@@ -644,9 +644,11 @@ class Git(FetchMethod):
for ref in extra_refs:
ref_fetch = ref.replace('refs/heads/', '').replace('refs/remotes/origin/', '').replace('refs/tags/', '')
- runfetchcmd("%s fetch origin --depth 1 %s" % (ud.basecmd, ref_fetch), d, workdir=dest)
+ runfetchcmd("%s fetch origin --depth 1 -- %s" %
+ (ud.basecmd, shlex.quote(ref_fetch)), d, workdir=dest)
revision = runfetchcmd("%s rev-parse FETCH_HEAD" % ud.basecmd, d, workdir=dest)
- runfetchcmd("%s update-ref %s %s" % (ud.basecmd, ref, revision), d, workdir=dest)
+ runfetchcmd("%s update-ref %s %s" %
+ (ud.basecmd, shlex.quote(ref), revision), d, workdir=dest)
# The url is local ud.clonedir, set it to upstream one
runfetchcmd("%s remote set-url origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=dest)
@@ -2065,6 +2065,36 @@ class GitShallowTest(FetcherTest):
self.assertRefs(['master', 'origin/master', 'v1.0'])
self.assertRevCount(1)
+ def test_shallow_extra_refs_wildcard_shell_quoted(self):
+ self.add_empty_file('a')
+ marker = os.path.join(self.tempdir, 'ref-command-marker')
+ ref = 'refs/tags/poc;touch${IFS}%s' % marker
+ self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+ self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+ self.fetch_shallow()
+
+ self.assertFalse(os.path.exists(marker))
+ self.assertRefs(['master', 'origin/master', ref])
+
+ def test_shallow_extra_refs_wildcard_fetch_options(self):
+ self.add_empty_file('a')
+ marker = os.path.join(self.tempdir, 'ref-option-marker')
+ helper = os.path.join(self.tempdir, 'upload-pack-helper')
+ with open(helper, 'w') as f:
+ f.write('#!/bin/sh\n')
+ f.write('touch "%s"\n' % marker)
+ f.write('exec git-upload-pack "$@"\n')
+ os.chmod(helper, 0o755)
+ ref = 'refs/tags/--upload-pack=%s' % helper
+ self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+ self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+ self.fetch_shallow()
+
+ self.assertFalse(os.path.exists(marker))
+ self.assertRefs(['master', 'origin/master', ref])
+
def test_shallow_missing_extra_refs(self):
self.add_empty_file('a')
self.add_empty_file('b')
BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs advertised by the remote are later passed to git fetch and update-ref while creating shallow tarballs. Quote the generated command arguments and pass the fetched ref after -- so shell metacharacters and option-like ref names are not interpreted as command syntax or git fetch options. Signed-off-by: Anders Heimer <anders.heimer@est.tech> --- lib/bb/fetch2/git.py | 6 ++++-- lib/bb/tests/fetch.py | 30 ++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-)