2016-11-03 17:16:01 -05:00
|
|
|
// Copyright 2015 The Gogs Authors. All rights reserved.
|
2019-04-19 07:17:27 -05:00
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
2022-11-27 13:20:29 -05:00
|
|
|
// SPDX-License-Identifier: MIT
|
2016-11-03 17:16:01 -05:00
|
|
|
|
|
|
|
package git
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2022-08-14 20:22:13 -05:00
|
|
|
"encoding/hex"
|
|
|
|
"fmt"
|
2021-03-03 19:48:19 -05:00
|
|
|
"io"
|
2016-11-03 17:16:01 -05:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
2021-06-26 06:28:55 -05:00
|
|
|
|
2022-07-30 03:09:04 -05:00
|
|
|
"code.gitea.io/gitea/modules/cache"
|
2021-06-26 06:28:55 -05:00
|
|
|
"code.gitea.io/gitea/modules/setting"
|
2016-11-03 17:16:01 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
// GetBranchCommitID returns last commit ID string of given branch.
|
|
|
|
func (repo *Repository) GetBranchCommitID(name string) (string, error) {
|
2018-01-19 01:18:51 -05:00
|
|
|
return repo.GetRefCommitID(BranchPrefix + name)
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetTagCommitID returns last commit ID string of given tag.
|
|
|
|
func (repo *Repository) GetTagCommitID(name string) (string, error) {
|
2021-04-14 09:22:37 -05:00
|
|
|
return repo.GetRefCommitID(TagPrefix + name)
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2019-08-05 15:39:39 -05:00
|
|
|
// GetCommit returns commit object of by ID string.
|
|
|
|
func (repo *Repository) GetCommit(commitID string) (*Commit, error) {
|
|
|
|
id, err := repo.ConvertToSHA1(commitID)
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return repo.getCommit(id)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetBranchCommit returns the last commit of given branch.
|
|
|
|
func (repo *Repository) GetBranchCommit(name string) (*Commit, error) {
|
|
|
|
commitID, err := repo.GetBranchCommitID(name)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.GetCommit(commitID)
|
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
// GetTagCommit get the commit of the specific tag via name
|
2016-11-03 17:16:01 -05:00
|
|
|
func (repo *Repository) GetTagCommit(name string) (*Commit, error) {
|
|
|
|
commitID, err := repo.GetTagCommitID(name)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.GetCommit(commitID)
|
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
func (repo *Repository) getCommitByPathWithID(id SHA1, relpath string) (*Commit, error) {
|
2016-11-03 17:16:01 -05:00
|
|
|
// File name starts with ':' must be escaped.
|
|
|
|
if relpath[0] == ':' {
|
|
|
|
relpath = `\` + relpath
|
|
|
|
}
|
|
|
|
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, runErr := NewCommand(repo.Ctx, "log", "-1", prettyLogFormat).AddDynamicArguments(id.String()).AddDashesAndList(relpath).RunStdString(&RunOpts{Dir: repo.Path})
|
2022-03-31 21:55:30 -05:00
|
|
|
if runErr != nil {
|
|
|
|
return nil, runErr
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2022-03-31 21:55:30 -05:00
|
|
|
id, err := NewIDFromString(stdout)
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return repo.getCommit(id)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetCommitByPath returns the last commit of relative path.
|
|
|
|
func (repo *Repository) GetCommitByPath(relpath string) (*Commit, error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, runErr := NewCommand(repo.Ctx, "log", "-1", prettyLogFormat).AddDashesAndList(relpath).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2022-03-31 21:55:30 -05:00
|
|
|
if runErr != nil {
|
|
|
|
return nil, runErr
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
commits, err := repo.parsePrettyFormatLogToList(stdout)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-08-09 13:08:51 -05:00
|
|
|
return commits[0], nil
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) commitsByRange(id SHA1, page, pageSize int) ([]*Commit, error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "log").
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
AddOptionFormat("--skip=%d", (page-1)*pageSize).AddOptionFormat("--max-count=%d", pageSize).AddArguments(prettyLogFormat).
|
2022-10-23 09:44:45 -05:00
|
|
|
AddDynamicArguments(id.String()).
|
|
|
|
RunStdBytes(&RunOpts{Dir: repo.Path})
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.parsePrettyFormatLogToList(stdout)
|
|
|
|
}
|
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) searchCommits(id SHA1, opts SearchCommitsOptions) ([]*Commit, error) {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
// add common arguments to git command
|
|
|
|
addCommonSearchArgs := func(c *Command) {
|
|
|
|
// ignore case
|
|
|
|
c.AddArguments("-i")
|
|
|
|
|
|
|
|
// add authors if present in search query
|
|
|
|
if len(opts.Authors) > 0 {
|
|
|
|
for _, v := range opts.Authors {
|
|
|
|
c.AddOptionFormat("--author=%s", v)
|
|
|
|
}
|
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
// add committers if present in search query
|
|
|
|
if len(opts.Committers) > 0 {
|
|
|
|
for _, v := range opts.Committers {
|
|
|
|
c.AddOptionFormat("--committer=%s", v)
|
|
|
|
}
|
2019-04-11 21:28:44 -05:00
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
// add time constraints if present in search query
|
|
|
|
if len(opts.After) > 0 {
|
|
|
|
c.AddOptionFormat("--after=%s", opts.After)
|
|
|
|
}
|
|
|
|
if len(opts.Before) > 0 {
|
|
|
|
c.AddOptionFormat("--before=%s", opts.Before)
|
2019-04-11 21:28:44 -05:00
|
|
|
}
|
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
// create new git log command with limit of 100 commits
|
|
|
|
cmd := NewCommand(repo.Ctx, "log", "-100", prettyLogFormat).AddDynamicArguments(id.String())
|
2020-06-11 16:44:39 -05:00
|
|
|
|
|
|
|
// pretend that all refs along with HEAD were listed on command line as <commis>
|
|
|
|
// https://git-scm.com/docs/git-log#Documentation/git-log.txt---all
|
|
|
|
// note this is done only for command created above
|
2019-04-11 21:28:44 -05:00
|
|
|
if opts.All {
|
2020-06-11 16:44:39 -05:00
|
|
|
cmd.AddArguments("--all")
|
2019-09-02 18:38:04 -05:00
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
|
|
|
// add remaining keywords from search string
|
|
|
|
// note this is done only for command created above
|
2019-09-02 18:38:04 -05:00
|
|
|
if len(opts.Keywords) > 0 {
|
|
|
|
for _, v := range opts.Keywords {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
cmd.AddOptionFormat("--grep=%s", v)
|
2019-09-02 18:38:04 -05:00
|
|
|
}
|
2017-02-05 09:43:28 -05:00
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
|
|
|
// search for commits matching given constraints and keywords in commit msg
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
addCommonSearchArgs(cmd)
|
2022-03-31 21:55:30 -05:00
|
|
|
stdout, _, err := cmd.RunStdBytes(&RunOpts{Dir: repo.Path})
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-09-02 18:38:04 -05:00
|
|
|
if len(stdout) != 0 {
|
|
|
|
stdout = append(stdout, '\n')
|
|
|
|
}
|
2020-06-11 16:44:39 -05:00
|
|
|
|
2021-07-08 06:38:13 -05:00
|
|
|
// if there are any keywords (ie not committer:, author:, time:)
|
2020-06-11 16:44:39 -05:00
|
|
|
// then let's iterate over them
|
2019-09-02 18:38:04 -05:00
|
|
|
if len(opts.Keywords) > 0 {
|
|
|
|
for _, v := range opts.Keywords {
|
2022-10-17 09:40:37 -05:00
|
|
|
// ignore anything not matching a valid sha pattern
|
|
|
|
if IsValidSHAPattern(v) {
|
2020-06-11 16:44:39 -05:00
|
|
|
// create new git log command with 1 commit limit
|
2022-02-06 14:01:47 -05:00
|
|
|
hashCmd := NewCommand(repo.Ctx, "log", "-1", prettyLogFormat)
|
2020-06-11 16:44:39 -05:00
|
|
|
// add previous arguments except for --grep and --all
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
addCommonSearchArgs(hashCmd)
|
2020-06-11 16:44:39 -05:00
|
|
|
// add keyword as <commit>
|
2022-10-15 05:49:26 -05:00
|
|
|
hashCmd.AddDynamicArguments(v)
|
2020-06-11 16:44:39 -05:00
|
|
|
|
|
|
|
// search with given constraints for commit matching sha hash of v
|
2022-03-31 21:55:30 -05:00
|
|
|
hashMatching, _, err := hashCmd.RunStdBytes(&RunOpts{Dir: repo.Path})
|
2019-09-02 18:38:04 -05:00
|
|
|
if err != nil || bytes.Contains(stdout, hashMatching) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
stdout = append(stdout, hashMatching...)
|
|
|
|
stdout = append(stdout, '\n')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return repo.parsePrettyFormatLogToList(bytes.TrimSuffix(stdout, []byte{'\n'}))
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2019-04-17 11:06:35 -05:00
|
|
|
func (repo *Repository) getFilesChanged(id1, id2 string) ([]string, error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "diff", "--name-only").AddDynamicArguments(id1, id2).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return strings.Split(string(stdout), "\n"), nil
|
|
|
|
}
|
|
|
|
|
2019-04-17 11:06:35 -05:00
|
|
|
// FileChangedBetweenCommits Returns true if the file changed between commit IDs id1 and id2
|
2019-08-05 15:39:39 -05:00
|
|
|
// You must ensure that id1 and id2 are valid commit ids.
|
2019-04-17 11:06:35 -05:00
|
|
|
func (repo *Repository) FileChangedBetweenCommits(filename, id1, id2 string) (bool, error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "diff", "--name-only", "-z").AddDynamicArguments(id1, id2).AddDashesAndList(filename).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2019-04-17 11:06:35 -05:00
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
return len(strings.TrimSpace(string(stdout))) > 0, nil
|
|
|
|
}
|
|
|
|
|
2021-07-08 06:38:13 -05:00
|
|
|
// FileCommitsCount return the number of files at a revision
|
2016-11-03 17:16:01 -05:00
|
|
|
func (repo *Repository) FileCommitsCount(revision, file string) (int64, error) {
|
2022-01-19 18:26:57 -05:00
|
|
|
return CommitsCountFiles(repo.Ctx, repo.Path, []string{revision}, []string{file})
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2021-07-08 06:38:13 -05:00
|
|
|
// CommitsByFileAndRange return the commits according revision file and the page
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) CommitsByFileAndRange(revision, file string, page int) ([]*Commit, error) {
|
2021-06-26 06:28:55 -05:00
|
|
|
skip := (page - 1) * setting.Git.CommitsRangeSize
|
2021-03-03 19:48:19 -05:00
|
|
|
|
|
|
|
stdoutReader, stdoutWriter := io.Pipe()
|
|
|
|
defer func() {
|
|
|
|
_ = stdoutReader.Close()
|
|
|
|
_ = stdoutWriter.Close()
|
|
|
|
}()
|
|
|
|
go func() {
|
|
|
|
stderr := strings.Builder{}
|
2022-10-23 09:44:45 -05:00
|
|
|
gitCmd := NewCommand(repo.Ctx, "rev-list").
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
AddOptionFormat("--max-count=%d", setting.Git.CommitsRangeSize*page).
|
|
|
|
AddOptionFormat("--skip=%d", skip)
|
2022-10-15 05:49:26 -05:00
|
|
|
gitCmd.AddDynamicArguments(revision)
|
2022-10-23 09:44:45 -05:00
|
|
|
gitCmd.AddDashesAndList(file)
|
2022-10-15 05:49:26 -05:00
|
|
|
err := gitCmd.Run(&RunOpts{
|
|
|
|
Dir: repo.Path,
|
|
|
|
Stdout: stdoutWriter,
|
|
|
|
Stderr: &stderr,
|
|
|
|
})
|
2021-03-03 19:48:19 -05:00
|
|
|
if err != nil {
|
|
|
|
_ = stdoutWriter.CloseWithError(ConcatenateError(err, (&stderr).String()))
|
|
|
|
} else {
|
|
|
|
_ = stdoutWriter.Close()
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
2022-08-14 20:22:13 -05:00
|
|
|
commits := []*Commit{}
|
|
|
|
shaline := [41]byte{}
|
|
|
|
var sha1 SHA1
|
|
|
|
for {
|
|
|
|
n, err := io.ReadFull(stdoutReader, shaline[:])
|
|
|
|
if err != nil || n < 40 {
|
2021-03-03 19:48:19 -05:00
|
|
|
if err == io.EOF {
|
2022-08-14 20:22:13 -05:00
|
|
|
err = nil
|
2021-03-03 19:48:19 -05:00
|
|
|
}
|
2022-08-14 20:22:13 -05:00
|
|
|
return commits, err
|
|
|
|
}
|
|
|
|
n, err = hex.Decode(sha1[:], shaline[0:40])
|
|
|
|
if n != 20 {
|
|
|
|
err = fmt.Errorf("invalid sha %q", string(shaline[:40]))
|
|
|
|
}
|
|
|
|
if err != nil {
|
2021-03-03 19:48:19 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
2022-08-14 20:22:13 -05:00
|
|
|
commit, err := repo.getCommit(sha1)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
commits = append(commits, commit)
|
2021-03-03 19:48:19 -05:00
|
|
|
}
|
2019-07-11 09:45:10 -05:00
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
// FilesCountBetween return the number of files changed between two commits
|
2016-11-03 17:16:01 -05:00
|
|
|
func (repo *Repository) FilesCountBetween(startCommitID, endCommitID string) (int, error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "diff", "--name-only").AddDynamicArguments(startCommitID + "..." + endCommitID).RunStdString(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
if err != nil && strings.Contains(err.Error(), "no merge base") {
|
|
|
|
// git >= 2.28 now returns an error if startCommitID and endCommitID have become unrelated.
|
|
|
|
// previously it would return the results of git diff --name-only startCommitID endCommitID so let's try that...
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "diff", "--name-only").AddDynamicArguments(startCommitID, endCommitID).RunStdString(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
}
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
return len(strings.Split(stdout, "\n")) - 1, nil
|
|
|
|
}
|
|
|
|
|
2021-06-30 12:49:06 -05:00
|
|
|
// CommitsBetween returns a list that contains commits between [before, last).
|
|
|
|
// If before is detached (removed by reset + push) it is not included.
|
2021-12-19 23:41:31 -05:00
|
|
|
func (repo *Repository) CommitsBetween(last, before *Commit) ([]*Commit, error) {
|
2019-12-30 18:34:11 -05:00
|
|
|
var stdout []byte
|
|
|
|
var err error
|
|
|
|
if before == nil {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2019-12-30 18:34:11 -05:00
|
|
|
} else {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(before.ID.String() + ".." + last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
if err != nil && strings.Contains(err.Error(), "no merge base") {
|
|
|
|
// future versions of git >= 2.28 are likely to return an error if before and last have become unrelated.
|
|
|
|
// previously it would return the results of git rev-list before last so let's try that...
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(before.ID.String(), last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
}
|
2019-12-30 18:34:11 -05:00
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.parsePrettyFormatLogToList(bytes.TrimSpace(stdout))
|
|
|
|
}
|
|
|
|
|
2021-06-30 12:49:06 -05:00
|
|
|
// CommitsBetweenLimit returns a list that contains at most limit commits skipping the first skip commits between [before, last)
|
2021-12-19 23:41:31 -05:00
|
|
|
func (repo *Repository) CommitsBetweenLimit(last, before *Commit, limit, skip int) ([]*Commit, error) {
|
2019-12-30 18:34:11 -05:00
|
|
|
var stdout []byte
|
|
|
|
var err error
|
|
|
|
if before == nil {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").
|
|
|
|
AddOptionValues("--max-count", strconv.Itoa(limit)).
|
|
|
|
AddOptionValues("--skip", strconv.Itoa(skip)).
|
2022-10-23 09:44:45 -05:00
|
|
|
AddDynamicArguments(last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2019-12-30 18:34:11 -05:00
|
|
|
} else {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").
|
|
|
|
AddOptionValues("--max-count", strconv.Itoa(limit)).
|
|
|
|
AddOptionValues("--skip", strconv.Itoa(skip)).
|
2022-10-23 09:44:45 -05:00
|
|
|
AddDynamicArguments(before.ID.String() + ".." + last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
if err != nil && strings.Contains(err.Error(), "no merge base") {
|
|
|
|
// future versions of git >= 2.28 are likely to return an error if before and last have become unrelated.
|
|
|
|
// previously it would return the results of git rev-list --max-count n before last so let's try that...
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").
|
|
|
|
AddOptionValues("--max-count", strconv.Itoa(limit)).
|
|
|
|
AddOptionValues("--skip", strconv.Itoa(skip)).
|
2022-10-23 09:44:45 -05:00
|
|
|
AddDynamicArguments(before.ID.String(), last.ID.String()).RunStdBytes(&RunOpts{Dir: repo.Path})
|
2020-07-29 12:53:04 -05:00
|
|
|
}
|
2019-12-30 18:34:11 -05:00
|
|
|
}
|
2017-10-23 08:36:14 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
2017-10-23 08:36:14 -05:00
|
|
|
return repo.parsePrettyFormatLogToList(bytes.TrimSpace(stdout))
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2023-03-09 13:14:22 -05:00
|
|
|
// CommitsBetweenNotBase returns a list that contains commits between [before, last), excluding commits in baseBranch.
|
|
|
|
// If before is detached (removed by reset + push) it is not included.
|
|
|
|
func (repo *Repository) CommitsBetweenNotBase(last, before *Commit, baseBranch string) ([]*Commit, error) {
|
|
|
|
var stdout []byte
|
|
|
|
var err error
|
|
|
|
if before == nil {
|
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(last.ID.String()).AddOptionValues("--not", baseBranch).RunStdBytes(&RunOpts{Dir: repo.Path})
|
|
|
|
} else {
|
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(before.ID.String()+".."+last.ID.String()).AddOptionValues("--not", baseBranch).RunStdBytes(&RunOpts{Dir: repo.Path})
|
|
|
|
if err != nil && strings.Contains(err.Error(), "no merge base") {
|
|
|
|
// future versions of git >= 2.28 are likely to return an error if before and last have become unrelated.
|
|
|
|
// previously it would return the results of git rev-list before last so let's try that...
|
|
|
|
stdout, _, err = NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(before.ID.String(), last.ID.String()).AddOptionValues("--not", baseBranch).RunStdBytes(&RunOpts{Dir: repo.Path})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.parsePrettyFormatLogToList(bytes.TrimSpace(stdout))
|
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
// CommitsBetweenIDs return commits between twoe commits
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) CommitsBetweenIDs(last, before string) ([]*Commit, error) {
|
2016-11-03 17:16:01 -05:00
|
|
|
lastCommit, err := repo.GetCommit(last)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-12-30 18:34:11 -05:00
|
|
|
if before == "" {
|
|
|
|
return repo.CommitsBetween(lastCommit, nil)
|
|
|
|
}
|
2016-11-03 17:16:01 -05:00
|
|
|
beforeCommit, err := repo.GetCommit(before)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return repo.CommitsBetween(lastCommit, beforeCommit)
|
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
// CommitsCountBetween return numbers of commits between two commits
|
2016-11-03 17:16:01 -05:00
|
|
|
func (repo *Repository) CommitsCountBetween(start, end string) (int64, error) {
|
2022-01-19 18:26:57 -05:00
|
|
|
count, err := CommitsCountFiles(repo.Ctx, repo.Path, []string{start + ".." + end}, []string{})
|
2020-07-29 12:53:04 -05:00
|
|
|
if err != nil && strings.Contains(err.Error(), "no merge base") {
|
|
|
|
// future versions of git >= 2.28 are likely to return an error if before and last have become unrelated.
|
|
|
|
// previously it would return the results of git rev-list before last so let's try that...
|
2022-01-19 18:26:57 -05:00
|
|
|
return CommitsCountFiles(repo.Ctx, repo.Path, []string{start, end}, []string{})
|
2020-07-29 12:53:04 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return count, err
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2016-12-22 04:30:52 -05:00
|
|
|
// commitsBefore the limit is depth, not total number of returned commits.
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) commitsBefore(id SHA1, limit int) ([]*Commit, error) {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
cmd := NewCommand(repo.Ctx, "log", prettyLogFormat)
|
2017-12-10 21:23:34 -05:00
|
|
|
if limit > 0 {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
cmd.AddOptionFormat("-%d", limit)
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
cmd.AddDynamicArguments(id.String())
|
2016-11-03 17:16:01 -05:00
|
|
|
|
2022-03-31 21:55:30 -05:00
|
|
|
stdout, _, runErr := cmd.RunStdBytes(&RunOpts{Dir: repo.Path})
|
|
|
|
if runErr != nil {
|
|
|
|
return nil, runErr
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2017-12-10 21:23:34 -05:00
|
|
|
formattedLog, err := repo.parsePrettyFormatLogToList(bytes.TrimSpace(stdout))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
commits := make([]*Commit, 0, len(formattedLog))
|
|
|
|
for _, commit := range formattedLog {
|
2017-12-10 21:23:34 -05:00
|
|
|
branches, err := repo.getBranches(commit, 2)
|
2016-11-03 17:16:01 -05:00
|
|
|
if err != nil {
|
2017-12-10 21:23:34 -05:00
|
|
|
return nil, err
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
2017-12-10 21:23:34 -05:00
|
|
|
|
|
|
|
if len(branches) > 1 {
|
|
|
|
break
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
2017-12-10 21:23:34 -05:00
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
commits = append(commits, commit)
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2017-12-10 21:23:34 -05:00
|
|
|
return commits, nil
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) getCommitsBefore(id SHA1) ([]*Commit, error) {
|
2017-12-10 21:23:34 -05:00
|
|
|
return repo.commitsBefore(id, 0)
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
|
|
|
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) getCommitsBeforeLimit(id SHA1, num int) ([]*Commit, error) {
|
2017-12-10 21:23:34 -05:00
|
|
|
return repo.commitsBefore(id, num)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (repo *Repository) getBranches(commit *Commit, limit int) ([]string, error) {
|
2020-10-21 10:42:08 -05:00
|
|
|
if CheckGitVersionAtLeast("2.7.0") == nil {
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "for-each-ref", "--format=%(refname:strip=2)").
|
|
|
|
AddOptionFormat("--count=%d", limit).
|
|
|
|
AddOptionValues("--contains", commit.ID.String(), BranchPrefix).
|
2022-10-23 09:44:45 -05:00
|
|
|
RunStdString(&RunOpts{Dir: repo.Path})
|
2018-05-27 13:47:34 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
branches := strings.Fields(stdout)
|
|
|
|
return branches, nil
|
|
|
|
}
|
|
|
|
|
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-03 21:30:43 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "branch").AddOptionValues("--contains", commit.ID.String()).RunStdString(&RunOpts{Dir: repo.Path})
|
2017-12-10 21:23:34 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
refs := strings.Split(stdout, "\n")
|
2018-05-27 13:47:34 -05:00
|
|
|
|
|
|
|
var max int
|
|
|
|
if len(refs) > limit {
|
|
|
|
max = limit
|
|
|
|
} else {
|
|
|
|
max = len(refs) - 1
|
|
|
|
}
|
|
|
|
|
|
|
|
branches := make([]string, max)
|
|
|
|
for i, ref := range refs[:max] {
|
|
|
|
parts := strings.Fields(ref)
|
|
|
|
|
|
|
|
branches[i] = parts[len(parts)-1]
|
2017-12-10 21:23:34 -05:00
|
|
|
}
|
|
|
|
return branches, nil
|
2016-11-03 17:16:01 -05:00
|
|
|
}
|
2020-05-20 07:47:24 -05:00
|
|
|
|
|
|
|
// GetCommitsFromIDs get commits from commit IDs
|
2021-08-09 13:08:51 -05:00
|
|
|
func (repo *Repository) GetCommitsFromIDs(commitIDs []string) []*Commit {
|
|
|
|
commits := make([]*Commit, 0, len(commitIDs))
|
2020-05-20 07:47:24 -05:00
|
|
|
|
|
|
|
for _, commitID := range commitIDs {
|
|
|
|
commit, err := repo.GetCommit(commitID)
|
|
|
|
if err == nil && commit != nil {
|
2021-08-09 13:08:51 -05:00
|
|
|
commits = append(commits, commit)
|
2020-05-20 07:47:24 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return commits
|
|
|
|
}
|
2021-03-03 22:41:23 -05:00
|
|
|
|
|
|
|
// IsCommitInBranch check if the commit is on the branch
|
|
|
|
func (repo *Repository) IsCommitInBranch(commitID, branch string) (r bool, err error) {
|
2022-10-23 09:44:45 -05:00
|
|
|
stdout, _, err := NewCommand(repo.Ctx, "branch", "--contains").AddDynamicArguments(commitID, branch).RunStdString(&RunOpts{Dir: repo.Path})
|
2021-03-03 22:41:23 -05:00
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
return len(stdout) > 0, err
|
|
|
|
}
|
2022-07-30 03:09:04 -05:00
|
|
|
|
|
|
|
func (repo *Repository) AddLastCommitCache(cacheKey, fullName, sha string) error {
|
|
|
|
if repo.LastCommitCache == nil {
|
|
|
|
commitsCount, err := cache.GetInt64(cacheKey, func() (int64, error) {
|
|
|
|
commit, err := repo.GetCommit(sha)
|
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
return commit.CommitsCount()
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
repo.LastCommitCache = NewLastCommitCache(commitsCount, fullName, repo, cache.GetCache())
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|