Commit info | |
---|---|
ID | f401f0be89cf5ca29278cc836cdb50faca4613aa |
Author | Runxi Yu<me@runxiyu.org> |
Author date | Fri, 07 Mar 2025 15:15:29 +0800 |
Committer | Runxi Yu<me@runxiyu.org> |
Committer date | Fri, 07 Mar 2025 15:15:29 +0800 |
hooks: Send/process environment variables starting with GIT_
/* * SPDX-License-Identifier: AGPL-3.0-only * SPDX-FileContributor: Runxi Yu <https://runxiyu.org> * SPDX-FileContributor: Test_User <hax@runxiyu.org> */ #include <errno.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/stat.h> #include <string.h> #include <fcntl.h> #include <signal.h> int main(int argc, char *argv[]) { if (signal(SIGPIPE, SIG_IGN) == SIG_ERR) { perror("signal"); return EXIT_FAILURE; } const char *socket_path = getenv("LINDENII_FORGE_HOOKS_SOCKET_PATH"); if (socket_path == NULL) { dprintf(STDERR_FILENO, "environment variable LINDENII_FORGE_HOOKS_SOCKET_PATH undefined\n"); return EXIT_FAILURE; } const char *cookie = getenv("LINDENII_FORGE_HOOKS_COOKIE"); if (cookie == NULL) { dprintf(STDERR_FILENO, "environment variable LINDENII_FORGE_HOOKS_COOKIE undefined\n"); return EXIT_FAILURE; } if (strlen(cookie) != 64) { dprintf(STDERR_FILENO, "environment variable LINDENII_FORGE_HOOKS_COOKIE is not 64 characters long\n"); return EXIT_FAILURE; } /* * All hooks in git (see builtin/receive-pack.c) use a pipe by setting * .in = -1 on the child_process struct, which enables us to use * splice(2) to move the data to the UNIX domain socket. Just to be * safe, we check that stdin is a pipe; and additionally we fetch the * buffer size of the pipe to use as the maximum size for the splice. * * We connect to the UNIX domain socket after ensuring that standard * input matches our expectations. */ struct stat stdin_stat; if (fstat(STDIN_FILENO, &stdin_stat) == -1) { perror("fstat on stdin"); return EXIT_FAILURE; } if (!S_ISFIFO(stdin_stat.st_mode)) { dprintf(STDERR_FILENO, "stdin must be a pipe\n"); return EXIT_FAILURE; } int stdin_pipe_size = fcntl(STDIN_FILENO, F_GETPIPE_SZ); if (stdin_pipe_size == -1) { perror("fcntl on stdin"); return EXIT_FAILURE; } /* * ... And we do the same for stderr. 
Later we will splice from the * socket to stderr, to let the daemon report back to the user. */ struct stat stderr_stat; if (fstat(STDERR_FILENO, &stderr_stat) == -1) { perror("fstat on stderr"); return EXIT_FAILURE; } if (!S_ISFIFO(stderr_stat.st_mode)) { dprintf(STDERR_FILENO, "stderr must be a pipe\n"); return EXIT_FAILURE; } int stderr_pipe_size = fcntl(STDERR_FILENO, F_GETPIPE_SZ); if (stderr_pipe_size == -1) { perror("fcntl on stderr"); return EXIT_FAILURE; } /* * Now that we know that stdin and stderr are pipes, we can connect to * the UNIX domain socket. We don't do this earlier because we don't * want to create unnecessary connections if the hook was called * inappropriately (such as by a user with shell access in their * terminal). */ int sock; struct sockaddr_un addr; sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock == -1) { perror("internal socket creation"); return EXIT_FAILURE; } memset(&addr, 0, sizeof(struct sockaddr_un)); addr.sun_family = AF_UNIX; strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1); if (connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) == -1) { perror("internal socket connect"); close(sock); return EXIT_FAILURE; } /* * We first send the 64-byte cookie to the UNIX domain socket */ ssize_t cookie_bytes_sent = send(sock, cookie, 64, 0); switch (cookie_bytes_sent) { case -1: perror("send cookie"); close(sock); return EXIT_FAILURE; case 64: break; default: dprintf(STDERR_FILENO, "send returned unexpected value on internal socket\n"); close(sock); return EXIT_FAILURE; } /* * Next we can report argc and argv to the UNIX domain socket. 
*/ uint64_t argc64 = (uint64_t)argc; ssize_t bytes_sent = send(sock, &argc64, sizeof(argc64), 0); switch (bytes_sent) { case -1: perror("send argc"); close(sock); return EXIT_FAILURE; case sizeof(argc64): break; default: dprintf(STDERR_FILENO, "send returned unexpected value on internal socket\n"); close(sock); return EXIT_FAILURE; } for (int i = 0; i < argc; i++) { unsigned long len = strlen(argv[i]) + 1; bytes_sent = send(sock, argv[i], len, 0); if (bytes_sent == -1) { perror("send argv"); close(sock); exit(EXIT_FAILURE); } else if ((unsigned long)bytes_sent == len) { } else { dprintf(STDERR_FILENO, "send returned unexpected value on internal socket\n"); close(sock); exit(EXIT_FAILURE); } } /*
* Then send all environment variables that begin with "GIT_" */ extern char **environ; for (char **env = environ; *env != NULL; env++) { if (strncmp(*env, "GIT_", 4) == 0) { unsigned long len = strlen(*env) + 1; bytes_sent = send(sock, *env, len, 0); if (bytes_sent == -1) { perror("send env"); close(sock); exit(EXIT_FAILURE); } else if ((unsigned long)bytes_sent == len) { } else { dprintf(STDERR_FILENO, "send returned unexpected value on internal socket\n"); close(sock); exit(EXIT_FAILURE); } } } bytes_sent = send(sock, "", 1, 0); if (bytes_sent == -1) { perror("send env terminator"); close(sock); exit(EXIT_FAILURE); } else if (bytes_sent == 1) { } else { dprintf(STDERR_FILENO, "send returned unexpected value on internal socket\n"); close(sock); exit(EXIT_FAILURE); } /*
* Now we can start splicing data from stdin to the UNIX domain socket. * The format is irrelevant and depends on the hook being called. All we * do is pass it to the socket for it to handle. */ ssize_t stdin_bytes_spliced; while ((stdin_bytes_spliced = splice(STDIN_FILENO, NULL, sock, NULL, stdin_pipe_size, SPLICE_F_MORE)) > 0) { } if (stdin_bytes_spliced == -1) { perror("splice stdin to internal socket"); close(sock); return EXIT_FAILURE; } /* * The sending part of the UNIX socket should be shut down, to let * io.Copy on the Go side return. */ if (shutdown(sock, SHUT_WR) == -1) { perror("shutdown internal socket"); close(sock); return EXIT_FAILURE; } /* * The first byte of the response from the UNIX domain socket is the * status code. We read it and record it as our return value. * * FIXME: It doesn't make sense to require the return value to be * sent before the log message. However, if we were to keep splicing, * it's difficult to get the last byte before EOF. Perhaps we could * hack together some sort of OOB message or ancillary data, or perhaps * even use signals. */ char status_buf[1]; ssize_t bytes_read = read(sock, status_buf, 1); switch (bytes_read) { case -1: perror("read status code from internal socket"); close(sock); return EXIT_FAILURE; case 0: dprintf(STDERR_FILENO, "unexpected EOF on internal socket\n"); close(sock); return EXIT_FAILURE; case 1: break; default: dprintf(STDERR_FILENO, "read returned unexpected value on internal socket\n"); close(sock); return EXIT_FAILURE; } /* * Now we can splice data from the UNIX domain socket to stderr. * This data is directly passed to the user (with "remote: " prepended). */ ssize_t stderr_bytes_spliced; while ((stderr_bytes_spliced = splice(sock, NULL, STDERR_FILENO, NULL, stderr_pipe_size, SPLICE_F_MORE)) > 0) { } if (stdin_bytes_spliced == -1 && errno != ECONNRESET) { perror("splice internal socket to stderr"); close(sock); return EXIT_FAILURE; } close(sock); return *status_buf; }
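Review bot: The error check after the final socket-to-stderr splice loop tests `stdin_bytes_spliced`, which is always 0 by then because the -1 case has already returned, so a failed splice into stderr is never reported; it should read `if (stderr_bytes_spliced == -1 && errno != ECONNRESET) {`. These lines look like unchanged context rather than part of the GIT_ forwarding this commit adds, but the page does not mark sides, so I am raising it on the file as shown. In the added block itself, the comment could state the wire format (each matching entry sent as a NUL-terminated string, then a single empty string as terminator), since the Go parser depends on exactly that framing and on every entry containing `=`.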
// SPDX-License-Identifier: AGPL-3.0-only // SPDX-FileContributor: Runxi Yu <https://runxiyu.org> package main import ( "bytes" "context" "encoding/binary" "errors" "fmt" "io" "net" "os" "path/filepath" "strconv" "strings" "syscall" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" "github.com/jackc/pgx/v5" "go.lindenii.runxiyu.org/lindenii-common/ansiec" ) var ( err_get_fd = errors.New("unable to get file descriptor") err_get_ucred = errors.New("failed getsockopt") ) // hooks_handle_connection handles a connection from git_hooks_client via the // unix socket. func hooks_handle_connection(conn net.Conn) { var ctx context.Context var cancel context.CancelFunc var ucred *syscall.Ucred var err error var cookie []byte var pack_to_hook pack_to_hook_t var ssh_stderr io.Writer var ok bool var hook_return_value byte defer conn.Close() ctx, cancel = context.WithCancel(context.Background()) defer cancel() // There aren't reasonable cases where someone would run this as // another user. 
if ucred, err = get_ucred(conn); err != nil { if _, err = conn.Write([]byte{1}); err != nil { return } wf_error(conn, "\nUnable to get peer credentials: %v", err) return } if ucred.Uid != uint32(os.Getuid()) { if _, err = conn.Write([]byte{1}); err != nil { return } wf_error(conn, "\nUID mismatch") return } cookie = make([]byte, 64) if _, err = conn.Read(cookie); err != nil { if _, err = conn.Write([]byte{1}); err != nil { return } wf_error(conn, "\nFailed to read cookie: %v", err) return } pack_to_hook, ok = pack_to_hook_by_cookie.Load(string(cookie)) if !ok { if _, err = conn.Write([]byte{1}); err != nil { return } wf_error(conn, "\nInvalid handler cookie") return } ssh_stderr = pack_to_hook.session.Stderr() _, _ = ssh_stderr.Write([]byte{'\n'}) hook_return_value = func() byte { var argc64 uint64 if err = binary.Read(conn, binary.NativeEndian, &argc64); err != nil { wf_error(ssh_stderr, "Failed to read argc: %v", err) return 1 } var args []string for i := uint64(0); i < argc64; i++ { var arg bytes.Buffer for { b := make([]byte, 1) n, err := conn.Read(b) if err != nil || n != 1 { wf_error(ssh_stderr, "Failed to read arg: %v", err) return 1 } if b[0] == 0 { break } arg.WriteByte(b[0]) } args = append(args, arg.String()) }
git_env := make(map[string]string) for { var env_line bytes.Buffer for { b := make([]byte, 1) n, err := conn.Read(b) if err != nil || n != 1 { wf_error(ssh_stderr, "Failed to read environment variable: %v", err) return 1 } if b[0] == 0 { break } env_line.WriteByte(b[0]) } if env_line.Len() == 0 { break } kv := env_line.String() parts := strings.SplitN(kv, "=", 2) if len(parts) < 2 { wf_error(ssh_stderr, "Invalid environment variable line: %v", kv) return 1 } git_env[parts[0]] = parts[1] } fmt.Printf("%#v\n", git_env)
var stdin bytes.Buffer if _, err = io.Copy(&stdin, conn); err != nil { wf_error(conn, "Failed to read to the stdin buffer: %v", err) } switch filepath.Base(args[0]) { case "pre-receive": if pack_to_hook.direct_access { return 0 } else { all_ok := true for { var line, old_oid, rest, new_oid, ref_name string var found bool var old_hash, new_hash plumbing.Hash var old_commit, new_commit *object.Commit line, err = stdin.ReadString('\n') if errors.Is(err, io.EOF) { break } else if err != nil { wf_error(ssh_stderr, "Failed to read pre-receive line: %v", err) return 1 } line = line[:len(line)-1] old_oid, rest, found = strings.Cut(line, " ") if !found { wf_error(ssh_stderr, "Invalid pre-receive line: %v", line) return 1 } new_oid, ref_name, found = strings.Cut(rest, " ") if !found { wf_error(ssh_stderr, "Invalid pre-receive line: %v", line) return 1 } if strings.HasPrefix(ref_name, "refs/heads/contrib/") { if all_zero_num_string(old_oid) { // New branch fmt.Fprintln(ssh_stderr, ansiec.Blue+"POK"+ansiec.Reset, ref_name) var new_mr_id int err = database.QueryRow(ctx, "INSERT INTO merge_requests (repo_id, creator, source_ref, status) VALUES ($1, $2, $3, 'open') RETURNING id", pack_to_hook.repo_id, pack_to_hook.user_id, strings.TrimPrefix(ref_name, "refs/heads/"), ).Scan(&new_mr_id) if err != nil { wf_error(ssh_stderr, "Error creating merge request: %v", err) return 1 } fmt.Fprintln(ssh_stderr, ansiec.Blue+"Created merge request at", generate_http_remote_url(pack_to_hook.group_path, pack_to_hook.repo_name)+"/contrib/"+strconv.FormatUint(uint64(new_mr_id), 10)+"/"+ansiec.Reset) } else { // Existing contrib branch var existing_merge_request_user_id int var is_ancestor bool err = database.QueryRow(ctx, "SELECT COALESCE(creator, 0) FROM merge_requests WHERE source_ref = $1 AND repo_id = $2", strings.TrimPrefix(ref_name, "refs/heads/"), pack_to_hook.repo_id, ).Scan(&existing_merge_request_user_id) if err != nil { if errors.Is(err, pgx.ErrNoRows) { wf_error(ssh_stderr, "No existing 
merge request for existing contrib branch: %v", err) } else { wf_error(ssh_stderr, "Error querying for existing merge request: %v", err) } return 1 } if existing_merge_request_user_id == 0 { all_ok = false fmt.Fprintln(ssh_stderr, ansiec.Red+"NAK"+ansiec.Reset, ref_name, "(branch belongs to unowned MR)") continue } if existing_merge_request_user_id != pack_to_hook.user_id { all_ok = false fmt.Fprintln(ssh_stderr, ansiec.Red+"NAK"+ansiec.Reset, ref_name, "(branch belongs another user's MR)") continue } old_hash = plumbing.NewHash(old_oid) if old_commit, err = pack_to_hook.repo.CommitObject(old_hash); err != nil { wf_error(ssh_stderr, "Daemon failed to get old commit: %v", err) return 1 } // Potential BUG: I'm not sure if new_commit is guaranteed to be // detectable as they haven't been merged into the main repo's // objects yet. But it seems to work, and I don't think there's // any reason for this to only work intermitently. new_hash = plumbing.NewHash(new_oid) if new_commit, err = pack_to_hook.repo.CommitObject(new_hash); err != nil { wf_error(ssh_stderr, "Daemon failed to get new commit: %v", err) return 1 } if is_ancestor, err = old_commit.IsAncestor(new_commit); err != nil { wf_error(ssh_stderr, "Daemon failed to check if old commit is ancestor: %v", err) return 1 } if !is_ancestor { // TODO: Create MR snapshot ref instead all_ok = false fmt.Fprintln(ssh_stderr, ansiec.Red+"NAK"+ansiec.Reset, ref_name, "(force pushes are not supported yet)") continue } fmt.Fprintln(ssh_stderr, ansiec.Blue+"POK"+ansiec.Reset, ref_name) } } else { // Non-contrib branch all_ok = false fmt.Fprintln(ssh_stderr, ansiec.Red+"NAK"+ansiec.Reset, ref_name, "(you cannot push to branches outside of contrib/*)") } } fmt.Fprintln(ssh_stderr) if all_ok { fmt.Fprintln(ssh_stderr, "Overall "+ansiec.Green+"ACK"+ansiec.Reset+" (all checks passed)") return 0 } else { fmt.Fprintln(ssh_stderr, "Overall "+ansiec.Red+"NAK"+ansiec.Reset+" (one or more branches failed checks)") return 1 } } default: 
fmt.Fprintln(ssh_stderr, ansiec.Red+"Invalid hook:", args[0]+ansiec.Reset) return 1 } }() fmt.Fprintln(ssh_stderr) _, _ = conn.Write([]byte{hook_return_value}) } func serve_git_hooks(listener net.Listener) error { for { conn, err := listener.Accept() if err != nil { return err } go hooks_handle_connection(conn) } } func get_ucred(conn net.Conn) (ucred *syscall.Ucred, err error) { var unix_conn *net.UnixConn = conn.(*net.UnixConn) var fd *os.File if fd, err = unix_conn.File(); err != nil { return nil, err_get_fd } defer fd.Close() if ucred, err = syscall.GetsockoptUcred(int(fd.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED); err != nil { return nil, err_get_ucred } return ucred, nil } func all_zero_num_string(s string) bool { for _, r := range s { if r != '0' { return false } } return true }
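Review bot: `fmt.Printf("%#v\n", git_env)` at the end of the new environment-parsing loop looks like leftover debugging: it writes every received GIT_ variable to the daemon's stdout on each hook connection, and `git_env` is not used anywhere else in the visible handler. These values arrive from the hook client and, for receive hooks, may include pusher-influenced data such as push options (to be confirmed), so I would drop the line or route it through a debug-level logger. The loop also reads one byte at a time until NUL with no limit on the length of a variable or on how many are accepted, so memory use is bounded only by what the peer sends; a cap such as `if env_line.Len() >= max_env_line_len { wf_error(ssh_stderr, "Environment variable too long"); return 1 }`, with `max_env_line_len` as a new constant, would bound it. The enclosing closure continues past this block.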