From: Junio C Hamano <gitster@pobox.com>
To: Han Young <hanyang.tony@bytedance.com>
Cc: git@vger.kernel.org,  karthik.188@gmail.com,  ps@pks.im,
	 Han Young <hanyoung@protonmail.com>,  Sigma <git@sigma-star.io>
Subject: Re: [PATCH v=2 1/1] files-backend: check symref name before update
Date: Sun, 05 Oct 2025 14:53:39 -0700
Message-ID: <xmqq347xrp5o.fsf@gitster.g>
In-Reply-To: <20251004144223.23436-2-hanyang.tony@bytedance.com> (Han Young's message of "Sat, 4 Oct 2025 22:42:23 +0800")

Han Young <hanyang.tony@bytedance.com> writes:

> From: Han Young <hanyoung@protonmail.com>
>
> In the ref files backend, the symbolic reference name is not checked
> before an update. This could cause reference and lock files to be created
> outside the refs/ directory. Validate the reference before adding it to
> the ref update transaction.

This leaves the readers wondering why refname_is_safe(), which has
no direct callers other than "git show-ref verify", is sufficient
for the purpose of this particular validation.  All other callers of
refname_is_safe() seem to use it only as a sanity check combined
with other criteria.

For example, refs.c::transaction_refname_valid() calls
refname_is_safe() as a small part of its validation, together with
check_refname_format().  It also refuses to touch anything that
satisfies is_pseudo_ref().



> Reported-by: Sigma <git@sigma-star.io>
> Signed-off-by: Han Young <hanyoung@protonmail.com>
> ---
>  refs/files-backend.c | 10 ++++++++++
>  t/t7102-reset.sh     |  8 ++++++++
>  2 files changed, 18 insertions(+)
>
> diff --git a/refs/files-backend.c b/refs/files-backend.c
> index bc3347d18..d47a8c392 100644
> --- a/refs/files-backend.c
> +++ b/refs/files-backend.c
> @@ -2516,6 +2516,16 @@ static enum ref_transaction_error split_symref_update(struct ref_update *update,
>  	struct ref_update *new_update;
>  	unsigned int new_flags;
>  
> +	/*
> +	 * Check the referent is valid before adding it to the transaction.
> +	 */
> +	if (!refname_is_safe(referent)) {
> +		strbuf_addf(err,
> +			    "reference '%s' appears to be broken",
> +			    update->refname);
> +		return -1;
> +	}
> +
>  	/*
>  	 * First make sure that referent is not already in the
>  	 * transaction. This check is O(lg N) in the transaction
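Review bot: in the added `if (!refname_is_safe(referent))` block, the message passed to strbuf_addf() prints update->refname, but the value that failed the check is referent, so the user is shown the name of the symref and not the bad target it points at; printing both names would make the failure diagnosable. The block also ends in `return -1;` inside a function that the hunk header declares as returning enum ref_transaction_error, where a named enumerator would be clearer than a bare literal. Finally, the new comment says the referent is checked to be "valid" while the code only calls refname_is_safe(); either say in the comment why that check is sufficient at this point or tighten the check.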
> diff --git a/t/t7102-reset.sh b/t/t7102-reset.sh
> index 0503a64d3..1dc314474 100755
> --- a/t/t7102-reset.sh
> +++ b/t/t7102-reset.sh
> @@ -634,4 +634,12 @@ test_expect_success 'reset handles --end-of-options' '
>  	test_cmp expect actual
>  '
>  
> +test_expect_success 'reset should fail when HEAD is corrupt' '
> +	head=$(cat .git/HEAD) &&
> +	hex=$(git log -1 --format="%h") &&
> +	echo "ref: refs/../foo" > .git/HEAD &&
> +	test_must_fail git reset $hex &&
> +	echo $head > .git/HEAD
> +'
> +
>  test_done
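Review bot: the restore step `echo $head > .git/HEAD` is the last link of the && chain in the new test, so if `test_must_fail git reset $hex` does not hold, HEAD is left pointing at refs/../foo for everything that runs afterwards; registering the restore with test_when_finished right after $head is saved would make the cleanup unconditional. The test also asserts only that reset fails, while the commit message is about reference and lock files being created outside refs/, so it should additionally check that no foo or foo.lock file appeared under .git. Quoting "$head" in the restore would keep the original content from being word-split.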

Thread overview: 5+ messages
2025-10-04 14:42 [PATCH v=2 0/1] files-backend: check symref name before update Han Young
2025-10-04 14:42 ` [PATCH v=2 1/1] " Han Young
2025-10-05 21:53   ` Junio C Hamano [this message]
2025-10-06  0:46     ` Jeff King
2025-10-06 15:52       ` Junio C Hamano
