 a8cc594333
			
		
	
	a8cc594333
	
	
	
		
			
			Fix a Time-of-check to time-of-use (TOCTOU) race in code added in680ee550d7(commit: skip discarding the index if there is no pre-commit hook, 2017-08-14). This obscure race condition can occur if we e.g. ran the "pre-commit" hook and it modified the index, but hook_exists() returns false later on (e.g., because the hook itself went away, the directory became unreadable, etc.). Then we won't call discard_cache() when we should have. The race condition itself probably doesn't matter, and users would have been unlikely to run into it in practice. This problem has been noted on-list when680ee550d7was discussed[1], but had not been fixed. This change is mainly intended to improve the readability of the code involved, and to make reasoning about it more straightforward. It wasn't as obvious what we were trying to do here, but by having an "invoked_hook" it's clearer that e.g. our discard_cache() is happening because of the earlier hook execution. Let's also change this for the push-to-checkout hook. Now instead of checking if the hook exists and either doing a push to checkout or a push to deploy we'll always attempt a push to checkout. If the hook doesn't exist we'll fall back on push to deploy. The same behavior as before, without the TOCTOU race. See0855331941(receive-pack: support push-to-checkout hook, 2014-12-01) for the introduction of the previous behavior. This leaves uses of hook_exists() in two places that matter. The "reference-transaction" check in refs.c, see6754159767(refs: implement reference transaction hook, 2020-06-19), and the "prepare-commit-msg" hook, see66618a50f9(sequencer: run 'prepare-commit-msg' hook, 2018-01-24). In both of those cases we're saving ourselves CPU time by not preparing data for the hook that we'll then do nothing with if we don't have the hook. So using this "invoked_hook" pattern doesn't make sense in those cases. The "reference-transaction" and "prepare-commit-msg" hook also aren't racy. In those cases we'll skip the hook runs if we race with a new hook being added, whereas in the TOCTOU races being fixed here we were incorrectly skipping the required post-hook logic. 1. https://lore.kernel.org/git/20170810191613.kpmhzg4seyxy3cpq@sigill.intra.peff.net/ Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
		
			
				
	
	
		
			86 lines
		
	
	
		
			2.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			86 lines
		
	
	
		
			2.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| #ifndef HOOK_H
 | |
| #define HOOK_H
 | |
| #include "strvec.h"
 | |
| 
 | |
| struct run_hooks_opt
 | |
| {
 | |
| 	/* Environment vars to be set for each hook */
 | |
| 	struct strvec env;
 | |
| 
 | |
| 	/* Args to be passed to each hook */
 | |
| 	struct strvec args;
 | |
| 
 | |
| 	/* Emit an error if the hook is missing */
 | |
| 	unsigned int error_if_missing:1;
 | |
| 
 | |
| 	/**
 | |
| 	 * An optional initial working directory for the hook,
 | |
| 	 * translates to "struct child_process"'s "dir" member.
 | |
| 	 */
 | |
| 	const char *dir;
 | |
| 
 | |
| 	/**
 | |
| 	 * A pointer which if provided will be set to 1 or 0 depending
 | |
| 	 * on if a hook was started, regardless of whether or not that
 | |
| 	 * was successful. I.e. if the underlying start_command() was
 | |
| 	 * successful this will be set to 1.
 | |
| 	 *
 | |
| 	 * Used for avoiding TOCTOU races in code that would otherwise
 | |
| 	 * call hook_exist() after a "maybe hook run" to see if a hook
 | |
| 	 * was invoked.
 | |
| 	 */
 | |
| 	int *invoked_hook;
 | |
| };
 | |
| 
 | |
| #define RUN_HOOKS_OPT_INIT { \
 | |
| 	.env = STRVEC_INIT, \
 | |
| 	.args = STRVEC_INIT, \
 | |
| }
 | |
| 
 | |
| struct hook_cb_data {
 | |
| 	/* rc reflects the cumulative failure state */
 | |
| 	int rc;
 | |
| 	const char *hook_name;
 | |
| 	const char *hook_path;
 | |
| 	struct run_hooks_opt *options;
 | |
| };
 | |
| 
 | |
| /*
 | |
|  * Returns the path to the hook file, or NULL if the hook is missing
 | |
|  * or disabled. Note that this points to static storage that will be
 | |
|  * overwritten by further calls to find_hook and run_hook_*.
 | |
|  */
 | |
| const char *find_hook(const char *name);
 | |
| 
 | |
| /**
 | |
|  * A boolean version of find_hook()
 | |
|  */
 | |
| int hook_exists(const char *hookname);
 | |
| 
 | |
| /**
 | |
|  * Takes a `hook_name`, resolves it to a path with find_hook(), and
 | |
|  * runs the hook for you with the options specified in "struct
 | |
|  * run_hooks opt". Will free memory associated with the "struct run_hooks_opt".
 | |
|  *
 | |
|  * Returns the status code of the run hook, or a negative value on
 | |
|  * error().
 | |
|  */
 | |
| int run_hooks_opt(const char *hook_name, struct run_hooks_opt *options);
 | |
| 
 | |
| /**
 | |
|  * A wrapper for run_hooks_opt() which provides a dummy "struct
 | |
|  * run_hooks_opt" initialized with "RUN_HOOKS_OPT_INIT".
 | |
|  */
 | |
| int run_hooks(const char *hook_name);
 | |
| 
 | |
| /**
 | |
|  * Like run_hooks(), a wrapper for run_hooks_opt().
 | |
|  *
 | |
|  * In addition to the wrapping behavior provided by run_hooks(), this
 | |
|  * wrapper takes a list of strings terminated by a NULL
 | |
|  * argument. These things will be used as positional arguments to the
 | |
|  * hook. This function behaves like the old run_hook_le() API.
 | |
|  */
 | |
| int run_hooks_l(const char *hook_name, ...);
 | |
| #endif
 |