Skip to content

Commits being passed to custom hooks already reachable when using the UI

Hi,

we've installed a custom hook and recently discovered that it's not firing when using the UI to make changes. When pushing over ssh these same hooks work fine, so we know the hook itself works.

When debugging, we found out the hook actually does fire, but somehow the commit is not being checked. We think this used to work in the past although we're not a hundred percent sure about this.

We're currently on 8.9.5-ee with gitlab-shell v3.0.0 and gitlab-workhorse v0.7.5.

To reproduce: Add the following as a custom pre-receive hook (Note that because of the exit this hook will always fail)

#!/bin/bash

INPUT="$(cat -)"
echo "======================================================================="             > /tmp/hook_$(date +%s).out
echo \"${INPUT}\"                                                                          >> /tmp/hook_$(date +%s).out
echo "======================================================================="             >> /tmp/hook_$(date +%s).out
git rev-list $(echo "${INPUT}" | awk '{print $2}') --not --all                             >> /tmp/hook_$(date +%s).out
echo "======================================================================="             >> /tmp/hook_$(date +%s).out
git rev-list $(echo "${INPUT}" | awk '{print $1}')...$(echo "${INPUT}" | awk '{print $2}') >> /tmp/hook_$(date +%s).out
echo "======================================================================="             >> /tmp/hook_$(date +%s).out
exit 1

Clone the project and make a change:

echo "testing hook" > testfile
git add testfile
git commit -m"Testing hook"
git push

The commit will be rejected.

Check the output of the file in /tmp created by the hook, output should be like:

=======================================================================
"1450c75c6ca0760cd2aecd13cc0192e5e3376966 9ffcb2c5361a6a2b8ae0b2688968f9dda5b1f758 refs/heads/master"
=======================================================================
9ffcb2c5361a6a2b8ae0b2688968f9dda5b1f758
=======================================================================
9ffcb2c5361a6a2b8ae0b2688968f9dda5b1f758
=======================================================================

Now try to make the same change using the UI. Again, the commit will be rejected. The output in the corresponding file in /tmp will look like this:

=======================================================================
"1450c75c6ca0760cd2aecd13cc0192e5e3376966 46e68b7d2b66aaade6b279031daa6dd053f7eb8e refs/heads/master"
=======================================================================
=======================================================================
46e68b7d2b66aaade6b279031daa6dd053f7eb8e
=======================================================================

Note how the first git rev-list command doesn't return anything. This command should return any objects that will be reachable after the creation, that aren't currently reachable. I.e. it should contain all the objects that need to be checked. It looks to me as if the hook is somehow fired after the changes have already been processed / are reachable? Could you please investigate this as soon as possible as currently anyone can easily circumvent any hook.

Kind regards, Bartosz