wip the sandbox script is read from HEAD:.hooks/pre-receive.js

Author: billiegoose

demo.git/index

@@ -1,2 +1,5 @@
 0000000000000000000000000000000000000000 71c666705d861b556d73f2badddaca0cfcf5e930 William Hilton <[email protected]> 1574741587 -0500	commit (initial): Initial commit
 0000000000000000000000000000000000000000 b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 William Hilton <[email protected]> 1575084779 -0500	commit (initial): Initial commit
+b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 d76ea2f1501e44ac5c29a091e17903b6a33fc57f William Hilton <[email protected]> 1575685262 -0500	commit: add pre-receive hook
+d76ea2f1501e44ac5c29a091e17903b6a33fc57f ee27a42768a70831127fca08ccc9df7b13f0f81e William Hilton <[email protected]> 1575686304 -0500	commit (amend): add pre-receive hook
+ee27a42768a70831127fca08ccc9df7b13f0f81e 59eabecab1988d343a2cc8c054a56d5e6cb3bd89 William Hilton <[email protected]> 1575686347 -0500	commit (amend): add pre-receive hook

demo.git/logs/HEAD

@@ -1,2 +1,5 @@
 0000000000000000000000000000000000000000 71c666705d861b556d73f2badddaca0cfcf5e930 William Hilton <[email protected]> 1574741587 -0500	commit (initial): Initial commit
 0000000000000000000000000000000000000000 b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 William Hilton <[email protected]> 1575084779 -0500	commit (initial): Initial commit
+b1f9a9a2689e95d8aaf9d2ed5513fe78f4c53901 d76ea2f1501e44ac5c29a091e17903b6a33fc57f William Hilton <[email protected]> 1575685262 -0500	commit: add pre-receive hook
+d76ea2f1501e44ac5c29a091e17903b6a33fc57f ee27a42768a70831127fca08ccc9df7b13f0f81e William Hilton <[email protected]> 1575686304 -0500	commit (amend): add pre-receive hook
+ee27a42768a70831127fca08ccc9df7b13f0f81e 59eabecab1988d343a2cc8c054a56d5e6cb3bd89 William Hilton <[email protected]> 1575686347 -0500	commit (amend): add pre-receive hook

demo.git/logs/refs/heads/master

@@ -0,0 +1,2 @@
+# pack-refs with: peeled fully-peeled sorted 
+59eabecab1988d343a2cc8c054a56d5e6cb3bd89 refs/heads/master

demo.git/objects/4b/825dc642cb6eb9a060e54bf8d69288fbee4904

@@ -0,0 +1,72 @@
+(async () => {
+  function abbr (oid) {
+    return oid.slice(0, 7)
+  }
+
+  // Verify objects (ideally we'd do this _before_ moving it into the repo... but I think we'd need a custom 'fs' implementation with overlays)
+  console.log('\nVerifying objects...\n')
+  let i = 0
+
+  for (const oid of oids) {
+    i++
+    console.log(`\rVerifying object ${i}/${oids.length}`)
+    const { type, object } = await git.readObject({ oid })
+    if (type === 'commit' || type === 'tag') {
+      const email = type === 'commit' ? object.author.email : object.tagger.email
+      console.log(`\nVerifying ${type} ${abbr(oid)} by ${email}: `)
+      let keys
+      try {
+        keys = await pgp.lookup(email) 
+      } catch (e) {
+        console.log(`no keys found 👎\n`)
+        console.error(`\nSignature verification failed for ${type} ${abbr(oid)}. Key lookup for ${email} threw an error.\n`)
+        return
+      }
+      if (keys.length === 0) {
+        console.log(`no keys found 👎\n`)
+        console.error(`\nSignature verification failed for ${type} ${abbr(oid)}. No PGP keys could be found for ${email}.\n`)
+        return
+      }
+      let ok = false
+      for (const key of keys) {
+        let result
+        try {
+          result = await git.verify({ ref: oid, publicKeys: key })
+        } catch (e) {
+          if (e.code && e.code === git.E.NoSignatureError) {
+            console.log(`no signature 👎\n`)
+            console.error(e.message + `
+  
+  This server's policy is to only accept GPG-signed commits.
+  Learn how you can create a GPG key and configure git to sign commits here:
+  https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
+  `)
+            return
+          } else {
+            console.error(e.message + '\n' + e.stack)
+            return
+          }
+        }
+        if (result === false) {
+          pgp.demote(email, key)
+        } else {
+          console.log(`signed with ${result[0]} 👍\n`)
+          ok = true
+          break
+        }
+      }
+      if (!ok) {
+        console.log(`no keys matched 👎\n`)
+        console.error(`\nSignature verification failed for ${type} ${abbr(oid)}. It was not signed with a key publicly associated with the email address "${email}".
+
+Learn how you can associate your GPG key with your email account using GitHub here:
+https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
+`)
+        return
+      }
+    }
+  }
+
+  console.log(`\nVerification complete`)
+  done()
+})()

demo.git/objects/b1/f9a9a2689e95d8aaf9d2ed5513fe78f4c53901

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-// Standalone server for use without karma!
 var http = require('http')
 var factory = require('./middleware')
 var cors = require('./cors')
@@ -8,3 +7,5 @@ var config = {}
 
 var server = http.createServer(cors(factory(config)))
 server.listen(process.env.GIT_HTTP_MOCK_SERVER_PORT || 8174)
+
+console.log(require('./logo.js'))

demo.git/packed-refs

@@ -1,27 +1,3 @@
 var figlet = require('figlet');
 
 module.exports = figlet.textSync('GitServer', { font: 'Cyberlarge' })
-
-if (!module.parent) {
-  console.log(module.exports)
-}
-
-console.log(`
-                          @@@@@@@@@@@@@@@@@@          
-                              @@@    @@@               
-                                @@  @@      @@         
-                                @@  @@      @@         
-                   @@@@@@@@@@   @@  @@   @@@@@@@@@     
-                  @@    @@@     @@  @@      @@        
-                 @@      @@     @@  @@      @@         
-                  @@    @@@     @@  @@      @@         
-                  @@@@@@@@      @@  @@      @@         
-                 @@             @@  @@      @@        
-                  @@@@@@@@@     @@  @@      @@        
-                 @@       @@@   @@  @@      @@        
-                @@@       @@    @@  @@      @@@       
-                  @@@@@@@@@     @@  @@        @@@@     
-                              @@@    @@@                
-                          @@@@@@@@@@@@@@@@@@          
-                                                       
-                                                       `)

demo.git/refs/heads/master

@@ -3,7 +3,7 @@ const fp = require('fs').promises
 const path = require('path')
 const url = require('url')
 const EventEmitter = require('events').EventEmitter
-const { E, indexPack, plugins, readObject, verify, serveInfoRefs, serveReceivePack, parseReceivePackRequest } = require('isomorphic-git')
+const { E, indexPack, plugins, readObject, resolveRef, serveInfoRefs, serveReceivePack, parseReceivePackRequest } = require('isomorphic-git')
 const { pgp } = require('@isomorphic-git/pgp-plugin')
 
 let ee = new EventEmitter()
@@ -29,9 +29,15 @@ const sleep = ms => new Promise(cb => setTimeout(cb, ms))
 
 const tick = () => new Promise(cb => process.nextTick(cb))
 
-function log(req, res) {
+function logIncoming(req, res) {
   const color = res.statusCode > 399 ? chalk.red : chalk.green
-  console.log(color(`[git-server] ${res.statusCode} ${pad(req.method)} ${req.url}`))
+  console.log(`    ${pad(req.method)} ${req.url}`)
+  return false
+}
+
+function logOutgoing(req, res) {
+  const color = res.statusCode > 399 ? chalk.red : chalk.green
+  console.log(color(`${res.statusCode} ${pad(req.method)} ${req.url}`))
   return false
 }
 
@@ -40,6 +46,8 @@ function factory (config) {
     const u = url.parse(req.url, true)
     if (!next) next = () => void(0)
 
+    logIncoming(req, res)
+
     if (is.preflightInfoRefs(req, u)) {
       res.statusCode = 204
       res.end('')
@@ -89,7 +97,6 @@ function factory (config) {
           await fp.rename(path.join(dir, oldfilepath), path.join(dir, filepath))
         }
         const core = gitdir + '-' + String(Math.random()).slice(2, 8)
-        console.log('core', core)
         gitdir = path.join(__dirname, gitdir)
 
         // send HTTP response headers
@@ -98,7 +105,6 @@ function factory (config) {
 
         // index packfile
         res.write(await serveReceivePack({ type: 'print', message: 'Indexing packfile...' }))
-        console.log('Indexing packfile...')
         await tick()
         let currentPhase = null
         const listener = async ({ phase, loaded, total, lengthComputable }) => {
@@ -132,10 +138,18 @@ function factory (config) {
         await fp.rmdir(path.join(dir))
 
         // Run pre-receive-hook
-        res.write(await serveReceivePack({ type: 'print', message: '\nRunning pre-receive-hook\n' }))
+        res.write(await serveReceivePack({ type: 'print', message: '\nRunning pre-receive hook\n' }))
         await tick()
-        const script = fs.readFileSync('./pre-receive-hook.js', 'utf8')
-        await sandbox({ core, dir, gitdir, res, oids, script })
+        let script
+        try {
+          const oid = await resolveRef({ gitdir, ref: 'HEAD' })
+          const { object } = await readObject({ gitdir, oid, filepath: '.hooks/pre-receive.js', encoding: 'utf8' })
+          script = object
+        } catch (e) {
+          console.log(e)
+          script = fs.readFileSync('./pre-receive-hook.js', 'utf8')
+        }
+        await sandbox({ name: 'pre-receive.js', core, dir, gitdir, res, oids, updates, script })
 
         // refs
         for (const update of updates) {
@@ -148,15 +162,16 @@ function factory (config) {
         if (e.message === 'Client is done') {
           res.statusCode = 200
         } else {
-          res.write(await serveReceivePack({ type: 'error', message: e.message }))
+          res.write(await serveReceivePack({ type: 'error', message: `${e.message}\n${e.stack}` }))
         }
       } finally {
         // fin
         res.write(await serveReceivePack({ type: 'fin' }))
         res.end('')
       }
     }
-    log(req, res)
+
+    logOutgoing(req, res)
   }
 }
 

demo/.hooks/pre-receive.js

@@ -9,7 +9,7 @@ const { lookup, demote } = require('./lookup.js')
 
 const curry = ({ core, dir, gitdir }) => fn => argObject => fn({ ...argObject, core, dir, gitdir })
 
-const sandbox = ({ core, dir, gitdir, res, script, oids }) => {
+const sandbox = ({ name, core, dir, gitdir, res, oids, updates, script }) => {
   let ee = new EventEmitter()
   plugincore = git.cores.create(core)
   plugincore.set('emitter', ee)
@@ -46,7 +46,7 @@ const sandbox = ({ core, dir, gitdir, res, script, oids }) => {
       log: async (...args) => {
         res.write(await git.serveReceivePack({ type: 'print', message: args.join() }))
       },
-      fatal: (...args) => {
+      error: (...args) => {
         reject(new Error(args.join()))
       }
     }
@@ -55,15 +55,16 @@ const sandbox = ({ core, dir, gitdir, res, script, oids }) => {
       eval: false,
       wasm: false,
       sandbox: {
+        updates,
+        oids,
         git: $git,
         pgp: { lookup, demote },
-        done: resolve,
+        done: (err) => err ? reject(err) : resolve(),
         console: $console,
-        oids
       }
     });
     try {
-      script = new VMScript(script).compile();
+      script = new VMScript(script, name).compile();
     } catch (err) {
       reject(err);
     }