
[scarthgap,2.8,3/4] fetch2/git: quote shallow extra ref arguments

Message ID 6d3f8bd4ddc955b49eaa124e0724ea589da30646.1780697470.git.yoann.congal@smile.fr
State New
Series [scarthgap,2.8,1/4] fetch2: validate deb/ipk data member names | expand

Commit Message

Yoann Congal June 5, 2026, 10:12 p.m. UTC
From: Anders Heimer <anders.heimer@est.tech>

BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs
advertised by the remote are later passed to git fetch and update-ref
while creating shallow tarballs.

Quote the generated command arguments and pass the fetched ref after --
so shell metacharacters and option-like ref names are not interpreted as
command syntax or git fetch options.

Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9a06f79d9ec767c9d95470be78b006d6fd0d59c)
[YC: Only the quote part of the master patch applies.
The "--" part does not: that case is handled by bin/git-make-shallow,
which only passes arguments to git rev-list and rev-parse through arrays]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 lib/bb/fetch2/git.py  |  2 +-
 lib/bb/tests/fetch.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

Patch

diff --git a/lib/bb/fetch2/git.py b/lib/bb/fetch2/git.py
index a3b1a2ada..d8e31284e 100644
--- a/lib/bb/fetch2/git.py
+++ b/lib/bb/fetch2/git.py
@@ -602,7 +602,7 @@  class Git(FetchMethod):
         shallow_cmd = [self.make_shallow_path, '-s']
         for b in shallow_branches:
             shallow_cmd.append('-r')
-            shallow_cmd.append(b)
+            shallow_cmd.append(shlex.quote(b))
         shallow_cmd.extend(shallow_revisions)
         runfetchcmd(subprocess.list2cmdline(shallow_cmd), d, workdir=dest)
 
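Review bot: Quoting only `b` with `shlex.quote` leaves the rest of the command line to `subprocess.list2cmdline`, which follows Microsoft C runtime quoting rules rather than POSIX shell rules, so the entries added by `shallow_cmd.extend(shallow_revisions)` and `self.make_shallow_path` still reach the shell without shell quoting. The two layers can also interact: `list2cmdline` backslash-escapes a double quote, and inside the single quotes produced by `shlex.quote` that backslash stays literal, so a ref name containing `"` would probably be passed on altered. Assuming `runfetchcmd` hands the string to a shell, as the commit message implies, it would be more uniform to keep `shallow_cmd.append(b)` and build the string in one place with `runfetchcmd(' '.join(shlex.quote(arg) for arg in shallow_cmd), d, workdir=dest)`. The enclosing method starts and ends outside the hunk, and the `import shlex` this line needs is not visible here.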
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index 37e4eb9f4..2d95ef87d 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -2206,6 +2206,36 @@  class GitShallowTest(FetcherTest):
         self.assertRefs(['master', 'origin/master', 'v1.0'])
         self.assertRevCount(1)
 
+    def test_shallow_extra_refs_wildcard_shell_quoted(self):
+        self.add_empty_file('a')
+        marker = os.path.join(self.tempdir, 'ref-command-marker')
+        ref = 'refs/tags/poc;touch${IFS}%s' % marker
+        self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+        self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+        self.fetch_shallow()
+
+        self.assertFalse(os.path.exists(marker))
+        self.assertRefs(['master', 'origin/master', ref])
+
+    def test_shallow_extra_refs_wildcard_fetch_options(self):
+        self.add_empty_file('a')
+        marker = os.path.join(self.tempdir, 'ref-option-marker')
+        helper = os.path.join(self.tempdir, 'upload-pack-helper')
+        with open(helper, 'w') as f:
+            f.write('#!/bin/sh\n')
+            f.write('touch "%s"\n' % marker)
+            f.write('exec git-upload-pack "$@"\n')
+        os.chmod(helper, 0o755)
+        ref = 'refs/tags/--upload-pack=%s' % helper
+        self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+        self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+        self.fetch_shallow()
+
+        self.assertFalse(os.path.exists(marker))
+        self.assertRefs(['master', 'origin/master', ref])
+
     def test_shallow_missing_extra_refs(self):
         self.add_empty_file('a')
         self.add_empty_file('b')
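Review bot: `test_shallow_extra_refs_wildcard_fetch_options` has no comment tying it to the code that is supposed to make it pass. Per the backport note in the commit message, the `--` handling from master was not applied here, and the option-like ref is instead expected to be neutralised by bin/git-make-shallow passing arguments as arrays. A short comment above the test, for example `# Option-like ref names must not be parsed as git options; on this branch that relies on bin/git-make-shallow passing refs as array arguments.`, would tell a maintainer where to look if it regresses. Both new tests would also read more easily with a one-line docstring saying that the marker file must not exist after `fetch_shallow()`, because its creation would mean the ref name was executed or parsed as an option.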