/tests/test_utils.go @@ -223,6 +223,7 @@ func PrepareTestEnv(t testing.TB, skip ...int) func() { _ = os.MkdirAll(filepath.Join(setting.RepoRootPath, ownerDir.Name(), repoDir.Name(), "objects", "info"), 0o755) _ = os.MkdirAll(filepath.Join(setting.RepoRootPath, ownerDir.Name(), repoDir.Name(), "refs", "heads"), 0o755) _ = os.MkdirAll(filepath.Join(setting.RepoRootPath, ownerDir.Name(), repoDir.Name(), "refs", "tag"), 0o755) + _ = os.MkdirAll(filepath.Join(setting.RepoRootPath, ownerDir.Name(), repoDir.Name(), "refs", "pull"), 0o755) } }