Hi Junio, On Fri, 17 May 2024, Junio C Hamano wrote: > "Johannes Schindelin via GitGitGadget" <gitgitgadget@xxxxxxxxx> > writes: > > > What the added protection did not anticipate is that such a > > repository-local `core.hooksPath` can not only be used to point to > > maliciously-placed scripts in the current worktree, but also to > > _prevent_ hooks from being called altogether. > > ... > > diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh > > index f6dc83e2aab..1eae346a6e3 100755 > > --- a/t/t1350-config-hooks-path.sh > > +++ b/t/t1350-config-hooks-path.sh > > @@ -41,4 +41,8 @@ test_expect_success 'git rev-parse --git-path hooks' ' > > test .git/custom-hooks/abc = "$(cat actual)" > > ' > > > > +test_expect_success 'core.hooksPath=/dev/null' ' > > + git clone -c core.hooksPath=/dev/null . no-templates > > +' > > Is it sufficient that the command exits with 0? I am wondering if > we want to verify that the resulting repository looks like it > should, e.g., with > > v=$(git -C no-templates config --local --get core.hookspath) && > test "$v" = /dev/null > > or something silly like that. I've added that, but would like to stress that the regression was _not_ that the `core.hooksPath` setting was missing from the local config. I've added it because the implied suggestion is valid that we'll want to ensure that the test case passes for the _correct_ reason ;-) Ciao, Johannes
