Skip to content

Allow hooks to be provided in separate gems #498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Allow hooks to be provided in separate gems #498

wants to merge 1 commit into from

Conversation

@saverio-kantox
Copy link

@saverio-kantox saverio-kantox commented Jul 11, 2017

When you have several repositories, and a set of common hooks, it is very complex to update all the hooks in each repository. With this change, "built in" hooks are searched in the whole load path, so the user can put one or more hooks in a gem and manage them consistently

@saverio-kantox
Allow hooks to be provided in separate gems
9a922f5 
When you have several repositories, and a set of common hooks, it is very complex to update all the hooks in each repository. With this change, "built in" hooks are searched in the whole load path, so the user can put one or more hooks in a gem and manage them consistently
sds
sds reviewed Jul 15, 2017
View reviewed changes
Copy link
Owner

@sds sds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, @saverio-kantox.

I absolutely agree that Overcommit should make it easy to share hooks via gems. Unfortunately, the implementation here bypasses some security protections, so I'd like to see this solved in a more comprehensive way.

lib/overcommit/configuration.rb
@@ -1,5 +1,6 @@
require 'digest'
require 'json'
require 'English'
Copy link
Owner

@sds sds Jul 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure this is necessary? I'm able to access $LOAD_PATH in an IRB session without require 'English'.

Copy link
Author

@saverio-kantox saverio-kantox Sep 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably have English loaded by IRB itself. I have been bitten by this previously, so now I require English whenever I use english global constants.

lib/overcommit/configuration.rb

File.exist?(File.join(Overcommit::HOME, 'lib', 'overcommit', 'hook',
hook_context.hook_type_name, "#{hook_name}.rb"))
$LOAD_PATH.any? do |dir|
Copy link
Owner

@sds sds Jul 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wary of this approach because it bypasses the standard mechanism for loading hook plugins, which ensures the source code of the plugins is properly signed.

By allowing code loading this way, an attacker can easily inject malicious code by simply adding a gem to the Gemfile specified in the .overcommit.yml gemfile option. We need to have a more explicit way of specifying which code is loaded so that Overcommit can properly sign the hooks to protect against this attack.

@sds
Copy link
Owner

sds commented Aug 5, 2017

As mentioned in previous comments, we're definitely open to this feature, but we'd like an implementation that doesn't bypass the security provided by hook signing.

Feel free to open another PR. Thanks!

@sds sds closed this Aug 5, 2017
@sds sds added the enhancement label Aug 5, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sds sds sds left review comments

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@saverio-kantox @sds