Update the git pre-receive hook to ensure that code hasn't changed before being pushed.
Review Request #13282 — Created Oct. 6, 2023 and updated — Latest diff uploaded
There's currently a code security concern with Review Board: code can be
approved in Review Board, but then altered and pushed to a remote repository,
without any way to block this.

This concern can be addressed using repository hooks. This change updates our
Git pre-receive script to ensure that the files and diffs on the user's
machine match the files and diffs posted on the review request. To do this,
we compare the local diff to the diff posted on the review request, and
compare the local patched file's SHA with the SHA stored on the Review
Board server. For binary files, only the diffs get compared since we don't
store patched file SHAs for them.

The script already checks for review request approval, so this ensures that
only approved code can be pushed.

This only solves the concern for Git repositories. In the future we can
apply the same idea for our Perforce script.
- Tested running the script locally and set up as a server-side hook script
  for a GitLab repository for the following cases:
  - With a review request containing multiple commits where files match,
    and where at least one file doesn't match.
  - With a review request containing one commit where files match,
    and where at least one file doesn't match.
  - When unable to generate a local diff.
  - When unable to fetch the diff from the Review Board server.
  - When unable to load the file diff's patched_sha256 and/or patched_sha1
    file.
- Tested with text-based files that end with newlines, and ones that don't end
  with newlines.
- Tested with binary files (image files).
- Tested with git blob SHAs in a diff not matching the ones posted on the
  review request, and was able to push the changes for that review request.
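As an added illustration of the consistency check described above and exercised in the testing notes (this is not code from this change or from RBTools), the following Python sketch compares a local diff and patched file against what a review request records, skipping patched-file SHAs for binary files and ignoring git blob SHAs in diff `index` lines. The `ReviewedFile` shape, the `index`-line stripping and the sample diffs are assumptions constructed here.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# "index <old>..<new>" lines carry local git blob SHAs, which differ per machine; skip them.
_INDEX_LINE = re.compile(rb"^index [0-9a-f]+\.\.[0-9a-f]+( [0-7]+)?$")

@dataclass
class ReviewedFile:
    """Constructed stand-in for what a review request records per file (assumption)."""
    path: str
    diff: bytes
    binary: bool = False
    patched_sha1: Optional[str] = None
    patched_sha256: Optional[str] = None

def normalize_diff(diff: bytes) -> bytes:
    """Drop index lines and unify line endings before comparing two diffs."""
    return b"\n".join(ln for ln in diff.splitlines() if not _INDEX_LINE.match(ln))

def check_file(reviewed: ReviewedFile, local_diff: bytes, local_patched: bytes) -> list:
    """Return reasons the pushed change differs from the approved one ([] means it matches)."""
    problems = []
    if normalize_diff(local_diff) != normalize_diff(reviewed.diff):
        problems.append(f"{reviewed.path}: diff differs from the reviewed diff")
    if reviewed.binary:  # no patched-file SHAs are stored for binary files
        return problems
    if reviewed.patched_sha1 is None and reviewed.patched_sha256 is None:
        return problems + [f"{reviewed.path}: no patched-file SHA on the review request"]
    for name, algo, expected in (("sha1", hashlib.sha1, reviewed.patched_sha1),
                                 ("sha256", hashlib.sha256, reviewed.patched_sha256)):
        if expected is not None and algo(local_patched).hexdigest() != expected:
            problems.append(f"{reviewed.path}: patched file {name} mismatch")
    return problems

# Constructed sample data: one approved text change and two local pushes of it.
APPROVED_CONTENT = b"hello\nworld\n"
REVIEWED = ReviewedFile(
    path="greeting.txt",
    diff=(b"diff --git a/greeting.txt b/greeting.txt\nindex 1111111..2222222 100644\n"
          b"--- a/greeting.txt\n+++ b/greeting.txt\n@@ -1 +1,2 @@\n hello\n+world\n"),
    patched_sha1=hashlib.sha1(APPROVED_CONTENT).hexdigest(),
    patched_sha256=hashlib.sha256(APPROVED_CONTENT).hexdigest(),
)
# Same change with different local blob SHAs in the index line: must still pass.
LOCAL_DIFF_OK = REVIEWED.diff.replace(b"1111111..2222222", b"aaaaaaa..bbbbbbb")
# Edited after approval: both the diff and the patched content now differ.
LOCAL_DIFF_TAMPERED = REVIEWED.diff.replace(b"+world\n", b"+world!\n")
TAMPERED_CONTENT = b"hello\nworld!\n"
```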
- contrib/tools/git-hook-check-approval
- rbtools/hooks/common.py
- rbtools/hooks/git.py
- rbtools/utils/encoding.py