As documented in git-receive-pack(1), updating a ref from
within the pre-receive hook is dangerous and can corrupt
your repo. This patch forbids ref updates entirely during
the hook to make it harder for adventurous hook writers to
shoot themselves in the foot.
Signed-off-by: Jeff King <peff@xxxxxxxx>
---
Documentation/git-receive-pack.txt | 3 ++-
refs.c | 6 ++++++
t/t5547-push-quarantine.sh | 11 +++++++++++
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index 7267ecfbe..86a4b32f0 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -239,7 +239,8 @@ This has a few user-visible effects and caveats:
3. The `pre-receive` hook MUST NOT update any refs to point to
quarantined objects. Other programs accessing the repository will
not be able to see the objects (and if the pre-receive hook fails,
- those refs would become corrupted).
+ those refs would become corrupted). For safety, any ref updates
+ from within `pre-receive` are automatically rejected.
SEE ALSO
diff --git a/refs.c b/refs.c
index 0272e332c..62b405d0b 100644
--- a/refs.c
+++ b/refs.c
@@ -1516,6 +1516,12 @@ int ref_transaction_commit(struct ref_transaction *transaction,
{
struct ref_store *refs = get_ref_store(NULL);
+ if (getenv(GIT_QUARANTINE_ENVIRONMENT)) {
+ strbuf_addstr(err,
+ _("ref updates forbidden inside quarantine environment"));
+ return -1;
+ }
+
return refs->be->transaction_commit(refs, transaction, err);
}
diff --git a/t/t5547-push-quarantine.sh b/t/t5547-push-quarantine.sh
index af9fcd833..113c87007 100755
--- a/t/t5547-push-quarantine.sh
+++ b/t/t5547-push-quarantine.sh
@@ -58,4 +58,15 @@ test_expect_success 'push to repo path with path separator (colon)' '
git push "$(pwd)/xxx${pathsep}yyy.git" HEAD
'
+test_expect_success 'updating a ref from quarantine is forbidden' '
+ git init --bare update.git &&
+ write_script update.git/hooks/pre-receive <<-\EOF &&
+ read old new refname
+ git update-ref refs/heads/unrelated $new
+ exit 1
+ EOF
+ test_must_fail git push update.git HEAD &&
+ git -C update.git fsck
+'
+
test_done
--
2.12.2.952.g759391acc