protect protected branched to force updates #128

Popl7 · 2014-01-28T21:44:26Z

this is a first (working) setup.
There are changes to the api from gitlab-ce.
I will post a PR for this as well. (#6190 gitlabhq/gitlabhq#6190)

Tests must be made.

coveralls · 2014-01-28T21:48:43Z

Coverage remained the same when pulling 5f14f42 on Popl7:add-better-branch-protection-against-history-rewrite-and-deletion into 56e216f on gitlabhq:master.

jacobvosmaer · 2014-02-19T10:16:22Z

lib/gitlab_update.rb

@@ -22,6 +22,11 @@ def initialize(repo_path, key_id, refname)
    @newrev  = ARGV[2]
  end

+  def forced_push?
+    unknow_refs = `git rev-list #{ @oldrev }..#{ @newrev }`


This is insecure. You should use:

unknow_refs = IO.popen(%W(git rev-list #{@oldrev}..#{@newrev} --)).read

The -- makes it clear to git that #{@oldrev}..#{@newrev} specifies a commit range. The IO.popen(%W(...)) avoids shell injection caused by incorrect tokenization.

Also, shouldn't the order of the refs be git rev-list oldrev ^newrev?

I am not sure. I believe this checks if there are commits on old that aren't part of new.

I just checked: you are right.
According to the git manual about hooks it should be:

missed_refs = IO.popen(%W(git rev-list #{@newrev}..#{@oldrev} --)).read missed_refs.split("\n").size > 0

@Popl7 newrev..oldrev looks good. I think the line we are discussing has it turned around (oldrev..newrev).

coveralls · 2014-02-26T23:36:07Z

Coverage decreased (-1.01%) when pulling 0eac27b on Popl7:add-better-branch-protection-against-history-rewrite-and-deletion into 79bceae on gitlabhq:master.

dzaporozhets · 2014-03-03T08:50:07Z

@Popl7 does it affects both git over http and git over ssh?

Popl7 · 2014-03-03T09:07:11Z

I am not sure. It works from the post-commit hook that is already used for the checking of authorization of the repo.

jacobvosmaer · 2014-03-03T10:16:20Z

lib/gitlab_update.rb

+  def forced_push?
+    missed_refs = IO.popen(%W(git rev-list #{@newrev}..#{@oldrev} --)).read
+    missed_refs.split("\n").size > 0
+  end


@randx 👍 for the IO.popen

dzaporozhets · 2014-03-11T15:15:29Z

@Popl7 can you check tests?

Popl7 · 2014-03-11T17:35:24Z

I will try to make some tests

Op 11 mrt. 2014 om 16:15 heeft Dmitriy Zaporozhets notifications@github.com het volgende geschreven:

@Popl7 can you check tests?

—
Reply to this email directly or view it on GitHub.

dzaporozhets · 2014-03-25T08:33:16Z

@Popl7 Can you add some tests and make it mergeable?

Popl7 · 2014-03-25T08:34:21Z

hi Dimitri,

I can work on this tonight and try to get it mergable.

On 25 mrt. 2014, at 09:33, Dmitriy Zaporozhets notifications@github.com wrote:

@Popl7 Can you add some tests and make it mergeable?

—
Reply to this email directly or view it on GitHub.

rebased for new code

dzaporozhets · 2014-03-26T08:08:41Z

@Popl7 thanks. Ping me when ready

…st-history-rewrite-and-deletion protect protected branched to force updates

dzaporozhets · 2014-04-03T12:01:37Z

wow it does not work

dzaporozhets · 2014-04-03T12:01:56Z

lib/gitlab_update.rb

  def exec
    # reset GL_ID env since we already
    # get value from it
    ENV['GL_ID'] = nil

-    if api.allowed?('git-receive-pack', @repo_name, @actor, @ref_name, @oldrev, @newrev)
+    if api.allowed?('git-receive-pack', @repo_name, @actor, @ref_name, @oldrev, @newrev, forced_push)


no such variable forced_push

dzaporozhets · 2014-04-03T12:02:18Z

also it do not pass force_push variable via net

dzaporozhets · 2014-04-03T12:03:16Z

Fixed by d299e7e

Popl7 mentioned this pull request Jan 28, 2014

protect protected branched to force updates gitlabhq/gitlabhq#6190

Merged

jacobvosmaer reviewed Feb 19, 2014
View reviewed changes

jacobvosmaer reviewed Mar 3, 2014
View reviewed changes

first setup to protect protected branched to force updates

f79bb5a

rebased for new code

dzaporozhets added a commit that referenced this pull request Apr 3, 2014

Merge pull request #128 from Popl7/add-better-branch-protection-again…

d5adeb1

…st-history-rewrite-and-deletion protect protected branched to force updates

dzaporozhets merged commit d5adeb1 into gitlabhq:master Apr 3, 2014

dzaporozhets reviewed Apr 3, 2014
View reviewed changes

Popl7 deleted the add-better-branch-protection-against-history-rewrite-and-deletion branch April 3, 2014 12:06

protect protected branched to force updates #128

protect protected branched to force updates #128

Uh oh!

Conversation

Popl7 commented Jan 28, 2014

Uh oh!

coveralls commented Jan 28, 2014

Uh oh!

jacobvosmaer Feb 19, 2014

Choose a reason for hiding this comment

Uh oh!

jacobvosmaer Feb 19, 2014

Choose a reason for hiding this comment

Uh oh!

Popl7 Feb 19, 2014

Choose a reason for hiding this comment

Uh oh!

jacobvosmaer Feb 20, 2014

Choose a reason for hiding this comment

Uh oh!

coveralls commented Feb 26, 2014

Uh oh!

dzaporozhets commented Mar 3, 2014

Uh oh!

Popl7 commented Mar 3, 2014

Uh oh!

jacobvosmaer Mar 3, 2014

Choose a reason for hiding this comment

Uh oh!

dzaporozhets commented Mar 11, 2014

Uh oh!

Popl7 commented Mar 11, 2014

Uh oh!

dzaporozhets commented Mar 25, 2014

Uh oh!

Popl7 commented Mar 25, 2014

Uh oh!

dzaporozhets commented Mar 26, 2014

Uh oh!

dzaporozhets commented Apr 3, 2014

Uh oh!

dzaporozhets Apr 3, 2014

Choose a reason for hiding this comment

Uh oh!

dzaporozhets commented Apr 3, 2014

Uh oh!

dzaporozhets commented Apr 3, 2014

Uh oh!

Uh oh!