Re: [PATCH 2/2] hooks: fix a TOCTOU in "did we run a hook?" heuristic

["Ævar Arnfjörð Bjarmason" <avarab@gmail.com>]

On Fri, Feb 18 2022, Junio C Hamano wrote:

>> -int run_commit_hook(int editor_is_used, const char *index_file, const char *name, ...);
>> +int run_commit_hook(int editor_is_used, const char *index_file,
>> +		    int *invoked_hook, const char *name, ...);
>>  
>
> Even though my gut feeling tells me that turning the "yes/no"
> integer into an enum that includes "there was no such hook", "I
> tried to run it, but it failed to run" [*], "I ran it and it was
> happy".  would be a more viable approach for the longer term, I
> guess this extra and ad-hoc parameter would be sufficient as a
> shorter term improvement.
>
>     Side note: optionally "failed to run" may be split into "failed
>     to even start (e.g. ENOEXEC)" and "started successfully but
>     exited with non-zero status".  There may or may not be callers
>     that wants to see them as distinct cases right now, but an
>     interface based on returned enum value would be easier to extend
>     than having to add a pointer to return variable every time we
>     need to know more details.

Yes, I debated with myself whether I should add some more generic
interface to it, and decided just to do the bare minumum of adding
something the "struct run_hooks_opt".

FWIW the "yes/no" is not that, run_commit_hook() just returns the value
of run_hooks_opt(), which is currently either an <0 error, or the status
code from the hook. I.e. what gets passed to the "task_finished_fn"
callback for run_processes_parallel_tr2(). I.e. the finish_command()
return value.

We do cover the "ENOEXEC" case in ignoring it, since if we fail on
startup we won't say we ran the hook.

I think in practice what'll matter is this "invoked_hook". I.e. if we
failed to parse our config, the hook wasn't executable or whatever
that's just a <0 error, and we didn't run the hook.

Or, if we ran it at all (even if it failed) we'll know that we need to
e.g. discard_index(), since we can't guarantee that the hook didn't get
that far that we'll need to update our own assumptions.

A caller who ares about anything else will also need to deal with a lot
more complexity once we have config-based-hooks / parallel hooks by
default. I.e. was that ENOEXEC one of N hooks, all of them, did all/one
exit non-zero etc?

Whereas "int *invoked_hook" we can just set as long as we invoked any of
them at all.