Re: [PATCH 2/2] hooks: fix a TOCTOU in "did we run a hook?" heuristic

["Ævar Arnfjörð Bjarmason" <avarab@gmail.com>]

On Fri, Feb 18 2022, Taylor Blau wrote:

> On Fri, Feb 18, 2022 at 09:43:52PM +0100, Ævar Arnfjörð Bjarmason wrote:
>> diff --git a/builtin/commit.c b/builtin/commit.c
>> index b9ed0374e30..bc5d34bc31f 100644
>> --- a/builtin/commit.c
>> +++ b/builtin/commit.c
>> @@ -725,11 +725,13 @@ static int prepare_to_commit(const char *index_file, const char *prefix,
>>  	int clean_message_contents = (cleanup_mode != COMMIT_MSG_CLEANUP_NONE);
>>  	int old_display_comment_prefix;
>>  	int merge_contains_scissors = 0;
>> +	int invoked_hook;
>>
>>  	/* This checks and barfs if author is badly specified */
>>  	determine_author_info(author_ident);
>>
>> -	if (!no_verify && run_commit_hook(use_editor, index_file, "pre-commit", NULL))
>> +	if (!no_verify && run_commit_hook(use_editor, index_file, &invoked_hook,
>> +					  "pre-commit", NULL))
>>  		return 0;
>>
>>  	if (squash_message) {
>> @@ -1052,10 +1054,10 @@ static int prepare_to_commit(const char *index_file, const char *prefix,
>>  		return 0;
>>  	}
>>
>> -	if (!no_verify && hook_exists("pre-commit")) {
>> +	if (!no_verify && invoked_hook) {
>>  		/*
>> -		 * Re-read the index as pre-commit hook could have updated it,
>> -		 * and write it out as a tree.  We must do this before we invoke
>> +		 * Re-read the index as the pre-commit-commit hook was invoked
>> +		 * and could have updated it. We must do this before we invoke
>>  		 * the editor and after we invoke run_status above.
>>  		 */
>>  		discard_cache();
>
> Sanity checking my own understating of this race: if we ran the
> pre-commit hook and it modified the index, but hook_exists() returns
> false later on (e.g., because the hook itself went away, the directory
> became unreadable, etc.), then we won't call discard_cache() when we
> should have?

Yes, it's that obscure.

> If so, OK. This definitely seems like a pretty niche race, but
> independent of that I think the change here is an improvement in
> readability, and makes it clearer that calling discard_cache() depends
> on whether or not we *ran* the pre-commit hook, not whether we (still)
> *have* a pre-commit hook.

Yeah, that's the main reason to do it. I found this really hard to
follow before, why didn't we just remember if we have/ran the thing? Now
we do.