Skip to content
This repository was archived by the owner on Sep 30, 2024. It is now read-only.

[Backport 5.0] gitserver: use cat-file for reading blobs containing ..#52688

Merged
keegancsmith merged 2 commits into
5.0from
backport-52605-to-5.0
May 31, 2023
Merged

[Backport 5.0] gitserver: use cat-file for reading blobs containing ..#52688
keegancsmith merged 2 commits into
5.0from
backport-52605-to-5.0

Conversation

@github-actions

@github-actions github-actions Bot commented May 31, 2023

Copy link
Copy Markdown
Contributor

We special case ".." in path to running a less efficient two commands. For other paths we can rely on the faster git show.

git show will try and resolve revisions on anything containing "..". Depending on what branches/files exist, this can lead to:

  • error: object $SHA is a tree, not a commit
  • fatal: Invalid symmetric difference expression $SHA:$name
  • outputting a diff instead of the file

The last point is a security issue for repositories with sub-repo permissions since the diff will not be filtered.

Test Plan: wrote tests and test e2e

Backport 9d52321 from #52605

@keegancsmith @github-actions
gitserver: use cat-file for reading blobs containing .. (#52605)
b08dd45 
We special case ".." in path to running a less efficient two commands.
For other paths we can rely on the faster git show.

git show will try and resolve revisions on anything containing "..".
Depending on what branches/files exist, this can lead to:

- error: object $SHA is a tree, not a commit
- fatal: Invalid symmetric difference expression $SHA:$name
- outputting a diff instead of the file

The last point is a security issue for repositories with sub-repo
permissions since the diff will not be filtered.

Test Plan: wrote tests and test e2e

(cherry picked from commit 9d52321)
@github-actions github-actions Bot requested a review from keegancsmith May 31, 2023 10:06
@keegancsmith keegancsmith enabled auto-merge (squash) May 31, 2023 11:42
@sourcegraph-bot

sourcegraph-bot commented May 31, 2023

Copy link
Copy Markdown
Contributor

Codenotify: Notifying subscribers in CODENOTIFY files for diff 00d83fe...e3c8de3.

Notify File(s)
@indradhanush internal/gitserver/commands.go
internal/gitserver/commands_test.go
@sashaostrikov internal/gitserver/commands.go
internal/gitserver/commands_test.go

@keegancsmith keegancsmith merged commit 86b00e9 into 5.0 May 31, 2023
@keegancsmith keegancsmith deleted the backport-52605-to-5.0 branch May 31, 2023 12:48
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@keegancsmith keegancsmith keegancsmith approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backports cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sourcegraph-bot @keegancsmith