From: Junio C Hamano <gitster@pobox.com>
To: Han Young <hanyang.tony@bytedance.com>
Cc: git@vger.kernel.org, karthik.188@gmail.com, ps@pks.im,
Han Young <hanyoung@protonmail.com>, Sigma <git@sigma-star.io>
Subject: Re: [PATCH v=2 1/1] files-backend: check symref name before update
Date: Sun, 05 Oct 2025 14:53:39 -0700 [thread overview]
Message-ID: <xmqq347xrp5o.fsf@gitster.g> (raw)
In-Reply-To: <20251004144223.23436-2-hanyang.tony@bytedance.com> (Han Young's message of "Sat, 4 Oct 2025 22:42:23 +0800")
Han Young <hanyang.tony@bytedance.com> writes:
> From: Han Young <hanyoung@protonmail.com>
>
> In the ref files backend, the symbolic reference name is not checked
> before an update. This could cause reference and lock files to be created
> outside the refs/ directory. Validate the reference before adding it to
> the ref update transaction.
This leaves the readers wondering why refname_is_safe(), which has
no direct callers other than "git show-ref verify", is sufficient
for the purpose of this particular validation. All other callers of
refname_is_safe() seem to use it only as a sanity check combined
with other criteria.
For example, refs.c::transaction_refname_valid() calls
refname_is_safe() as a small part of its validation, together with
check_refname_format(). It also refuses to touch anything that
satisfies is_pseudo_ref().
> Reported-by: Sigma <git@sigma-star.io>
> Signed-off-by: Han Young <hanyoung@protonmail.com>
> ---
> refs/files-backend.c | 10 ++++++++++
> t/t7102-reset.sh | 8 ++++++++
> 2 files changed, 18 insertions(+)
>
> diff --git a/refs/files-backend.c b/refs/files-backend.c
> index bc3347d18..d47a8c392 100644
> --- a/refs/files-backend.c
> +++ b/refs/files-backend.c
> @@ -2516,6 +2516,16 @@ static enum ref_transaction_error split_symref_update(struct ref_update *update,
> struct ref_update *new_update;
> unsigned int new_flags;
>
> + /*
> + * Check the referent is valid before adding it to the transaction.
> + */
> + if (!refname_is_safe(referent)) {
> + strbuf_addf(err,
> + "reference '%s' appears to be broken",
> + update->refname);
> + return -1;
> + }
> +
> /*
> * First make sure that referent is not already in the
> * transaction. This check is O(lg N) in the transaction
> diff --git a/t/t7102-reset.sh b/t/t7102-reset.sh
> index 0503a64d3..1dc314474 100755
> --- a/t/t7102-reset.sh
> +++ b/t/t7102-reset.sh
> @@ -634,4 +634,12 @@ test_expect_success 'reset handles --end-of-options' '
> test_cmp expect actual
> '
>
> +test_expect_success 'reset should fail when HEAD is corrupt' '
> + head=$(cat .git/HEAD) &&
> + hex=$(git log -1 --format="%h") &&
> + echo "ref: refs/../foo" > .git/HEAD &&
> + test_must_fail git reset $hex &&
> + echo $head > .git/HEAD
> +'
> +
> test_done
next prev parent reply other threads:[~2025-10-05 21:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-04 14:42 [PATCH v=2 0/1] files-backend: check symref name before update Han Young
2025-10-04 14:42 ` [PATCH v=2 1/1] " Han Young
2025-10-05 21:53 ` Junio C Hamano [this message]
2025-10-06 0:46 ` Jeff King
2025-10-06 15:52 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq347xrp5o.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@sigma-star.io \
--cc=git@vger.kernel.org \
--cc=hanyang.tony@bytedance.com \
--cc=hanyoung@protonmail.com \
--cc=karthik.188@gmail.com \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).