Pre-receive hook does not behave as expected in the event of a push force

[pierrelalanne]

Environment

• ggshield version: >= 1.13.6 (to have the latest pre-receive scan implementation version)
• Operating system (Linux, macOS, Windows): Any
• Operating system version: Any
• Python version: Any

Describe the bug

When a user reworks a local branch (typically after rebasing the target branch) and makes a push force, the pre-receive hook will list all commits on the remote branch + all commits on the local branch being pushed force. This is not the expected behavior as the commits on the remote branch are already known to the remote, and hence should have already been handled by the pre-receive hook.

Steps to reproduce:

1. Chose a git repository
2. Make two separate clones : one will be called L (local) for convenience, and the other one R (remote).
3. Mark R as being a remote in L : git remote add my_remote PATH_TO_R/.git
4. Add a ggshield pre-receive hook in R : Create a PATH_TO_R/.git/hooks/pre-receive file containing :

#!/bin/sh
set -e
ggshield --verbose --debug secret scan pre-receive

5. Create a branch pre-receive-test in L, add a commit (it has a sha : sha-first-commit), and push to R. GGShield should run and scan only the commit you added.
6. Now, go in R, and add a new commit on the main branch, we'll call its sha sha-commit-main-branch. Go in L, pull changed from main, and rebase pre-receive-test on main. You now have one commit on the pre-receive-test branch, the same as before, but its sha changed because of the rebase. Let's call it sha-first-commit-after-rebase.
7. In L, push force the changes to R : git push -f my_remote
8. GGshield pre-receive hook will do the following (in the logs) : git rev-list --reverse sha-first-commit...sha-first-commit-after-rebase --max-count 51
9. This results in scanning three commits (sha-first-commit, sha-commit-main-branch, sha-first-commit-after-rebase) instead of scanning only one : sha-first-commit-after-rebase.

Actual result:

Commits from both the remote branch and the local branch being pushed force are scanned

Expected result:

Only the commits from the branch being pushed are scanned.

[pierrelalanne]

Comments

This looks a lot like the issue we had a few weeks ago on pre-receive hook scanning all commits when pushing a new branch.
I believe we could apply the same solution : looking up the tip of the branch being pushed.

Also one consideration while having a look at the documentation :
Back when we fixed this pre-receive issue, did we consider leveraging the ^ notation in git rev-list command ? For instance : git rev-list ^sha-commit-a...sha-commit-b will list all commits reachable from sha-commit-b but will exclude all commit reachable from sha-commit-a.