You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
forgejo/modules
wxiaoguang 6bc3079c00
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)

## Review without space diff

https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1

## Purpose of this PR

1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command

## The main idea of this PR

* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
    * Before: `AddArguments("-m").AddDynamicArguments(message)`
    * After: `AddOptionValues("-m", message)`
    * -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`

## FAQ

### Why these changes were not done in #21535 ?

#21535 is mainly a search&replace, it did its best to not change too
much logic.

Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.


### The naming of `AddOptionXxx`

According to git's manual, the `--xxx` part is called `option`.

### How can it guarantee that `internal.CmdArg` won't be not misused?

Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.

And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.

### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?

Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.

### Why there was a `CmdArgCheck` and why it's removed?

At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.


### Why many codes for `signArg == ""` is deleted?

Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
1 year ago
..
actions Fix actions workflow branches match bug (#22724) 1 year ago
activitypub Remove deprecated packages & staticcheck fixes (#22012) 2 years ago
analyze Implement FSFE REUSE for golang files (#21840) 2 years ago
auth Fix bugs with WebAuthn preventing sign in and registration. (#22651) 1 year ago
avatar Unify hashing for avatar (#22289) 1 year ago
base Implement FSFE REUSE for golang files (#21840) 2 years ago
cache Fix get system setting bug when enabled redis cache (#22295) 1 year ago
charset Fix line spacing for plaintext previews (#22699) 1 year ago
container Implement FSFE REUSE for golang files (#21840) 2 years ago
context Implement actions (#21937) 1 year ago
csv Implement FSFE REUSE for golang files (#21840) 2 years ago
doctor Add cron method to gc LFS MetaObjects (#22385) 1 year ago
emoji Fix unstable emoji sort (#22346) 1 year ago
eventsource Move `convert` package to services (#22264) 1 year ago
generate Implement FSFE REUSE for golang files (#21840) 2 years ago
git Refactor git command package to improve security and maintainability (#22678) 1 year ago
gitgraph Refactor git command package to improve security and maintainability (#22678) 1 year ago
graceful Implement FSFE REUSE for golang files (#21840) 2 years ago
hcaptcha Consume hcaptcha and pwn deps (#22610) 1 year ago
highlight Implement FSFE REUSE for golang files (#21840) 2 years ago
hostmatcher Implement FSFE REUSE for golang files (#21840) 2 years ago
html Implement FSFE REUSE for golang files (#21840) 2 years ago
httpcache Add some comments for recent code (#22725) 1 year ago
httplib Implement FSFE REUSE for golang files (#21840) 2 years ago
indexer refactor some functions to support ctx as first parameter (#21878) 2 years ago
issue/template Allow issue templates to not render title (#22589) 1 year ago
json Update gitea-vet to check FSFE REUSE (#22004) 2 years ago
lfs Implement FSFE REUSE for golang files (#21840) 2 years ago
log Improve trace logging for pulls and processes (#22633) 1 year ago
markup Fix README TOC links (#22577) 1 year ago
mcaptcha Implement FSFE REUSE for golang files (#21840) 2 years ago
metrics Implement FSFE REUSE for golang files (#21840) 2 years ago
migration Show migration validation error (#22619) 1 year ago
mirror Implement FSFE REUSE for golang files (#21840) 2 years ago
nosql Implement FSFE REUSE for golang files (#21840) 2 years ago
notification Implement actions (#21937) 1 year ago
options Implement FSFE REUSE for golang files (#21840) 2 years ago
packages Add Conda package registry (#22262) 1 year ago
paginator Update gitea-vet to check FSFE REUSE (#22004) 2 years ago
password Consume hcaptcha and pwn deps (#22610) 1 year ago
pprof Implement FSFE REUSE for golang files (#21840) 2 years ago
private Implement actions (#21937) 1 year ago
process Improve trace logging for pulls and processes (#22633) 1 year ago
proxy Implement FSFE REUSE for golang files (#21840) 2 years ago
proxyprotocol Implement FSFE REUSE for golang files (#21840) 2 years ago
public Implement FSFE REUSE for golang files (#21840) 2 years ago
queue Correctly handle select on multiple channels in Queues (#22146) 1 year ago
recaptcha Implement FSFE REUSE for golang files (#21840) 2 years ago
references Use correct captured group range when parsing cross-reference (#22672) 1 year ago
regexplru Implement FSFE REUSE for golang files (#21840) 2 years ago
repository Refactor git command package to improve security and maintainability (#22678) 1 year ago
secret Implement FSFE REUSE for golang files (#21840) 2 years ago
session Update gitea-vet to check FSFE REUSE (#22004) 2 years ago
setting Use native error checking with `exec.ErrDot` (#22735) 1 year ago
sitemap Fix sitemap (#22272) 1 year ago
ssh Implement FSFE REUSE for golang files (#21840) 2 years ago
storage Implement actions (#21937) 1 year ago
structs Implement actions (#21937) 1 year ago
svg Implement FSFE REUSE for golang files (#21840) 2 years ago
sync Implement FSFE REUSE for golang files (#21840) 2 years ago
system Implement FSFE REUSE for golang files (#21840) 2 years ago
templates Implement actions (#21937) 1 year ago
test refactor some functions to support ctx as first parameter (#21878) 2 years ago
timeutil Check for zero time instant in `TimeStamp.IsZero()` (#22171) 2 years ago
translation Implement FSFE REUSE for golang files (#21840) 2 years ago
typesniffer Implement FSFE REUSE for golang files (#21840) 2 years ago
updatechecker Implement FSFE REUSE for golang files (#21840) 2 years ago
upload Implement FSFE REUSE for golang files (#21840) 2 years ago
uri Implement FSFE REUSE for golang files (#21840) 2 years ago
user Implement FSFE REUSE for golang files (#21840) 2 years ago
util Improve checkIfPRContentChanged (#22611) 1 year ago
validation Implement FSFE REUSE for golang files (#21840) 2 years ago
watcher Implement FSFE REUSE for golang files (#21840) 2 years ago
web refactor bind functions based on generics (#22055) 2 years ago
webhook Restructure `webhook` module (#22256) 1 year ago