Skip to content

Allow hooks to be provided in separate gems #498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Allow hooks to be provided in separate gems #498

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions lib/overcommit/configuration.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
require 'digest'
require 'json'
require 'English'
Copy link
Owner

@sds sds Jul 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure this is necessary? I'm able to access $LOAD_PATH in an IRB session without require 'English'.

Copy link
Author

@saverio-kantox saverio-kantox Sep 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably have English loaded by IRB itself. I have been bitten by this previously, so now I require English whenever I use english global constants.


module Overcommit
# Stores configuration for Overcommit and the hooks it runs.
Expand Down Expand Up @@ -264,8 +265,10 @@ def ad_hoc_hook?(hook_context, hook_name)
def built_in_hook?(hook_context, hook_name)
hook_name = Overcommit::Utils.snake_case(hook_name)

File.exist?(File.join(Overcommit::HOME, 'lib', 'overcommit', 'hook',
hook_context.hook_type_name, "#{hook_name}.rb"))
$LOAD_PATH.any? do |dir|
Copy link
Owner

@sds sds Jul 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wary of this approach because it bypasses the standard mechanism for loading hook plugins, which ensures the source code of the plugins is properly signed.

By allowing code loading this way, an attacker can easily inject malicious code by simply adding a gem to the Gemfile specified in the .overcommit.yml gemfile option. We need to have a more explicit way of specifying which code is loaded so that Overcommit can properly sign the hooks to protect against this attack.

File.exist?(File.join(dir, 'overcommit', 'hook',
hook_context.hook_type_name, "#{hook_name}.rb"))
end
end

def hook_exists?(hook_context, hook_name)
Expand Down