forgejo/services
wxiaoguang 6bc3079c00
Refactor git command package to improve security and maintainability (#22678)
This PR follows #21535 (and replace #22592)

## Review without space diff

https://github.com/go-gitea/gitea/pull/22678/files?diff=split&w=1

## Purpose of this PR

1. Make git module command completely safe (risky user inputs won't be
passed as argument option anymore)
2. Avoid low-level mistakes like
https://github.com/go-gitea/gitea/pull/22098#discussion_r1045234918
3. Remove deprecated and dirty `CmdArgCheck` function, hide the `CmdArg`
type
4. Simplify code when using git command

## The main idea of this PR

* Move the `git.CmdArg` to the `internal` package, then no other package
except `git` could use it. Then developers could never do
`AddArguments(git.CmdArg(userInput))` any more.
* Introduce `git.ToTrustedCmdArgs`, it's for user-provided and already
trusted arguments. It's only used in a few cases, for example: use git
arguments from config file, help unit test with some arguments.
* Introduce `AddOptionValues` and `AddOptionFormat`, they make code more
clear and simple:
    * Before: `AddArguments("-m").AddDynamicArguments(message)`
    * After: `AddOptionValues("-m", message)`
    * -
* Before: `AddArguments(git.CmdArg(fmt.Sprintf("--author='%s <%s>'",
sig.Name, sig.Email)))`
* After: `AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)`

## FAQ

### Why these changes were not done in #21535 ?

#21535 is mainly a search&replace, it did its best to not change too
much logic.

Making the framework better needs a lot of changes, so this separate PR
is needed as the second step.


### The naming of `AddOptionXxx`

According to git's manual, the `--xxx` part is called `option`.

### How can it guarantee that `internal.CmdArg` won't be not misused?

Go's specification guarantees that. Trying to access other package's
internal package causes compilation error.

And, `golangci-lint` also denies the git/internal package. Only the
`git/command.go` can use it carefully.

### There is still a `ToTrustedCmdArgs`, will it still allow developers
to make mistakes and pass untrusted arguments?

Generally speaking, no. Because when using `ToTrustedCmdArgs`, the code
will be very complex (see the changes for examples). Then developers and
reviewers can know that something might be unreasonable.

### Why there was a `CmdArgCheck` and why it's removed?

At the moment of #21535, to reduce unnecessary changes, `CmdArgCheck`
was introduced as a hacky patch. Now, almost all code could be written
as `cmd := NewCommand(); cmd.AddXxx(...)`, then there is no need for
`CmdArgCheck` anymore.


### Why many codes for `signArg == ""` is deleted?

Because in the old code, `signArg` could never be empty string, it's
either `-S[key-id]` or `--no-gpg-sign`. So the `signArg == ""` is just
dead code.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-04 10:30:43 +08:00
..
actions Add more events details supports for actions (#22680) 2023-02-01 13:32:46 +08:00
agit Rename almost all Ctx functions (#22071) 2022-12-10 10:46:31 +08:00
asymkey Supports wildcard protected branch (#20825) 2023-01-16 16:00:22 +08:00
attachment Add API management for issue/pull and comment attachments (#21783) 2022-12-09 14:35:56 +08:00
auth Fix group filter for ldap source sync (#22506) 2023-02-02 15:45:00 +08:00
automerge Improve trace logging for pulls and processes (#22633) 2023-02-03 18:11:48 -05:00
context Support org/user level projects (#22235) 2023-01-20 19:42:33 +08:00
convert Fix pull request API field closed_at always being null (#22482) 2023-01-17 11:42:32 +00:00
cron Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
externalaccount Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
forms Add Conda package registry (#22262) 2023-02-01 12:30:39 -06:00
gitdiff Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
issue Webhooks: for issue close/reopen action, add commit ID that caused it (#22583) 2023-01-24 23:47:53 -05:00
lfs Use context parameter in models/git (#22367) 2023-01-09 11:50:54 +08:00
mailer fix permission check for creating comment while mail (#22524) 2023-01-28 17:28:55 +08:00
markup Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
migrations Prevent duplicate labels when importing more than 99 (#22591) 2023-01-24 19:44:55 +00:00
mirror Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
org Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
packages Add Conda package registry (#22262) 2023-02-01 12:30:39 -06:00
pull Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
release Add API management for issue/pull and comment attachments (#21783) 2022-12-09 14:35:56 +08:00
repository Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
task Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
user Unify hashing for avatar (#22289) 2023-01-02 22:46:39 +01:00
webhook Webhooks: for issue close/reopen action, add commit ID that caused it (#22583) 2023-01-24 23:47:53 -05:00
wiki Improve utils of slices (#22379) 2023-01-11 13:31:16 +08:00