git/t/t6700-tree-depth.sh

#!/bin/sh

test_description='handling of deep trees in various commands'

TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh

# We'll test against two depths here: a small one that will let us check the
# behavior of the config setting easily, and a large one that should be
# forbidden by default. Testing the default depth will let us know whether our
# default is enough to prevent segfaults on systems that run the tests.
small_depth=50
big_depth=4100

small_ok="-c core.maxtreedepth=$small_depth"
small_no="-c core.maxtreedepth=$((small_depth-1))"

# usage: mkdeep <name> <depth>
#   Create a tag <name> containing a file whose path has depth <depth>.
#
# We'll use fast-import here for two reasons:
#
#   1. It's faster than creating $big_depth tree objects.
#
#   2. As we tighten tree limits, it's more likely to allow large sizes
#      than trying to stuff a deep path into the index.
mkdeep () {
	{
		echo "commit refs/tags/$1" &&
		echo "committer foo <foo@example.com> 1234 -0000" &&
		echo "data <<EOF" &&
		echo "the commit message" &&
		echo "EOF" &&

		printf 'M 100644 inline ' &&
		i=0 &&
		while test $i -lt $2
		do
			printf 'a/'
			i=$((i+1))
		done &&
		echo "file" &&

		echo "data <<EOF" &&
		echo "the file contents" &&
		echo "EOF" &&
		echo
	} | git fast-import
}

test_expect_success 'create small tree' '
	mkdeep small $small_depth
'

test_expect_success 'create big tree' '
	mkdeep big $big_depth
'

test_expect_success 'limit recursion of git-archive' '
	git $small_ok archive small >/dev/null &&
	test_must_fail git $small_no archive small >/dev/null
'

test_expect_success 'default limit for git-archive fails gracefully' '
	test_must_fail git archive big >/dev/null
'

test_expect_success 'limit recursion of ls-tree -r' '
	git $small_ok ls-tree -r small &&
	test_must_fail git $small_no ls-tree -r small
'

test_expect_success 'default limit for ls-tree fails gracefully' '
	test_must_fail git ls-tree -r big >/dev/null
'

test_expect_success 'limit recursion of rev-list --objects' '
	git $small_ok rev-list --objects small >/dev/null &&
	test_must_fail git $small_no rev-list --objects small >/dev/null
'

test_expect_success 'default limit for rev-list fails gracefully' '
	test_must_fail git rev-list --objects big >/dev/null
'

test_expect_success 'limit recursion of diff-tree -r' '
	git $small_ok diff-tree -r $EMPTY_TREE small &&
	test_must_fail git $small_no diff-tree -r $EMPTY_TREE small
'

test_expect_success 'default limit for diff-tree fails gracefully' '
	test_must_fail git diff-tree -r $EMPTY_TREE big
'

test_done
traverse_trees(): respect max_allowed_tree_depth The tree-walk.c code walks trees recursively, and may run out of stack space. The easiest way to see this is with git-archive; on my 64-bit Linux system it runs out of stack trying to generate a tarfile with a tree depth of 13,772. I've picked 4100 as the depth for our "big" test. I ran it with a much higher value to confirm that we do get a segfault without this patch. But really anything over 4096 is sufficient for its stated purpose, which is to find out if our default limit of 4096 is low enough to prevent segfaults on all platforms. Keeping it small saves us time on the test setup. The tree-walk code that's touched here underlies unpack_trees(), so this protects any programs which use it, not just git-archive (but archive is easy to test, and was what alerted me to this issue in a real-world case). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:21:40 +00:00			`#!/bin/sh`

			`test_description='handling of deep trees in various commands'`
t6700: mark test as leak-free This test has never leaked since it was added. Let's annotate it to make sure it stays that way (and to reduce noise when looking for other leak-free scripts after we fix some leaks). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-10-03 20:26:09 +00:00
			`TEST_PASSES_SANITIZE_LEAK=true`
traverse_trees(): respect max_allowed_tree_depth The tree-walk.c code walks trees recursively, and may run out of stack space. The easiest way to see this is with git-archive; on my 64-bit Linux system it runs out of stack trying to generate a tarfile with a tree depth of 13,772. I've picked 4100 as the depth for our "big" test. I ran it with a much higher value to confirm that we do get a segfault without this patch. But really anything over 4096 is sufficient for its stated purpose, which is to find out if our default limit of 4096 is low enough to prevent segfaults on all platforms. Keeping it small saves us time on the test setup. The tree-walk code that's touched here underlies unpack_trees(), so this protects any programs which use it, not just git-archive (but archive is easy to test, and was what alerted me to this issue in a real-world case). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:21:40 +00:00			`. ./test-lib.sh`

			`# We'll test against two depths here: a small one that will let us check the`
			`# behavior of the config setting easily, and a large one that should be`
			`# forbidden by default. Testing the default depth will let us know whether our`
			`# default is enough to prevent segfaults on systems that run the tests.`
			`small_depth=50`
			`big_depth=4100`

			`small_ok="-c core.maxtreedepth=$small_depth"`
			`small_no="-c core.maxtreedepth=$((small_depth-1))"`

			`# usage: mkdeep <name> <depth>`
			`# Create a tag <name> containing a file whose path has depth <depth>.`
			`#`
			`# We'll use fast-import here for two reasons:`
			`#`
			`# 1. It's faster than creating $big_depth tree objects.`
			`#`
			`# 2. As we tighten tree limits, it's more likely to allow large sizes`
			`# than trying to stuff a deep path into the index.`
			`mkdeep () {`
			`{`
			`echo "commit refs/tags/$1" &&`
			`echo "committer foo <foo@example.com> 1234 -0000" &&`
			`echo "data <<EOF" &&`
			`echo "the commit message" &&`
			`echo "EOF" &&`

			`printf 'M 100644 inline ' &&`
			`i=0 &&`
			`while test $i -lt $2`
			`do`
			`printf 'a/'`
			`i=$((i+1))`
			`done &&`
			`echo "file" &&`

			`echo "data <<EOF" &&`
			`echo "the file contents" &&`
			`echo "EOF" &&`
			`echo`
			`} \| git fast-import`
			`}`

			`test_expect_success 'create small tree' '`
			`mkdeep small $small_depth`
			`'`

			`test_expect_success 'create big tree' '`
			`mkdeep big $big_depth`
			`'`

			`test_expect_success 'limit recursion of git-archive' '`
			`git $small_ok archive small >/dev/null &&`
			`test_must_fail git $small_no archive small >/dev/null`
			`'`

			`test_expect_success 'default limit for git-archive fails gracefully' '`
			`test_must_fail git archive big >/dev/null`
			`'`

read_tree(): respect max_allowed_tree_depth The read_tree() function reads trees recursively (via its read_tree_at() helper). This can cause it to run out of stack space on very deep trees. Let's teach it about the new core.maxTreeDepth option. The easiest way to demonstrate this is via "ls-tree -r", which the test covers. Note that I needed a tree depth of ~30k to trigger a segfault on my Linux system, not the 4100 used by our "big" test in t6700. However, that test still tells us what we want: that the default 4096 limit is enough to prevent segfaults on all platforms. We could bump it, but that increases the cost of the test setup for little gain. As an interesting side-note: when I originally wrote this patch about 4 years ago, I needed a depth of ~50k to segfault. But porting it forward, the number is much lower. Seemingly little things like cf0983213c (hash: add an algo member to struct object_id, 2021-04-26) take it from 32,722 to 29,080. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:21:55 +00:00			`test_expect_success 'limit recursion of ls-tree -r' '`
			`git $small_ok ls-tree -r small &&`
			`test_must_fail git $small_no ls-tree -r small`
			`'`

			`test_expect_success 'default limit for ls-tree fails gracefully' '`
			`test_must_fail git ls-tree -r big >/dev/null`
			`'`

list-objects: respect max_allowed_tree_depth The tree traversal in list-objects.c, which is used by "rev-list --objects", etc, uses recursion and may run out of stack space. Let's teach it about the new core.maxTreeDepth config option. We unfortunately can't return an error here, as this code doesn't produce an error return at all. We'll die() instead, which matches the behavior when we see an otherwise broken tree. Note that this will also generally reject such deep trees from entering the repository from a fetch or push, due to the use of rev-list in the connectivity check. But it's not foolproof! We stop traversing when we see an UNINTERESTING object, and the connectivity check marks existing ref tips as UNINTERESTING. So imagine commit X has a tree with maximum depth N. If you then create a new commit Y with a tree entry "Y:subdir" that points to "X^{tree}", then the depth of Y will be N+1. But a connectivity check running "git rev-list --objects Y --not X" won't realize that; it will stop traversing at X^{tree}, since that was already reachable. So this will stop naive pushes of too-deep trees, but not carefully crafted malicious ones. Doing it robustly and efficiently would require caching the maximum depth of each tree (i.e., the longest path to any leaf entry). That's much more complex and not strictly needed. If each recursive algorithm limits itself already, then that's sufficient. Blocking the objects from entering the repo would be a nice belt-and-suspenders addition, but it's not worth the extra cost. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:22:03 +00:00			`test_expect_success 'limit recursion of rev-list --objects' '`
			`git $small_ok rev-list --objects small >/dev/null &&`
			`test_must_fail git $small_no rev-list --objects small >/dev/null`
			`'`

			`test_expect_success 'default limit for rev-list fails gracefully' '`
			`test_must_fail git rev-list --objects big >/dev/null`
			`'`

tree-diff: respect max_allowed_tree_depth When diffing trees, we recurse to handle subtrees. That means we may run out of stack space and segfault. Let's teach this code path about core.maxTreeDepth in order to fail more gracefully. As with the previous patch, we have no way to return an error (and other tree-loading problems would just cause us to die()). So we'll likewise call die() if we exceed the maximum depth. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:22:08 +00:00			`test_expect_success 'limit recursion of diff-tree -r' '`
			`git $small_ok diff-tree -r $EMPTY_TREE small &&`
			`test_must_fail git $small_no diff-tree -r $EMPTY_TREE small`
			`'`

			`test_expect_success 'default limit for diff-tree fails gracefully' '`
			`test_must_fail git diff-tree -r $EMPTY_TREE big`
			`'`

traverse_trees(): respect max_allowed_tree_depth The tree-walk.c code walks trees recursively, and may run out of stack space. The easiest way to see this is with git-archive; on my 64-bit Linux system it runs out of stack trying to generate a tarfile with a tree depth of 13,772. I've picked 4100 as the depth for our "big" test. I ran it with a much higher value to confirm that we do get a segfault without this patch. But really anything over 4096 is sufficient for its stated purpose, which is to find out if our default limit of 4096 is low enough to prevent segfaults on all platforms. Keeping it small saves us time on the test setup. The tree-walk code that's touched here underlies unpack_trees(), so this protects any programs which use it, not just git-archive (but archive is easy to test, and was what alerted me to this issue in a real-world case). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-08-31 06:21:40 +00:00			`test_done`