Disable local git hooks by default. #1237
Conversation
And added a configuration to enable them again if needed.
github-actions
bot
added
documentation
| However, client-side hooks might be installed in a repository by build steps or by misconfiguration. | ||
| + | ||
| If hook scripts are allowed, a client-side hook script installed in a repository will execute when the matching git operation is performed. | ||
| For example, if hooks are allowed and a git repository includes a `post-checkout` hook, the hook script will run after any checkout in that repository. |
There was a problem hiding this comment.
depending on:
git-clientbecause it won't always when using thejgitprovider on windows, hooks are run on a posix file system, or if you are on a windows filesystem and cygwin or some othersh.exeis detected.
Co-authored-by: James Nord <[email protected]>
|
@jtnord if you have a few minutes, could you help me figure out why the hook isn't working on the windows agents? There is something wrong with a path that I've managed to fix in an earlier version of the test, but it's broken again 😢 |
|
So @yaroslavafenkin did some tests this weekend and apparently the tests passes when run with |
That is enough justification for us to follow the recommendation from @jtnord and disable the |
James Nord recommends that parallel testing be the choice of the user and that it be run through an argument to the mvn command rather than configuring it in the pom file. Since there is a report that the tests fail when forked on Windows, let's follow the recommendation from James and require the user to choose to run parallel tests by command line argument. I don't see the test failure consistently on my Windows computers, but have seen it at least once on them.
|
Interesting... |
|
Now the build is just failing because of timeout. |
But in a way that makes it easier to change from the commandline
|
So the linux-17 test failure is a bit weird. The test times out while waiting for the first build to finish. But the thread dump isn't showing any running executors. The thread dump is taken a few moments later though. But if the build was really stuck it would be really stuck I guess? |
Since the Java 17 test configuration is a very recent addition from #1249 , it may be a case of undetected unreliability. I've started another run of the master branch to provide another data point. I've not seen Java 17 be unstable in multiple test runs in my home environment, but there are still many fewer test jobs that have run with Java 17 than with Java 8 and Java 11. |
|
Green build! Woohooo! 🚢 |
|
@MarkEWaite any thoughts on when this could be merged? I don't know what is more in the pipe, so I'm not sure to merge and release it myself :) |
Thanks for asking. I need to deliver a new git client plugin release with JGit 5.13.1 and can use that as an opportunity to deliver a new git plugin release as well. Let me check with others to assure |
|
@MarkEWaite Slightly strange thing; this PR isn't showing up in the draft release notes for the next release 🤔 |
Thanks for noting it. The release drafter application has been confused by the series of releases that have been generated from branches. I'll assemble the changelog interactively and assure that this is included in the final changelog. |
|
Hi, This change breaks some tools (e.g. https://github.com/elasticdog/transcrypt ) breaks because it has the following contained in it: Later on in the script it contains: As this change sets hooksPath to /dev/null explicitly when disabled this results in the following error: Is it possible to have an option to change this value in the security configuration to something other than |
There is already a security configuration setting that will allow the administrator to allow hooks to be executed on checkout. If you need something like transcrypt, allow repository hooks to be executed by enabling them on agents. See the documentation for more details. If that doesn't address your question, could you explain further what you are requesting? |
|
Yeah I've read it there. The problem is I can now only choose between disabling all hooks or enabling all of them. If I could specify a custom directory in the settings I could keep only approved hooks in that directory, which would give a bit more leeway. |
Sorry, but I'm not willing to add that level of configuration to the plugin. |
|
I understand. |
|
Are we aware doing this also brake |
See JENKINS-69760 for the details related to |
|
FYI: The solution in JENKINS-69760 and its assumption excluding these case:
|
Yes, agents that do not pre-configure Yes, there are times when we make changes that break existing users in order to better protect those users from newly discovered threats. Disabling hook scripts is a safeguard against malicious hooks. Administrators that don't want the safeguard can allow hook scripts. The default of disallowing hook scripts is the safest for the user community as a whole.
Projects that need fine grain control of the behavior of |
|
Thank Mark for explain, in fact I had attempt doing all of that. However, your plug-in have nice logic that notify the correct BB server.... if I don't use it, I muse make my own that would be in sane. |
It seems to me that you're refusing to take the easy choices and seem to be focused on choosing the difficult paths unnecessarily. Easy paths:
Instead, you said
Reverting a change to a plugin is a lot of work. While it is open source and you're welcome to do that, I see no reason why you would do that. Use the settings that already exist in the plugin global configuration to allow git hooks to be executed. |
|
May be what I try to said is all most issues that I have boil down to this cool plug-in :-). And the solution for my use case is allow environment configurations to overwrite the default behaviors just like the way git been doing with gitconfig files (and backward compatible git config commands), and the environment variables. Giving that I'm not Jenkins Admin, and I like my CI/CD jobs run on multiple environment (Jenkins, local developer machine, VM machine etc....) The simple way to solve environment difference or said infrastructure differences are via a Properties File that define a set of environment variables that guide CI/CD script run correctly. And git had been perfect for me. However, I recently discovered that may solution are stop working when using this cool plug-in.
So just via environment I could make all my 1 years old commits now still work within any modification into the repository by temporary tell them use a temporary configurations. Same way I could have fine grain control how git work because the fact that git do not scale well in some areas (reference https://stackoverflow.com/questions/984707/what-are-the-file-limits-in-git-number-and-size). I hope this explain it... and please forgive my language as I'm a terrible communication. |
|
Aside the above. |
|
@nhatkhai Thanks for the comments, ticket and infos. That was our problem too updating our Jenkins. I think this #1237 should be in the release notes as a breaking changes.
|
|
One note that Gerrit SCM requires a change-id that is typically generated via commit-hook - operations that are running on the agent and manually configuring this hook post-checkout are broken without configuring this to allow agents to use githooks. |
I believe that means that users of Gerrit SCM will need to follow the instructions from the documentation and from the pull request description. The pull request description says:
|
We figured that out as soon as we found this merge request. If someone using Gerrit suddenly finds their operations broken as part of updates, they'll have to figure out which plugin is causing this issue - adding some commentary here will hopefully save them time when trying to figure it out. |
Disable local git hooks by default.
The security fixes released on 2022-02-15 fixed all known ways of utilizing git hooks to do nefarious things on a Jenkins Controller. But there might be other ways in that we don't yet know of.
So this is a security hardening/feature that turns off the execution of local git hooks whenever the plugin initializes a new repository both on the controller and on agents.
Hooks can be enabled again by a configuration on the security page.
Checklist
Types of changes
What types of changes does your code introduce?
Further comments