
Do not put directories to a list of hooks to invoke

Problem description

On Linux, directories as well as files can have the executable flag set:

  • Execute permission on files means the right to execute them.
  • For directories, execute permission allows you to enter the directory.

Directories obviously cannot be executed, but an attempt to execute them is made anyway. If a directory is created in /opt/gitlab/embedded/service/gitlab-shell/hooks/pre-receive.d, the hook runner tries to execute it, with the following consequences:

$ git push -u origin master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Writing objects: 100% (3/3), 260 bytes | 260.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:44:in `spawn': Permission denied - /opt/gitlab/embedded/service/gitlab-shell/hooks/pre-receive.d/temp (Errno::EACCES)
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:44:in `call_receive_hook'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:17:in `block (2 levels) in pre_receive'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:16:in `all?'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:16:in `block in pre_receive'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_metrics.rb:50:in `measure'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/lib/gitlab_custom_hook.rb:15:in `pre_receive'
remote:         from /opt/gitlab/embedded/service/gitaly-ruby/gitlab-shell/hooks/pre-receive:29:in `<main>'
To http://localhost/root/test.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'http://localhost/root/test.git'

Proposal

To avoid such situations, it is proposed to check whether an item is a file before adding it to the list of hooks to invoke.

Edited by GitLab Release Tools Bot
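The proposed check, as an added example (not code from this merge request or from gitlab-shell): it builds a constructed pre-receive.d layout in a temporary directory and compares a filter that only tests the execute bit with one that also requires a regular file. The names naive_hooks, safe_hooks, spawn_error and demo, and the sample entries, are assumptions; the symlink case goes slightly beyond the description above.

```ruby
require 'tmpdir'
require 'fileutils'

# Behaviour described above: any entry with an execute bit counts as a hook.
def naive_hooks(dir)
  Dir[File.join(dir, '*')].select { |f| File.executable?(f) }.sort
end

# Proposed check: only regular files that are executable qualify.
# File.file? follows symlinks, so a symlink to a script still counts
# and a symlink to a directory does not.
def safe_hooks(dir)
  Dir[File.join(dir, '*')].select { |f| File.file?(f) && File.executable?(f) }.sort
end

# Returns the exception class raised when trying to run +path+, or nil.
# The [cmd, argv0] form makes spawn exec the path directly, without a shell.
def spawn_error(path)
  Process.wait(Process.spawn([path, path]))
  nil
rescue SystemCallError => e
  e.class
end

# Builds a constructed hook directory and reports what each filter selects.
def demo
  Dir.mktmpdir('pre-receive.d') do |dir|
    script = File.join(dir, '01-check')
    File.write(script, "#!/bin/sh\nexit 0\n")
    FileUtils.chmod(0o755, script)                        # a real hook
    File.write(File.join(dir, 'README'), "not a hook\n")  # no execute bit
    subdir = File.join(dir, 'temp')
    Dir.mkdir(subdir, 0o755)                              # "executable" directory
    File.symlink(subdir, File.join(dir, 'link-to-temp'))  # symlink to a directory

    {
      naive: naive_hooks(dir).map { |f| File.basename(f) },
      safe: safe_hooks(dir).map { |f| File.basename(f) },
      dir_spawn_error: spawn_error(subdir)
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The naive filter selects the directory and the symlink to it, and spawning either fails the way the push above did; the stricter filter leaves only the script.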
