gitea

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

History

wxiaoguang 6bc3079c00 Refactor git command package to improve security and maintainability (#22678 ) This PR follows #21535 (and replace #22592) ## Review without space diff https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1 ## Purpose of this PR 1. Make git module command completely safe (risky user inputs won't be passed as argument option anymore) 2. Avoid low-level mistakes like https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918 3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg` type 4. Simplify code when using git command ## The main idea of this PR * Move the `git.CmdArg` to the `internal` package, then no other package except `git` could use it. Then developers could never do `AddArguments(git.CmdArg(userInput))` any more. * Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already trusted arguments. It's only used in a few cases, for example: use git arguments from config file, help unit test with some arguments. * Introduce `AddOptionValues` and `AddOptionFormat`, they make code more clear and simple: * Before: `AddArguments("-m").AddDynamicArguments(message)` * After: `AddOptionValues("-m", message)` * - * Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'", sig.Name, sig.Email)))` * After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)` ## FAQ ### Why these changes were not done in #21535 ? #21535 is mainly a search&replace, it did its best to not change too much logic. Making the framework better needs a lot of changes, so this separate PR is needed as the second step. ### The naming of `AddOptionXxx` According to git's manual, the `--xxx` part is called `option`. ### How can it guarantee that `internal.CmdArg` won't be not misused? Go's specification guarantees that. Trying to access other package's internal package causes compilation error. And, `golangci-lint` also denies the git/internal package. Only the `git/command.go` can use it carefully. ### There is still a `ToTrustedCmdArgs`, will it still allow developers to make mistakes and pass untrusted arguments? Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code will be very complex (see the changes for examples). Then developers and reviewers can know that something might be unreasonable. ### Why there was a `CmdArgCheck` and why it's removed? At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck` was introduced as a hacky patch. Now, almost all code could be written as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for `CmdArgCheck` anymore. ### Why many codes for `signArg == ""` is deleted? Because in the old code, `signArg` could never be empty string, it's either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just dead code. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>		2 years ago
..
actions	Fix actions workflow branches match bug (#22724 )	2 years ago
activitypub	Remove deprecated packages & staticcheck fixes (#22012 )	2 years ago
analyze	Implement FSFE REUSE for golang files (#21840 )	2 years ago
auth	Fix bugs with WebAuthn preventing sign in and registration. (#22651 )	2 years ago
avatar	Unify hashing for avatar (#22289 )	2 years ago
base	Implement FSFE REUSE for golang files (#21840 )	2 years ago
cache	Fix get system setting bug when enabled redis cache (#22295 )	2 years ago
charset	Fix line spacing for plaintext previews (#22699 )	2 years ago
container	Implement FSFE REUSE for golang files (#21840 )	2 years ago
context	Implement actions (#21937 )	2 years ago
csv	Implement FSFE REUSE for golang files (#21840 )	2 years ago
doctor	Add cron method to gc LFS MetaObjects (#22385 )	2 years ago
emoji	Fix unstable emoji sort (#22346 )	2 years ago
eventsource	Move `convert` package to services (#22264 )	2 years ago
generate	Implement FSFE REUSE for golang files (#21840 )	2 years ago
git	Refactor git command package to improve security and maintainability (#22678 )	2 years ago
gitgraph	Refactor git command package to improve security and maintainability (#22678 )	2 years ago
graceful	Implement FSFE REUSE for golang files (#21840 )	2 years ago
hcaptcha	Consume hcaptcha and pwn deps (#22610 )	2 years ago
highlight	Implement FSFE REUSE for golang files (#21840 )	2 years ago
hostmatcher	Implement FSFE REUSE for golang files (#21840 )	2 years ago
html	Implement FSFE REUSE for golang files (#21840 )	2 years ago
httpcache	Add some comments for recent code (#22725 )	2 years ago
httplib	Implement FSFE REUSE for golang files (#21840 )	2 years ago
indexer	refactor some functions to support ctx as first parameter (#21878 )	2 years ago
issue/template	Allow issue templates to not render title (#22589 )	2 years ago
json	Update gitea-vet to check FSFE REUSE (#22004 )	2 years ago
lfs	Implement FSFE REUSE for golang files (#21840 )	2 years ago
log	Improve trace logging for pulls and processes (#22633 )	2 years ago
markup	Fix README TOC links (#22577 )	2 years ago
mcaptcha	Implement FSFE REUSE for golang files (#21840 )	2 years ago
metrics	Implement FSFE REUSE for golang files (#21840 )	2 years ago
migration	Show migration validation error (#22619 )	2 years ago
mirror	Implement FSFE REUSE for golang files (#21840 )	2 years ago
nosql	Implement FSFE REUSE for golang files (#21840 )	2 years ago
notification	Implement actions (#21937 )	2 years ago
options	Implement FSFE REUSE for golang files (#21840 )	2 years ago
packages	Add Conda package registry (#22262 )	2 years ago
paginator	Update gitea-vet to check FSFE REUSE (#22004 )	2 years ago
password	Consume hcaptcha and pwn deps (#22610 )	2 years ago
pprof	Implement FSFE REUSE for golang files (#21840 )	2 years ago
private	Implement actions (#21937 )	2 years ago
process	Improve trace logging for pulls and processes (#22633 )	2 years ago
proxy	Implement FSFE REUSE for golang files (#21840 )	2 years ago
proxyprotocol	Implement FSFE REUSE for golang files (#21840 )	2 years ago
public	Implement FSFE REUSE for golang files (#21840 )	2 years ago
queue	Correctly handle select on multiple channels in Queues (#22146 )	2 years ago
recaptcha	Implement FSFE REUSE for golang files (#21840 )	2 years ago
references	Use correct captured group range when parsing cross-reference (#22672 )	2 years ago
regexplru	Implement FSFE REUSE for golang files (#21840 )	2 years ago
repository	Refactor git command package to improve security and maintainability (#22678 )	2 years ago
secret	Implement FSFE REUSE for golang files (#21840 )	2 years ago
session	Update gitea-vet to check FSFE REUSE (#22004 )	2 years ago
setting	Use native error checking with `exec.ErrDot` (#22735 )	2 years ago
sitemap	Fix sitemap (#22272 )	2 years ago
ssh	Implement FSFE REUSE for golang files (#21840 )	2 years ago
storage	Implement actions (#21937 )	2 years ago
structs	Implement actions (#21937 )	2 years ago
svg	Implement FSFE REUSE for golang files (#21840 )	2 years ago
sync	Implement FSFE REUSE for golang files (#21840 )	2 years ago
system	Implement FSFE REUSE for golang files (#21840 )	2 years ago
templates	Implement actions (#21937 )	2 years ago
test	refactor some functions to support ctx as first parameter (#21878 )	2 years ago
timeutil	Check for zero time instant in `TimeStamp.IsZero()` (#22171 )	2 years ago
translation	Implement FSFE REUSE for golang files (#21840 )	2 years ago
typesniffer	Implement FSFE REUSE for golang files (#21840 )	2 years ago
updatechecker	Implement FSFE REUSE for golang files (#21840 )	2 years ago
upload	Implement FSFE REUSE for golang files (#21840 )	2 years ago
uri	Implement FSFE REUSE for golang files (#21840 )	2 years ago
user	Implement FSFE REUSE for golang files (#21840 )	2 years ago
util	Improve checkIfPRContentChanged (#22611 )	2 years ago
validation	Implement FSFE REUSE for golang files (#21840 )	2 years ago
watcher	Implement FSFE REUSE for golang files (#21840 )	2 years ago
web	refactor bind functions based on generics (#22055 )	2 years ago
webhook	Restructure `webhook` module (#22256 )	2 years ago