finos
diff --git a/‎src/proxy/actions/Action.ts
Lines changed: 1 addition & 0 deletions b/‎src/proxy/actions/Action.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/proxy/chain.ts
Lines changed: 3 additions & 1 deletion b/‎src/proxy/chain.ts
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/proxy/processors/constants.ts
Lines changed: 6 additions & 0 deletions b/‎src/proxy/processors/constants.ts
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/proxy/processors/push-action/checkHiddenCommits.ts
Lines changed: 82 additions & 0 deletions b/‎src/proxy/processors/push-action/checkHiddenCommits.ts
Lines changed: 82 additions & 0 deletions
diff --git a/‎src/proxy/processors/push-action/checkUserPushPermission.ts
Lines changed: 20 additions & 2 deletions b/‎src/proxy/processors/push-action/checkUserPushPermission.ts
Lines changed: 20 additions & 2 deletions
diff --git a/‎src/proxy/processors/push-action/getDiff.ts
Lines changed: 9 additions & 3 deletions b/‎src/proxy/processors/push-action/getDiff.ts
Lines changed: 9 additions & 3 deletions
diff --git a/‎src/proxy/processors/push-action/getMissingData.ts
Lines changed: 76 additions & 0 deletions b/‎src/proxy/processors/push-action/getMissingData.ts
Lines changed: 76 additions & 0 deletions
diff --git a/‎src/proxy/processors/push-action/index.ts
Lines changed: 4 additions & 0 deletions b/‎src/proxy/processors/push-action/index.ts
Lines changed: 4 additions & 0 deletions
@@ -48,6 +48,7 @@ class Action {
   attestation?: string;
   lastStep?: Step;
   proxyGitPath?: string;
+  newIdxFiles?: string[];
 
   /**
    * Create an action.
 
@@ -9,9 +9,11 @@ const pushActionChain: ((req: any, action: Action) => Promise<Action>)[] = [
   proc.push.checkCommitMessages,
   proc.push.checkAuthorEmails,
   proc.push.checkUserPushPermission,
-  proc.push.checkIfWaitingAuth,
   proc.push.pullRemote,
   proc.push.writePack,
+  proc.push.checkHiddenCommits,
+  proc.push.checkIfWaitingAuth,
+  proc.push.getMissingData,
   proc.push.preReceive,
   proc.push.getDiff,
   // run before clear remote
 
@@ -0,0 +1,6 @@
+export const BRANCH_PREFIX = 'refs/heads/';
+export const EMPTY_COMMIT_HASH = '0000000000000000000000000000000000000000';
+export const FLUSH_PACKET = '0000';
+export const PACK_SIGNATURE = 'PACK';
+export const PACKET_SIZE = 4;
+export const GIT_OBJECT_TYPE_COMMIT = 1;
@@ -0,0 +1,82 @@
+import path from 'path';
+import { Action, Step } from '../../actions';
+import { spawnSync } from 'child_process';
+
+const exec = async (req: any, action: Action): Promise<Action> => {
+  const step = new Step('checkHiddenCommits');
+
+  try {
+    const repoPath = `${action.proxyGitPath}/${action.repoName}`;
+
+    const oldOid = action.commitFrom;
+    const newOid = action.commitTo;
+    if (!oldOid || !newOid) {
+      throw new Error('Both action.commitFrom and action.commitTo must be defined');
+    }
+
+    // build introducedCommits set
+    const introducedCommits = new Set<string>();
+    const revRange =
+      oldOid === '0000000000000000000000000000000000000000' ? newOid : `${oldOid}..${newOid}`;
+    const revList = spawnSync('git', ['rev-list', revRange], { cwd: repoPath, encoding: 'utf-8' })
+      .stdout.trim()
+      .split('\n')
+      .filter(Boolean);
+    revList.forEach((sha) => introducedCommits.add(sha));
+    step.log(`Total introduced commits: ${introducedCommits.size}`);
+
+    // build packCommits set
+    const packPath = path.join('.git', 'objects', 'pack');
+    const packCommits = new Set<string>();
+    (action.newIdxFiles || []).forEach((idxFile) => {
+      const idxPath = path.join(packPath, idxFile);
+      const out = spawnSync('git', ['verify-pack', '-v', idxPath], {
+        cwd: repoPath,
+        encoding: 'utf-8',
+      })
+        .stdout.trim()
+        .split('\n');
+      out.forEach((line) => {
+        const [sha, type] = line.split(/\s+/);
+        if (type === 'commit') packCommits.add(sha);
+      });
+    });
+    step.log(`Total commits in the pack: ${packCommits.size}`);
+
+    // subset check
+    const isSubset = [...packCommits].every((sha) => introducedCommits.has(sha));
+    if (!isSubset) {
+      // build detailed lists
+      const [referenced, unreferenced] = [...packCommits].reduce<[string[], string[]]>(
+        ([ref, unref], sha) =>
+          introducedCommits.has(sha) ? [[...ref, sha], unref] : [ref, [...unref, sha]],
+        [[], []],
+      );
+
+      step.log(`Referenced commits: ${referenced.length}`);
+      step.log(`Unreferenced commits: ${unreferenced.length}`);
+
+      step.setError(
+        `Unreferenced commits in pack (${unreferenced.length}): ${unreferenced.join(', ')}.\n` +
+          `This usually happens when a branch was made from a commit that hasn't been approved and pushed to the remote.\n` +
+          `Please get approval on the commits, push them and try again.`,
+      );
+      action.error = true;
+      step.setContent(`Referenced: ${referenced.length}, Unreferenced: ${unreferenced.length}`);
+    } else {
+      // all good, no logging of individual SHAs needed
+      step.log('All pack commits are referenced in the introduced range.');
+      step.setContent(`All ${packCommits.size} pack commits are within introduced commits.`);
+    }
+  } catch (e: any) {
+    step.setError(e.message);
+    throw e;
+  } finally {
+    action.addStep(step);
+  }
+
+  return action;
+};
+
+exec.displayName = 'checkHiddenCommits.exec';
+export { exec };
@@ -5,7 +5,26 @@ import { trimTrailingDotGit } from '../../../db/helper';
 // Execute if the repo is approved
 const exec = async (req: any, action: Action): Promise<Action> => {
   const step = new Step('checkUserPushPermission');
+  const user = action.user;
 
+  if (!user) {
+    console.log('Action has no user set. This may be due to a fast-forward ref update. Deferring to getMissingData action.');
+    return action;
+  }
+
+  return await validateUser(user, action, step);
+};
+
+/**
+ * Helper that validates the user's push permission.
+ * This can be used by other actions that need it. For example, when the user is missing from the commit data,
+ * validation is deferred to getMissingData, but the logic is the same.
+ * @param {string} user The user to validate
+ * @param {Action} action The action object
+ * @param {Step} step The step object
+ * @return {Promise<Action>} The action object
+ */
+const validateUser = async (user: string, action: Action, step: Step): Promise<Action> => { 
   const repoSplit = trimTrailingDotGit(action.repo.toLowerCase()).split('/');
   // we expect there to be exactly one / separating org/repoName
   if (repoSplit.length != 2) {
@@ -16,7 +35,6 @@ const exec = async (req: any, action: Action): Promise<Action> => {
   // pull the 2nd value of the split for repoName
   const repoName = repoSplit[1];
   let isUserAllowed = false;
-  let user = action.user;
 
   // Find the user associated with this Git Account
   const list = await getUsers({ gitAccount: action.user });
@@ -53,4 +71,4 @@ const exec = async (req: any, action: Action): Promise<Action> => {
 
 exec.displayName = 'checkUserPushPermission.exec';
 
-export { exec };
+export { exec, validateUser };
@@ -1,6 +1,8 @@
 import { Action, Step } from '../../actions';
 import simpleGit from 'simple-git';
 
+import { EMPTY_COMMIT_HASH } from '../constants';
+
 const exec = async (req: any, action: Action): Promise<Action> => {
   const step = new Step('diff');
 
@@ -11,11 +13,15 @@ const exec = async (req: any, action: Action): Promise<Action> => {
     let commitFrom = `4b825dc642cb6eb9a060e54bf8d69288fbee4904`;
 
     if (!action.commitData || action.commitData.length === 0) {
-      throw new Error('No commit data found');
+      step.error = true;
+      step.log('No commitData found');
+      step.setError('Your push has been blocked because no commit data was found.');
+      action.addStep(step);
+      return action;
     }
 
-    if (action.commitFrom === '0000000000000000000000000000000000000000') {
-      if (action.commitData[0].parent !== '0000000000000000000000000000000000000000') {
+    if (action.commitFrom === EMPTY_COMMIT_HASH) {
+      if (action.commitData[0].parent !== EMPTY_COMMIT_HASH) {
         commitFrom = `${action.commitData[action.commitData.length - 1].parent}`;
       }
     } else {
 
@@ -0,0 +1,76 @@
+import { Action, Step } from '../../actions';
+import { validateUser } from './checkUserPushPermission';
+import simpleGit from 'simple-git';
+import { EMPTY_COMMIT_HASH } from '../constants';
+
+const isEmptyBranch = async (action: Action) => {
+  const git = simpleGit(`${action.proxyGitPath}/${action.repoName}`);
+
+  if (action.commitFrom === EMPTY_COMMIT_HASH) {
+    try {
+      const type = await git.raw(['cat-file', '-t', action.commitTo || '']);
+      const known = type.trim() === 'commit';
+      if (known) {
+        return true;
+      }
+    } catch (err) {
+      console.log(`Commit ${action.commitTo} not found: ${err}`);
+    }
+  }
+
+  return false;
+};
+
+const exec = async (req: any, action: Action): Promise<Action> => {
+  const step = new Step('getMissingData');
+
+  if (action.commitData && action.commitData.length > 0) {
+    console.log('getMissingData', action);
+    return action;
+  }
+
+  if (await isEmptyBranch(action)) {
+    step.setError('Push blocked: Empty branch. Please make a commit before pushing a new branch.');
+    action.addStep(step);
+    step.error = true;
+    return action;
+  }
+  console.log(`commitData not found, fetching missing commits from git...`);
+
+  try {
+    const path = `${action.proxyGitPath}/${action.repoName}`;
+    const git = simpleGit(path);
+    const log = await git.log({ from: action.commitFrom, to: action.commitTo });
+
+    action.commitData = [...log.all].reverse().map((entry, i, array) => {
+      const parent = i === 0 ? action.commitFrom : array[i - 1].hash;
+      const timestamp = Math.floor(new Date(entry.date).getTime() / 1000).toString();
+      return {
+        message: entry.message || '',
+        committer: entry.author_name || '',
+        tree: entry.hash || '',
+        parent: parent || EMPTY_COMMIT_HASH,
+        author: entry.author_name || '',
+        authorEmail: entry.author_email || '',
+        commitTimestamp: timestamp,
+      }
+    });
+    console.log(`Updated commitData:`, { commitData: action.commitData });
+
+    if (action.commitFrom === EMPTY_COMMIT_HASH) {
+      action.commitFrom = action.commitData[action.commitData.length - 1].parent;
+    }
+
+    const user = action.commitData[action.commitData.length - 1].committer;
+    action.user = user;
+  } catch (e: any) {
+    step.setError(e.toString('utf-8'));
+  } finally {
+    action.addStep(step);
+  }
+  return await validateUser(action.user || '', action, step);
+};
+
+exec.displayName = 'getMissingData.exec';
+
+export { exec };
@@ -5,6 +5,7 @@ import { exec as audit } from './audit';
 import { exec as pullRemote } from './pullRemote';
 import { exec as writePack } from './writePack';
 import { exec as getDiff } from './getDiff';
+import { exec as checkHiddenCommits } from './checkHiddenCommits';
 import { exec as gitleaks } from './gitleaks';
 import { exec as scanDiff } from './scanDiff';
 import { exec as blockForAuth } from './blockForAuth';
@@ -13,6 +14,7 @@ import { exec as checkCommitMessages } from './checkCommitMessages';
 import { exec as checkAuthorEmails } from './checkAuthorEmails';
 import { exec as checkUserPushPermission } from './checkUserPushPermission';
 import { exec as clearBareClone } from './clearBareClone';
+import { exec as getMissingData } from './getMissingData';
 
 export {
   parsePush,
@@ -22,6 +24,7 @@ export {
   pullRemote,
   writePack,
   getDiff,
+  checkHiddenCommits,
   gitleaks,
   scanDiff,
   blockForAuth,
@@ -30,4 +33,5 @@ export {
   checkAuthorEmails,
   checkUserPushPermission,
   clearBareClone,
+  getMissingData,
 };