1. 09 Jan, 2019 1 commit
  2. 04 Jan, 2019 1 commit
  3. 19 Dec, 2018 1 commit
  4. 14 Dec, 2018 1 commit
  5. 04 Dec, 2018 8 commits
  6. 03 Dec, 2018 1 commit
    • crlf_data: move to a "to_workdir" folder · 13a8bc92
      Move the crlf_data folders reponsible for holding the state of the
      filters going into the working directory to "to_workdir" variations of
      the folder name to accommodate future growth into the "to odb" filter
      variation.  Update the script to create these new folders as appopriate.
      Edward Thomson committed
  7. 01 Dec, 2018 2 commits
  8. 28 Nov, 2018 14 commits
    • stream registration: take an enum type · 02bb39f4
      Accept an enum (`git_stream_t`) during custom stream registration that
      indicates whether the registration structure should be used for standard
      (non-TLS) streams or TLS streams.
      Edward Thomson committed
    • stream: provide generic registration API · df2cc108
      Update the new stream registration API to be `git_stream_register`
      which takes a registration structure and a TLS boolean.  This allows
      callers to register non-TLS streams as well as TLS streams.
      
      Provide `git_stream_register_tls` that takes just the init callback for
      backward compatibliity.
      Edward Thomson committed
    • tests: optionally ignore https cert validation · 45054732
      For testing, we may wish to use a man-in-the-middle proxy that can
      inspect the CONNECT traffic to our test endpoints.  For this, we will
      need to accept the proxy's certificate, which will not be valid for the
      true endpoint.
      
      Add a new environment variable, GITTEST_REMOTE_SSL_NOVERIFY to disable
      https certificate validation for the tests.
      Edward Thomson committed
    • tls: introduce a wrap function · 43b592ac
      Introduce `git_tls_stream_wrap` which will take an existing `stream`
      with an already connected socket and begin speaking TLS on top of it.
      This is useful if you've built a connection to a proxy server and you
      wish to begin CONNECT over it to tunnel a TLS connection.
      
      Also update the pluggable TLS stream layer so that it can accept a
      registration structure that provides an `init` and `wrap` function,
      instead of a single initialization function.
      Edward Thomson committed
    • proxy tests: rename credential callback · 6ba3e6af
      Rename credential callback to proxy_cred_cb to match new cert callback.
      Edward Thomson committed
    • proxy tests: support self-signed proxy cert · 394ae7e1
      Give the proxy tests a proxy certificate callback, and allow self-signed
      certificates when the `GITTEST_REMOTE_PROXY_SELFSIGNED` environment
      variable is set (to anything).  In that case, simply compare the hostname
      from the callback to the hostname that we connected to.
      Edward Thomson committed
    • tests: support optional PROXY_SCHEME · 4ecc14cd
      As we want to support HTTPS proxies, support an optional
      `GITTEST_REMOTE_PROXY_SCHEME` environment variable for tests that will
      allow for HTTPS support.  (When unset, the tests default to HTTP
      proxies.)
      Edward Thomson committed
    • tests: PROXY_URL is more accurately PROXY_HOST · de60d9b4
      Change the `GITTEST_REMOTE_PROXY_URL` environment variable to be
      `GITTEST_REMOTE_PROXY_HOST`, since it is a host:port combination, not an
      actual URL.  (We cannot use a URL here since we may want to include the
      username:password combination in the constructed URL.)
      Edward Thomson committed
    • tests: mailmap: avoid definition of unused static variables · 2521e11c
      The mailmap testdata header contains a set of static variable
      definitions. As these variables aren't used in all places where they are
      used, they trigger the unused-const-variable warnings. As we have
      currently disabled those warnings explicitly, they are never triggered,
      but we intend to enable them.
      
      Avoid the issue by only keeping variable definitions that are actually
      used in all locations. Move the others to where they are used.
      Patrick Steinhardt committed
    • khash: remove intricate knowledge of khash types · 852bc9f4
      Instead of using the `khiter_t`, `git_strmap_iter` and `khint_t` types,
      simply use `size_t` instead. This decouples code from the khash stuff
      and makes it possible to move the khash includes into the implementation
      files.
      Patrick Steinhardt committed
    • tests: path: only compile test_canonicalize on Win32 platforms · bbf9f5a7
      The function `test_canonicalize` is only used on Win32 platforms. It will thus
      result in an unused function warning if these warnings are enabled and one is on
      a platform different than Win32.
      
      Fix the issue by only compiling in the function on Win32 platforms.
      Patrick Steinhardt committed
    • tests: move apply_helpers functions into own compilation unit · 14a9a4f3
      Currently, the "apply_helper" functions used for testing the apply logic are all
      statically defined in the "apply_helpers.h" header file. This may lead to
      warnings from the compiler in case where this header file is included, but not
      all functions it brings along are used in the compilation unit where it has been
      included into.
      
      Fix these potential warnings by moving the implementation into its own
      compilation unit "apply_helpers.c".
      Patrick Steinhardt committed
    • revwalk: Allow changing hide_cb · 0836f069
      Since git_revwalk objects are encouraged to be reused, a public
      interface for changing hide_cb is desirable.
      Eivind Fonn committed
    • config: fix adding files if their parent directory is a file · 43cbe6b7
      When we try to add a configuration file with `git_config_add_file_ondisk`, we
      treat nonexisting files as empty. We do this by performing a stat call, ignoring
      ENOENT errors. This works just fine in case the file or any of its parents
      simply does not exist, but there is also the case where any of the parent
      directories is not a directory, but a file. So e.g. trying to add a
      configuration file "/dev/null/.gitconfig" will fail, as `errno` will be ENOTDIR
      instead of ENOENT.
      
      Catch ENOTDIR in addition to ENOENT to fix the issue. Add a test that verifies
      we are able to add configuration files with such an invalid path file just fine.
      Patrick Steinhardt committed
  9. 18 Nov, 2018 1 commit
  10. 14 Nov, 2018 2 commits
    • index: introduce git_index_iterator · c358bbc5
      Provide a public git_index_iterator API that is backed by an index
      snapshot.  This allows consumers to provide a stable iteration even
      while manipulating the index during iteration.
      Edward Thomson committed
    • strntol: fix out-of-bounds reads when parsing numbers with leading sign · 4209a512
      When parsing a number, we accept a leading plus or minus sign to return
      a positive or negative number. When the parsed string has such a leading
      sign, we set up a flag indicating that the number is negative and
      advance the pointer to the next character in that string. This misses
      updating the number of bytes in the string, though, which is why the
      parser may later on do an out-of-bounds read.
      
      Fix the issue by correctly updating both the pointer and the number of
      remaining bytes. Furthermore, we need to check whether we actually have
      any bytes left after having advanced the pointer, as otherwise the
      auto-detection of the base may do an out-of-bonuds access. Add a test
      that detects the out-of-bound read.
      
      Note that this is not actually security critical. While there are a lot
      of places where the function is called, all of these places are guarded
      or irrelevant:
      
      - commit list: this operates on objects from the ODB, which are always
        NUL terminated any may thus not trigger the off-by-one OOB read.
      
      - config: the configuration is NUL terminated.
      
      - curl stream: user input is being parsed that is always NUL terminated
      
      - index: the index is read via `git_futils_readbuffer`, which always NUL
        terminates it.
      
      - loose objects: used to parse the length from the object's header. As
        we check previously that the buffer contains a NUL byte, this is safe.
      
      - rebase: this parses numbers from the rebase instruction sheet. As the
        rebase code uses `git_futils_readbuffer`, the buffer is always NUL
        terminated.
      
      - revparse: this parses a user provided buffer that is NUL terminated.
      
      - signature: this parser the header information of objects. As objects
        read from the ODB are always NUL terminated, this is a non-issue. The
        constructor `git_signature_from_buffer` does not accept a length
        parameter for the buffer, so the buffer needs to be NUL terminated, as
        well.
      
      - smart transport: the buffer that is parsed is NUL terminated
      
      - tree cache: this parses the tree cache from the index extension. The
        index itself is read via `git_futils_readbuffer`, which always NUL
        terminates it.
      
      - winhttp transport: user input is being parsed that is always NUL
        terminated
      Patrick Steinhardt committed
  11. 13 Nov, 2018 3 commits
    • tests: address two null argument instances · f127ce35
      Handle two null argument cases that occur in the unit tests.
      One is in library code, the other is in test code.
      
      Detected by running unit tests with undefined behavior sanitizer:
      ```bash
       # build
      mkdir build && cd build
      cmake -DBUILD_CLAR=ON -DCMAKE_C_FLAGS="-fsanitize=address \
      -fsanitize=undefined -fstack-usage -static-libasan" ..
      cmake --build .
      
       # run with asan
      ASAN_OPTIONS="allocator_may_return_null=1" ./libgit2_clar
      ...
      ............../libgit2/src/apply.c:316:3: runtime error: null pointer \
      passed as argument 1, which is declared to never be null
      ...................../libgit2/tests/apply/fromfile.c:46:3: runtime \
      error: null pointer passed as argument 1, which is declared to never be null
      ```
      Noah Pendleton committed
    • tests: apply: fix reference to deprecated `git_buf_free` · afc64bcd
      Since commit 56ffdfc6 (buffer: deprecate `git_buf_free` in favor of
      `git_buf_dispose`, 2018-02-08), the function `git_buf_free` is
      deprecated and shall not be used anymore. As part of the new apply
      framework that has been cooking for quite some time some new references
      have been introduced to that deprecated function. Replace them with
      calls to `git_buf_dispose`.
      Patrick Steinhardt committed
    • tests: apply: fix missing `cl_git_pass` wrappers · fe215153
      Some function calls in the new "apply" test suite were missing the
      checks whether they succeeded as expected. Fix this by adding the
      missing `cl_git_pass` wrappers.
      Patrick Steinhardt committed
  12. 09 Nov, 2018 1 commit
    • signature: fix out-of-bounds read when parsing timezone offset · 52f859fd
      When parsing a signature's timezone offset, we first check whether there
      is a timezone at all by verifying that there are still bytes left to
      read following the time itself. The check thus looks like `time_end + 1
      < buffer_end`, which is actually correct in this case. After setting the
      timezone's start pointer to that location, we compute the remaining
      bytes by using the formula `buffer_end - tz_start + 1`, re-using the
      previous `time_end + 1`. But this is in fact missing the braces around
      `(tz_start + 1)`, thus leading to an overestimation of the remaining
      bytes by a length of two. In case of a non-NUL terminated buffer, this
      will result in an overflow.
      
      The function `git_signature__parse` is only used in two locations. First
      is `git_signature_from_buffer`, which only accepts a string without a
      length. The string thus necessarily has to be NUL terminated and cannot
      trigger the issue.
      
      The other function is `git_commit__parse_raw`, which can in fact trigger
      the error as it may receive non-NUL terminated commit data. But as
      objects read from the ODB are always NUL-terminated by us as a
      cautionary measure, it cannot trigger the issue either.
      
      In other words, this error does not have any impact on security.
      Patrick Steinhardt committed
  13. 05 Nov, 2018 4 commits
    • apply: test re-adding a file after removing it · f8b9493b
      Ensure that we can add a file back after it's been removed.  Update the
      renamed/deleted validation in application to not apply to deltas that
      are adding files to support this.
      Edward Thomson committed
    • apply: test modifying a file after renaming it · 78580ad3
      Ensure that we cannot modify a file after it's been renamed out of the
      way.  If multiple deltas exist for a single path, ensure that we do not
      attempt to modify a file after it's been renamed out of the way.
      
      To support this, we must track the paths that have been removed or
      renamed; add to a string map when we remove a path and remove from the
      string map if we recreate a path.  Validate that we are not applying to
      a path that is in this map, unless the delta is a rename, since git
      supports renaming one file to two different places in two different
      deltas.
      
      Further, test that we cannot apply a modification delta to a path that
      will be created in the future by a rename (a path that does not yet
      exist.)
      Edward Thomson committed
    • apply: test renaming a file after modifying it · 605066ee
      Multiple deltas can exist in a diff, and can be applied in-order.
      If there exists a delta that modifies a file followed by a delta that
      renames that file, then both will be captured.  The modification delta
      will be applied and the resulting file will be staged with the original
      filename.  The rename delta will be independently applied - to the
      original file (not the modified file from the original delta) and staged
      independently.
      Edward Thomson committed