1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 03:12:41 +01:00
phorge-phorge/src/applications/diffusion/engine/DiffusionCommitHookEngine.php
epriestley d2e9aee16d Reject dangerous changes in Git repositories by default
Summary: Ref T4189. This adds a per-repository "dangerous changes" flag, which defaults to off. This flag must be enabled to do non-appending branch mutation (delete branches / rewrite history).

Test Plan:
With flag on and off, performed various safe and dangerous pushes.

  >>> orbital ~/repos/POEMS $ git push origin :blarp
  remote: +---------------------------------------------------------------+
  remote: |      * * * PUSH REJECTED BY EVIL DRAGON BUREAUCRATS * * *     |
  remote: +---------------------------------------------------------------+
  remote:             \
  remote:              \                    ^    /^
  remote:               \                  / \  // \
  remote:                \   |\___/|      /   \//  .\
  remote:                 \  /V  V  \__  /    //  | \ \           *----*
  remote:                   /     /  \/_/    //   |  \  \          \   |
  remote:                   @___@`    \/_   //    |   \   \         \/\ \
  remote:                  0/0/|       \/_ //     |    \    \         \  \
  remote:              0/0/0/0/|        \///      |     \     \       |  |
  remote:           0/0/0/0/0/_|_ /   (  //       |      \     _\     |  /
  remote:        0/0/0/0/0/0/`/,_ _ _/  ) ; -.    |    _ _\.-~       /   /
  remote:                    ,-}        _      *-.|.-~-.           .~    ~
  remote:   \     \__/        `/\      /                 ~-. _ .-~      /
  remote:    \____(Oo)           *.   }            {                   /
  remote:    (    (--)          .----~-.\        \-`                 .~
  remote:    //__\\  \ DENIED!  ///.----..<        \             _ -~
  remote:   //    \\               ///-._ _ _ _ _ _ _{^ - - - - ~
  remote:
  remote:
  remote: DANGEROUS CHANGE: The change you're attempting to push deletes the branch 'blarp'.
  remote: Dangerous change protection is enabled for this repository.
  remote: Edit the repository configuration before making dangerous changes.
  remote:
  To ssh://dweller@localhost/diffusion/POEMS/
   ! [remote rejected] blarp (pre-receive hook declined)
  error: failed to push some refs to 'ssh://dweller@localhost/diffusion/POEMS/'

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, chad, richardvanvelzen

Maniphest Tasks: T4189

Differential Revision: https://secure.phabricator.com/D7689
2013-12-03 10:28:39 -08:00

258 lines
7.2 KiB
PHP

<?php
final class DiffusionCommitHookEngine extends Phobject {
private $viewer;
private $repository;
private $stdin;
private $subversionTransaction;
private $subversionRepository;
public function setSubversionTransactionInfo($transaction, $repository) {
$this->subversionTransaction = $transaction;
$this->subversionRepository = $repository;
return $this;
}
public function setStdin($stdin) {
$this->stdin = $stdin;
return $this;
}
public function getStdin() {
return $this->stdin;
}
public function setRepository(PhabricatorRepository $repository) {
$this->repository = $repository;
return $this;
}
public function getRepository() {
return $this->repository;
}
public function setViewer(PhabricatorUser $viewer) {
$this->viewer = $viewer;
return $this;
}
public function getViewer() {
return $this->viewer;
}
public function execute() {
$type = $this->getRepository()->getVersionControlSystem();
switch ($type) {
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
$err = $this->executeGitHook();
break;
case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
$err = $this->executeSubversionHook();
break;
case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
$err = $this->executeMercurialHook();
break;
default:
throw new Exception(pht('Unsupported repository type "%s"!', $type));
}
return $err;
}
/**
* @task git
*/
private function executeGitHook() {
$updates = $this->parseGitUpdates($this->getStdin());
$this->rejectGitDangerousChanges($updates);
// TODO: Do cheap checks: non-ff commits, mutating refs without access,
// creating or deleting things you can't touch. We can do all non-content
// checks here.
$updates = $this->findGitNewCommits($updates);
// TODO: Now, do content checks.
return 0;
}
/**
* @task git
*/
private function parseGitUpdates($stdin) {
$updates = array();
$lines = phutil_split_lines($stdin, $retain_endings = false);
foreach ($lines as $line) {
$parts = explode(' ', $line, 3);
if (count($parts) != 3) {
throw new Exception(pht('Expected "old new ref", got "%s".', $line));
}
$update = array(
'old' => $parts[0],
'old.short' => substr($parts[0], 0, 8),
'new' => $parts[1],
'new.short' => substr($parts[1], 0, 8),
'ref' => $parts[2],
);
if (preg_match('(^refs/heads/)', $update['ref'])) {
$update['type'] = 'branch';
$update['ref.short'] = substr($update['ref'], strlen('refs/heads/'));
} else if (preg_match('(^refs/tags/)', $update['ref'])) {
$update['type'] = 'tag';
$update['ref.short'] = substr($update['ref'], strlen('refs/tags/'));
} else {
$update['type'] = 'unknown';
}
$updates[] = $update;
}
$updates = $this->findGitMergeBases($updates);
return $updates;
}
/**
* @task git
*/
private function findGitMergeBases(array $updates) {
$empty = str_repeat('0', 40);
$futures = array();
foreach ($updates as $key => $update) {
// Updates are in the form:
//
// <old hash> <new hash> <ref>
//
// If the old hash is "00000...", the ref is being created (either a new
// branch, or a new tag). If the new hash is "00000...", the ref is being
// deleted. If both are nonempty, the ref is being updated. For updates,
// we'll figure out the `merge-base` of the old and new objects here. This
// lets us reject non-FF changes cheaply; later, we'll figure out exactly
// which commits are new.
if ($update['old'] == $empty) {
$updates[$key]['operation'] = 'create';
} else if ($update['new'] == $empty) {
$updates[$key]['operation'] = 'delete';
} else {
$updates[$key]['operation'] = 'update';
$futures[$key] = $this->getRepository()->getLocalCommandFuture(
'merge-base %s %s',
$update['old'],
$update['new']);
}
}
foreach (Futures($futures)->limit(8) as $key => $future) {
list($stdout) = $future->resolvex();
$updates[$key]['merge-base'] = rtrim($stdout, "\n");
}
return $updates;
}
private function findGitNewCommits(array $updates) {
$futures = array();
foreach ($updates as $key => $update) {
if ($update['operation'] == 'delete') {
// Deleting a branch or tag can never create any new commits.
continue;
}
// NOTE: This piece of magic finds all new commits, by walking backward
// from the new value to the value of *any* existing ref in the
// repository. Particularly, this will cover the cases of a new branch, a
// completely moved tag, etc.
$futures[$key] = $this->getRepository()->getLocalCommandFuture(
'log --format=%s %s --not --all',
'%H',
$update['new']);
}
foreach (Futures($futures)->limit(8) as $key => $future) {
list($stdout) = $future->resolvex();
$commits = phutil_split_lines($stdout, $retain_newlines = false);
$updates[$key]['commits'] = $commits;
}
return $updates;
}
private function rejectGitDangerousChanges(array $updates) {
$repository = $this->getRepository();
if ($repository->shouldAllowDangerousChanges()) {
return;
}
foreach ($updates as $update) {
if ($update['type'] != 'branch') {
// For now, we don't consider deleting or moving tags to be a
// "dangerous" update. It's way harder to get wrong and should be easy
// to recover from once we have better logging.
continue;
}
if ($update['operation'] == 'create') {
// Creating a branch is never dangerous.
continue;
}
if ($update['operation'] == 'change') {
if ($update['old'] == $update['merge-base']) {
// This is a fast-forward update to an existing branch.
// These are safe.
continue;
}
}
// We either have a branch deletion or a non fast-forward branch update.
// Format a message and reject the push.
if ($update['operation'] == 'delete') {
$message = pht(
"DANGEROUS CHANGE: The change you're attempting to push deletes ".
"the branch '%s'.",
$update['ref.short']);
} else {
$message = pht(
"DANGEROUS CHANGE: The change you're attempting to push updates ".
"the branch '%s' from '%s' to '%s', but this is not a fast-forward. ".
"Pushes which rewrite published branch history are dangerous.",
$update['ref.short'],
$update['old.short'],
$update['new.short']);
}
$boilerplate = pht(
"Dangerous change protection is enabled for this repository.\n".
"Edit the repository configuration before making dangerous changes.");
$message = $message."\n".$boilerplate;
throw new DiffusionCommitHookRejectException($message);
}
}
private function executeSubversionHook() {
// TODO: Do useful things here, too.
return 0;
}
private function executeMercurialHook() {
// TODO: Here, too, useful things should be done.
return 0;
}
}