Loading pkgs/development/tools/buf/buf-tests-dont-use-file-transport.patch 0 → 100644 +51 −0 Original line number Diff line number Diff line commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b Author: Robbert van Ginkel <rvanginkel@buf.build> Date: Thu Oct 20 16:43:28 2022 -0400 Fix git unit test by using fake git server rather than file:// (#1518) More recent versions of git fix a CVE by disabling some usage of the `file://` transport, see https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253. We were using this transport in tests. Instead, use https://git-scm.com/docs/git-http-backend to serve up this repository locally so we don't have to use the file protocol. This should be a more accurate tests, since we mostly expect submodules to come from servers. diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go index 7b77b6cd..7132054e 100644 --- a/private/pkg/git/git_test.go +++ b/private/pkg/git/git_test.go @@ -17,6 +17,8 @@ package git import ( "context" "errors" + "net/http/cgi" + "net/http/httptest" "os" "os/exec" "path/filepath" @@ -213,6 +215,21 @@ func createGitDirs( runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto") runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0") + gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path") + require.NoError(t, err) + t.Log(filepath.Join(string(gitExecPath), "git-http-backend")) + // https://git-scm.com/docs/git-http-backend#_description + f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok")) + require.NoError(t, err) + require.NoError(t, f.Close()) + server := httptest.NewServer(&cgi.Handler{ + Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"), + Dir: submodulePath, + Env: []string{"GIT_PROJECT_ROOT=" + submodulePath}, + }) + t.Cleanup(server.Close) + submodulePath = server.URL + originPath := filepath.Join(tmpDir, "origin") require.NoError(t, os.MkdirAll(originPath, 0777)) runCommand(ctx, t, container, runner, "git", "-C", originPath, "init") pkgs/development/tools/buf/default.nix +3 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,9 @@ buildGoModule rec { ./skip_test_requiring_network.patch # Skip TestWorkspaceGit which requires .git and commits. ./skip_test_requiring_dotgit.patch # Remove reliance of tests on file protocol which is disabled in git by default now # Rebased upstream change https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab ./buf-tests-dont-use-file-transport.patch ]; nativeBuildInputs = [ installShellFiles ]; Loading Loading
pkgs/development/tools/buf/buf-tests-dont-use-file-transport.patch 0 → 100644 +51 −0 Original line number Diff line number Diff line commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b Author: Robbert van Ginkel <rvanginkel@buf.build> Date: Thu Oct 20 16:43:28 2022 -0400 Fix git unit test by using fake git server rather than file:// (#1518) More recent versions of git fix a CVE by disabling some usage of the `file://` transport, see https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253. We were using this transport in tests. Instead, use https://git-scm.com/docs/git-http-backend to serve up this repository locally so we don't have to use the file protocol. This should be a more accurate tests, since we mostly expect submodules to come from servers. diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go index 7b77b6cd..7132054e 100644 --- a/private/pkg/git/git_test.go +++ b/private/pkg/git/git_test.go @@ -17,6 +17,8 @@ package git import ( "context" "errors" + "net/http/cgi" + "net/http/httptest" "os" "os/exec" "path/filepath" @@ -213,6 +215,21 @@ func createGitDirs( runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto") runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0") + gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path") + require.NoError(t, err) + t.Log(filepath.Join(string(gitExecPath), "git-http-backend")) + // https://git-scm.com/docs/git-http-backend#_description + f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok")) + require.NoError(t, err) + require.NoError(t, f.Close()) + server := httptest.NewServer(&cgi.Handler{ + Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"), + Dir: submodulePath, + Env: []string{"GIT_PROJECT_ROOT=" + submodulePath}, + }) + t.Cleanup(server.Close) + submodulePath = server.URL + originPath := filepath.Join(tmpDir, "origin") require.NoError(t, os.MkdirAll(originPath, 0777)) runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
pkgs/development/tools/buf/default.nix +3 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,9 @@ buildGoModule rec { ./skip_test_requiring_network.patch # Skip TestWorkspaceGit which requires .git and commits. ./skip_test_requiring_dotgit.patch # Remove reliance of tests on file protocol which is disabled in git by default now # Rebased upstream change https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab ./buf-tests-dont-use-file-transport.patch ]; nativeBuildInputs = [ installShellFiles ]; Loading
