Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)
## Review without space diff
https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1
## Purpose of this PR
1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command
## The main idea of this PR
* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
* Before: `AddArguments("-m").AddDynamicArguments(message)`
* After: `AddOptionValues("-m", message)`
* -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`
## FAQ
### Why these changes were not done in #21535 ?
#21535 is mainly a search&replace, it did its best to not change too
much logic.
Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.
### The naming of `AddOptionXxx`
According to git's manual, the `--xxx` part is called `option`.
### How can it guarantee that `internal.CmdArg` won't be not misused?
Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.
And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.
### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?
Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.
### Why there was a `CmdArgCheck` and why it's removed?
At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.
### Why many codes for `signArg == ""` is deleted?
Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> hace 1 año |
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 |
- linters:
- enable:
- - bidichk
- # - deadcode # deprecated - https://github.com/golangci/golangci-lint/issues/1841
- - depguard
- - dupl
- - errcheck
- - gocritic
- # - gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
- - gofmt
- - gofumpt
- - gosimple
- - govet
- - ineffassign
- - nakedret
- - nolintlint
- - revive
- - staticcheck
- # - structcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
- - stylecheck
- - typecheck
- - unconvert
- - unused
- # - varcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
- # - wastedassign # disabled - https://github.com/golangci/golangci-lint/issues/2649
- enable-all: false
- disable-all: true
- fast: false
-
- run:
- go: "1.20"
- timeout: 10m
- skip-dirs:
- - node_modules
- - public
- - web_src
-
- linters-settings:
- stylecheck:
- checks: ["all", "-ST1005", "-ST1003"]
- nakedret:
- max-func-lines: 0
- gocritic:
- disabled-checks:
- - ifElseChain
- - singleCaseSwitch # Every time this occurred in the code, there was no other way.
- revive:
- ignore-generated-header: false
- severity: warning
- confidence: 0.8
- errorCode: 1
- warningCode: 1
- rules:
- - name: blank-imports
- - name: context-as-argument
- - name: context-keys-type
- - name: dot-imports
- - name: error-return
- - name: error-strings
- - name: error-naming
- - name: exported
- - name: if-return
- - name: increment-decrement
- - name: var-naming
- - name: var-declaration
- - name: package-comments
- - name: range
- - name: receiver-naming
- - name: time-naming
- - name: unexported-return
- - name: indent-error-flow
- - name: errorf
- - name: duplicated-imports
- - name: modifies-value-receiver
- gofumpt:
- extra-rules: true
- lang-version: "1.20"
- depguard:
- list-type: denylist
- # Check the list against standard lib.
- include-go-root: true
- packages-with-error-message:
- - encoding/json: "use gitea's modules/json instead of encoding/json"
- - github.com/unknwon/com: "use gitea's util and replacements"
- - io/ioutil: "use os or io instead"
- - golang.org/x/exp: "it's experimental and unreliable."
- - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"
-
- issues:
- max-issues-per-linter: 0
- max-same-issues: 0
- exclude-rules:
- # Exclude some linters from running on tests files.
- - path: _test\.go
- linters:
- - gocyclo
- - errcheck
- - dupl
- - gosec
- - unparam
- - staticcheck
- - path: models/migrations/v
- linters:
- - gocyclo
- - errcheck
- - dupl
- - gosec
- - linters:
- - dupl
- text: "webhook"
- - linters:
- - gocritic
- text: "`ID' should not be capitalized"
- - path: modules/templates/helper.go
- linters:
- - gocritic
- - linters:
- - unused
- - deadcode
- text: "swagger"
- - path: contrib/pr/checkout.go
- linters:
- - errcheck
- - path: models/issue.go
- linters:
- - errcheck
- - path: models/migrations/
- linters:
- - errcheck
- - path: modules/log/
- linters:
- - errcheck
- - path: routers/api/v1/repo/issue_subscription.go
- linters:
- - dupl
- - path: routers/repo/view.go
- linters:
- - dupl
- - path: models/migrations/
- linters:
- - unused
- - linters:
- - staticcheck
- text: "argument x is overwritten before first use"
- - path: modules/httplib/httplib.go
- linters:
- - staticcheck
- # Enabling this would require refactoring the methods and how they are called.
- - path: models/issue_comment_list.go
- linters:
- - dupl
- - path: models/update.go
- linters:
- - unused
- - path: cmd/dump.go
- linters:
- - dupl
- - path: services/webhook/webhook.go
- linters:
- - structcheck
- - text: "commentFormatting: put a space between `//` and comment text"
- linters:
- - gocritic
- - text: "exitAfterDefer:"
- linters:
- - gocritic
- - path: modules/graceful/manager_windows.go
- linters:
- - staticcheck
- text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
- - path: models/user/openid.go
- linters:
- - golint
- - path: models/user/badge.go
- linters:
- - revive
- text: "exported: type name will be used as user.UserBadge by other packages, and that stutters; consider calling this Badge"
|