ggshield version: >= 1.13.6 (to have the latest pre-receive scan implementation version)
Operating system (Linux, macOS, Windows): Any
Operating system version: Any
Python version: Any
Describe the bug
When a user reworks a local branch (typically after rebasing on the target branch) and force-pushes it, the pre-receive hook will list all commits on the remote branch + all commits on the local branch being force-pushed. This is not the expected behavior, as the commits on the remote branch are already known to the remote, and hence should have already been handled by the pre-receive hook.
Steps to reproduce:
1. Choose a git repository.
2. Make two separate clones: one will be called L (local) for convenience, and the other one R (remote).
3. Mark R as being a remote in L: git remote add my_remote PATH_TO_R/.git
4. Add a ggshield pre-receive hook in R: create a PATH_TO_R/.git/hooks/pre-receive file containing:

    #!/bin/sh
    set -e
    ggshield --verbose --debug secret scan pre-receive

5. Create a branch pre-receive-test in L, add a commit (it has a sha: sha-first-commit), and push to R. GGShield should run and scan only the commit you added.
6. Now, go in R, and add a new commit on the main branch; we'll call its sha sha-commit-main-branch. Go in L, pull changes from main, and rebase pre-receive-test on main. You now have one commit on the pre-receive-test branch, the same as before, but its sha changed because of the rebase. Let's call it sha-first-commit-after-rebase.
7. In L, force-push the changes to R: git push -f my_remote
8. GGShield pre-receive hook will do the following (in the logs): git rev-list --reverse sha-first-commit...sha-first-commit-after-rebase --max-count 51

This results in scanning three commits (sha-first-commit, sha-commit-main-branch, sha-first-commit-after-rebase) instead of scanning only one: sha-first-commit-after-rebase.
Actual result:
Commits from both the remote branch and the local branch being force-pushed are scanned.
Expected result:
Only the commits from the branch being pushed are scanned.
This looks a lot like the issue we had a few weeks ago on pre-receive hook scanning all commits when pushing a new branch.
I believe we could apply the same solution : looking up the tip of the branch being pushed.
Also one consideration while having a look at the documentation :
Back when we fixed this pre-receive issue, did we consider leveraging the ^ notation in the git rev-list command? For instance: git rev-list ^sha-commit-a...sha-commit-b will list all commits reachable from sha-commit-b but will exclude all commits reachable from sha-commit-a.
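The commit ranges discussed in this issue can be compared in a throwaway repository. This is an added example, not part of the original issue or ggshield's code: the helper names (`g`, `build_history`, `count`), the `demo` identity and the `--not --all` form are assumptions chosen for illustration, not ggshield's actual fix.

```shell
#!/bin/sh
# Constructed demo: rebuild the issue's history in a temporary repository and
# count how many commits each candidate range would hand to the scanner.
set -e

# Run git inside the demo repo with a fixed, constructed identity.
g() {
    git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

build_history() {
    REPO=$(mktemp -d)
    git init -q "$REPO"
    g symbolic-ref HEAD refs/heads/main
    g commit -q --allow-empty -m "base"
    g checkout -q -b pre-receive-test
    g commit -q --allow-empty -m "first commit"
    OLD=$(g rev-parse HEAD)                        # sha-first-commit
    g checkout -q main
    g commit -q --allow-empty -m "commit on main"  # sha-commit-main-branch
    # Stand-in for the rebased commit: same tree and message, parent is now
    # main's tip. No ref points at it, like an object still being received.
    NEW=$(g commit-tree "main^{tree}" -p main -m "first commit")
}

# Number of commits selected by the given rev-list arguments.
count() { g rev-list --count "$@"; }

build_history
trap 'rm -rf "$REPO"' EXIT

# Symmetric difference, as in the hook's log line: both sides of the rewrite.
echo "old...new       : $(count "$OLD...$NEW")"
# Excluding only the old tip still includes the commit already on main.
echo "^old new        : $(count "^$OLD" "$NEW")"
# Excluding everything reachable from existing refs leaves only the new commit.
echo "new --not --all : $(count "$NEW" --not --all)"
```

In a pre-receive hook the refs have not been updated yet, which is why `--all` here stands for what the remote already has.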