feat: add check for hidden commits

fabiovincenzi · fabiovincenzi · commit 9c1449f4ec37 · 2025-05-16T16:55:29.000+02:00
diff --git a/src/proxy/chain.ts b/src/proxy/chain.ts
@@ -9,9 +9,10 @@ const pushActionChain: ((req: any, action: Action) => Promise<Action>)[] = [
   proc.push.checkCommitMessages,
   proc.push.checkAuthorEmails,
   proc.push.checkUserPushPermission,
-  proc.push.checkIfWaitingAuth,
   proc.push.pullRemote,
   proc.push.writePack,
+  proc.push.checkHiddenCommits,
+  proc.push.checkIfWaitingAuth,
   proc.push.getMissingData,
   proc.push.preReceive,
   proc.push.getDiff,
@@ -20,7 +21,9 @@ const pushActionChain: ((req: any, action: Action) => Promise<Action>)[] = [
   proc.push.blockForAuth,
 ];
 
-const pullActionChain: ((req: any, action: Action) => Promise<Action>)[] = [proc.push.checkRepoInAuthorisedList];
+const pullActionChain: ((req: any, action: Action) => Promise<Action>)[] = [
+  proc.push.checkRepoInAuthorisedList,
+];
 
 let pluginsInserted = false;
 
@@ -58,7 +61,9 @@ export const executeChain = async (req: any, res: any): Promise<Action> => {
  */
 let chainPluginLoader: PluginLoader;
 
-const getChain = async (action: Action): Promise<((req: any, action: Action) => Promise<Action>)[]> => {
+const getChain = async (
+  action: Action,
+): Promise<((req: any, action: Action) => Promise<Action>)[]> => {
   if (chainPluginLoader === undefined) {
     console.error(
       'Plugin loader was not initialized! This is an application error. Please report it to the GitProxy maintainers. Skipping plugins...',
diff --git a/src/proxy/processors/push-action/checkHiddenCommits.ts b/src/proxy/processors/push-action/checkHiddenCommits.ts
@@ -0,0 +1,85 @@
+import path from 'path';
+import { Action, Step } from '../../actions';
+import { spawnSync } from 'child_process';
+
+const exec = async (req: any, action: Action): Promise<Action> => {
+  const step = new Step('checkHiddenCommits');
+
+  try {
+    const repoPath = `${action.proxyGitPath}/${action.repoName}`;
+    console.log(`repoPath: ${repoPath}`);
+
+    const introducedCommits = new Set<string>();
+
+    action.updatedRefs?.forEach(({ ref, oldOid, newOid }) => {
+      const revRange =
+        oldOid === '0000000000000000000000000000000000000000' ? newOid : `${oldOid}..${newOid}`;
+
+      const result = spawnSync('git', ['rev-list', revRange], {
+        cwd: repoPath,
+        encoding: 'utf-8',
+      });
+
+      result.stdout
+        .trim()
+        .split('\n')
+        .forEach((c) => {
+          if (c) introducedCommits.add(c);
+        });
+    });
+
+    step.log(`Total introduced commits: ${introducedCommits.size}`);
+    step.log(`Introduced commits: ${[...introducedCommits].join(', ')}`);
+
+    const packPath = path.join('.git', 'objects', 'pack');
+
+    const packCommits = new Set<string>();
+
+    (action.newIdxFiles || []).forEach((idxFile) => {
+      const idxPath = path.join(packPath, idxFile);
+      const out = spawnSync('git', ['verify-pack', '-v', idxPath], {
+        cwd: repoPath,
+        encoding: 'utf-8',
+      }).stdout;
+
+      out
+        .trim()
+        .split('\n')
+        .forEach((line) => {
+          const [sha, type] = line.split(/\s+/);
+          if (type === 'commit') packCommits.add(sha);
+        });
+    });
+    step.log(`Commits nel pack: ${packCommits.size}`);
+    console.log('Pack commits:', packCommits);
+    console.log('Introduced commits:', introducedCommits);
+
+    const referenced: string[] = [];
+    const unreferenced: string[] = [];
+    [...packCommits].forEach((sha) => {
+      if (introducedCommits.has(sha)) referenced.push(sha);
+      else unreferenced.push(sha);
+    });
+
+    step.log(`✅ Referenced commits: ${referenced.length}`);
+    step.log(`❌ Unreferenced commits: ${unreferenced.length}`);
+
+    if (unreferenced.length > 0) {
+      step.setError(
+        `Unreferenced commits in pack (${unreferenced.length}): ${unreferenced.join(', ')}`,
+      );
+      action.error = true;
+    }
+    step.setContent(`Referenced: ${referenced.length}, Unreferenced: ${unreferenced.length}`);
+  } catch (e: any) {
+    step.setError(e.message);
+    throw e;
+  } finally {
+    action.addStep(step);
+  }
+
+  return action;
+};
+
+exec.displayName = 'checkHiddenCommits.exec';
+export { exec };
diff --git a/src/proxy/processors/push-action/index.ts b/src/proxy/processors/push-action/index.ts
@@ -5,6 +5,7 @@ import { exec as audit } from './audit';
 import { exec as pullRemote } from './pullRemote';
 import { exec as writePack } from './writePack';
 import { exec as getDiff } from './getDiff';
+import { exec as checkHiddenCommits } from './checkHiddenCommits';
 import { exec as scanDiff } from './scanDiff';
 import { exec as blockForAuth } from './blockForAuth';
 import { exec as checkIfWaitingAuth } from './checkIfWaitingAuth';
@@ -22,6 +23,7 @@ export {
   pullRemote,
   writePack,
   getDiff,
+  checkHiddenCommits,
   scanDiff,
   blockForAuth,
   checkIfWaitingAuth,
diff --git a/src/proxy/processors/push-action/parsePush.ts b/src/proxy/processors/push-action/parsePush.ts
@@ -31,11 +31,17 @@ async function exec(req: any, action: Action): Promise<Action> {
       return action;
     }
 
-    const parts = refUpdates[0].split(' ');
-    const [oldCommit, newCommit, ref] = parts;
+    const cleanedUpdates = refUpdates.map((line) => {
+      const [oldOid, newOid, refWithNull] = line.split(' ');
+      const ref = refWithNull.replace(/\0.*/, '').trim();
+      return { oldOid, newOid, ref };
+    });
 
-    action.branch = ref.replace(/\0.*/, '').trim();
-    action.setCommit(oldCommit, newCommit);
+    action.updatedRefs = cleanedUpdates;
+
+    const { oldOid, newOid, ref } = cleanedUpdates[0];
+    action.branch = ref;
+    action.setCommit(oldOid, newOid);
 
     // Check if the offset is valid and if there's data after it
     if (packDataOffset >= req.body.length) {
