Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Better document env_case test/fixture and cwd #1657

Merged
merged 4 commits into from
Sep 12, 2023

Conversation

EliahKagan
Copy link
Contributor

@EliahKagan EliahKagan commented Sep 12, 2023

This improves how some of the changes in #1650 are documented, expanding comments and a docstring.

I ended up doing this in four commits, but really it would probably be just as clear with two. If you'd like me to rebase this to have just two commits, please let me know.

Identifying the steps in the "env_case" test

This is my main motivation for opening this PR, and most of the change.

I was thinking about how it was not immediately obvious why test_it_avoids_upcasing_unrelated_environment_variable_names (the "env_case" test) works and why it is done in this way.

To improve on this, I wrote comments that divide it into four steps. Two of the steps occur in the test case method, and the others occur in the supporting env_case.py fixture. The comments are in both files.

This only adds and changes comments, but just in case I have locally tested that it does not stop the test from passing, nor from failing when using the version of the code in git/ from just before the merge of #1650.

Non-reentrancy of some context manager objects

I had intended my brief mention of non-reentrancy to distinguish git.util.cwd from contextlib.chdir, which is fully reentrant by having each returned object maintain a stack of directories (but which is not available before Python 3.11). But this was not clear at all--I had nowhere mentioned contextlib.chdir!--and it risked giving the wrong impression that cwd couldn't be called multiple times in nested with-statements.

Furthermore, the newly introduced patch_env function is non-reentrant in exactly the same narrow sense, but because it did not mention this and cwd did, this gave the wrong impression that patch_env was reentrant in this way. (I think patch_env actually doesn't need to document this--really cwd's limitation compared to contextlib.chdir is the only thing important enough to mention.)

I've somewhat clarified this, but maybe further improvements can be made in the future. This can be make clearer with extended example, but I would be very reluctant to bloat the cwd docstring with fully worked examples. If anything, maybe there is a way to say it shorter. Or maybe the reentrancy information should be removed altogether.

This expands and adds comments in
test_it_avoids_upcasing_unrelated_environment_variable_names and
its supporting fixture env_case.py so it is clear exactly what is
being tested and how/why the test works to test it.
To better focus on the key information.
This frames the reentrancy claim in terms of what is similar to and
different from contextlib.chdir (which we would just use, but it is
only available on Python 3.11 and later).
@EliahKagan EliahKagan marked this pull request as ready for review September 12, 2023 04:56
@Byron
Copy link
Member

Byron commented Sep 12, 2023

Thanks again for your tremendous help!

I appreciate these improvements and confirm that they make clearer what's happening. It's a bit sad that we don't have a general-purpose bug-tracker yet that we can refer to in a self-contained fashion (maybe similar to git-appraise), as I also find myself to be hesitant to link to GitHub issues, as doing so might also be beneficial here.

I ended up doing this in four commits, but really it would probably be just as clear with two. If you'd like me to rebase this to have just two commits, please let me know.

I'd never ask that as I believe that any git-commit workflow has its purpose, with different trade-offs. One day I hope there is tooling that makes leveraging this information easier than git log or git blame, but we will be getting there.

This only adds and changes comments, but just in case I have locally tested that it does not stop the test from passing, nor from failing when using the version of the code in git/ from just before the merge of #1650.

That's extremely diligent of you, but even if there would have been a chance for test-failure, it's fine if CI detects it first. It's a tool and ideally, it saves some time as well.

@Byron Byron merged commit 769ca1e into gitpython-developers:main Sep 12, 2023
7 checks passed
@EliahKagan EliahKagan deleted the envcase-doc branch September 12, 2023 22:16
@EliahKagan
Copy link
Contributor Author

EliahKagan commented Sep 13, 2023

That's extremely diligent of you, but even if there would have been a chance for test-failure, it's fine if CI detects it first. It's a tool and ideally, it saves some time as well.

I'm a big fan of discovering test failures through CI only. The issue, here, is that the env_case test is for a regression that only affects native Windows, as elaborated below. So current CI, which uses a Cygwin build of python, would not catch a problem. Otherwise I would not have separately tested manually. However, given that the changes to the env_case test and fixture were just comments, it still probably wasn't necessary for me to test.


#1635 (CVE-2023-40590) and #1646 only affected GitPython on native Windows builds of python.

Although the reported case of #1646 mattered because of how it broke Cygwin make, I believe the python build used must have been native even there, because #1636 only patched os.environ when is_win was true, a behavior #1650 carries forward in its more limited patching. When I wrote the description of #1650, I was not sure about git.compat.is_win on Cygwin python builds. But I have since verified that it is False, which makes sense since it's based on os.name, which is posix rather than nt on Cygwin builds.

When I found that out, I was briefly worried CVE-2023-40590 might not be fully patched. In #1636, I had committed the fix and then the test, and mistakenly assumed--based on my local verification, which was with native Windows, not Cygwin--that CI would have shown a test failure if I had committed and pushed them in the other order. The regression test introduced in #1636 (which is now verifying the modified fix as of #1650) covers both true and false cases of is_win, but it would nonetheless probably not detect the bug with a Cygwin python build even if it were present. This is because, if the current directory were automatically included in a subprocess.Popen path search in Cygwin Python, it would be an inherited behavior from the Windows API and presumably would only be triggered by .exe files. (See python/cpython#91558 (comment).) But we only test with an .exe file when is_win is true.

So if GitPython on Cygwin python builds had suffered from CVE-2023-40590, it still would. Fortunately, I am pretty sure it does not. I have manually tested the subprocess module on a Cygwin build of python, both with and without shell=True (though with shell=True on a Cygwin build, the shell is Cygwin's /bin/sh, so I was pretty sure it wouldn't happen that way). Based on this, the Windows behavior that gave rise to CVE-2023-40590 does not happen in Cygwin python builds. I've also tested this in a MSYS2 build of python--MSYS2 being a major derivative of Cygwin--with the same result.

Note that CVE-2023-40590 did affect MinGW python builds installed by MSYS2 pacman (such as MINGW64 and UCRT64 builds), because unlike MSYS2 builds, those are actually native Windows builds. But because they are native builds, os.name is nt on those, so git.compat.is_win is True, so #1636 and #1650 patch NoDefaultCurrentDirectoryInExePath in as intended.

renovate bot referenced this pull request in allenporter/flux-local Sep 23, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [GitPython](https://togithub.com/gitpython-developers/GitPython) |
`==3.1.36` -> `==3.1.37` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/GitPython/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/GitPython/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/GitPython/3.1.36/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/GitPython/3.1.36/3.1.37?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>gitpython-developers/GitPython (GitPython)</summary>

###
[`v3.1.37`](https://togithub.com/gitpython-developers/GitPython/releases/tag/3.1.37):
- a proper fix CVE-2023-41040

[Compare
Source](https://togithub.com/gitpython-developers/GitPython/compare/3.1.36...3.1.37)

#### What's Changed

- Improve Python version and OS compatibility, fixing deprecations by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1654](https://togithub.com/gitpython-developers/GitPython/pull/1654)
- Better document env_case test/fixture and cwd by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1657](https://togithub.com/gitpython-developers/GitPython/pull/1657)
- Remove spurious executable permissions by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1658](https://togithub.com/gitpython-developers/GitPython/pull/1658)
- Fix up checks in Makefile and make them portable by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1661](https://togithub.com/gitpython-developers/GitPython/pull/1661)
- Fix URLs that were redirecting to another license by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1662](https://togithub.com/gitpython-developers/GitPython/pull/1662)
- Assorted small fixes/improvements to root dir docs by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1663](https://togithub.com/gitpython-developers/GitPython/pull/1663)
- Use venv instead of virtualenv in test_installation by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1664](https://togithub.com/gitpython-developers/GitPython/pull/1664)
- Omit py_modules in setup by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1665](https://togithub.com/gitpython-developers/GitPython/pull/1665)
- Don't track code coverage temporary files by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1666](https://togithub.com/gitpython-developers/GitPython/pull/1666)
- Configure tox by [@&#8203;EliahKagan](https://togithub.com/EliahKagan)
in
[https://github.com/gitpython-developers/GitPython/pull/1667](https://togithub.com/gitpython-developers/GitPython/pull/1667)
- Format tests with black and auto-exclude untracked paths by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1668](https://togithub.com/gitpython-developers/GitPython/pull/1668)
- Upgrade and broaden flake8, fixing style problems and bugs by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1673](https://togithub.com/gitpython-developers/GitPython/pull/1673)
- Fix rollback bug in SymbolicReference.set_reference by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1675](https://togithub.com/gitpython-developers/GitPython/pull/1675)
- Remove `@NoEffect` annotations by
[@&#8203;EliahKagan](https://togithub.com/EliahKagan) in
[https://github.com/gitpython-developers/GitPython/pull/1677](https://togithub.com/gitpython-developers/GitPython/pull/1677)
- Add more checks for the validity of refnames by
[@&#8203;facutuesca](https://togithub.com/facutuesca) in
[https://github.com/gitpython-developers/GitPython/pull/1672](https://togithub.com/gitpython-developers/GitPython/pull/1672)

**Full Changelog**:
gitpython-developers/GitPython@3.1.36...3.1.37

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/flux-local).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ny4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
otc-zuul bot pushed a commit to opentelekomcloud-infra/eyes_on_docs that referenced this pull request Oct 25, 2023
Bump gitpython from 3.1.35 to 3.1.37

Bumps gitpython from 3.1.35 to 3.1.37.

Release notes
Sourced from gitpython's releases.

3.1.37 - a proper fix CVE-2023-41040
What's Changed

Improve Python version and OS compatibility, fixing deprecations by @​EliahKagan in gitpython-developers/GitPython#1654
Better document env_case test/fixture and cwd by @​EliahKagan in gitpython-developers/GitPython#1657
Remove spurious executable permissions by @​EliahKagan in gitpython-developers/GitPython#1658
Fix up checks in Makefile and make them portable by @​EliahKagan in gitpython-developers/GitPython#1661
Fix URLs that were redirecting to another license by @​EliahKagan in gitpython-developers/GitPython#1662
Assorted small fixes/improvements to root dir docs by @​EliahKagan in gitpython-developers/GitPython#1663
Use venv instead of virtualenv in test_installation by @​EliahKagan in gitpython-developers/GitPython#1664
Omit py_modules in setup by @​EliahKagan in gitpython-developers/GitPython#1665
Don't track code coverage temporary files by @​EliahKagan in gitpython-developers/GitPython#1666
Configure tox by @​EliahKagan in gitpython-developers/GitPython#1667
Format tests with black and auto-exclude untracked paths by @​EliahKagan in gitpython-developers/GitPython#1668
Upgrade and broaden flake8, fixing style problems and bugs by @​EliahKagan in gitpython-developers/GitPython#1673
Fix rollback bug in SymbolicReference.set_reference by @​EliahKagan in gitpython-developers/GitPython#1675
Remove @NoEffect annotations by @​EliahKagan in gitpython-developers/GitPython#1677
Add more checks for the validity of refnames by @​facutuesca in gitpython-developers/GitPython#1672

Full Changelog: gitpython-developers/[email protected]



Commits

b27a89f fix makefile to compare commit hashes only
0bd2890 prepare next release
832b6ee remove unnecessary list comprehension to fix CI
e98f57b Merge pull request #1672 from trail-of-forks/robust-refname-checks
1774f1e Merge pull request #1677 from EliahKagan/no-noeffect
a4701a0 Remove @NoEffect annotations
d40320b Merge pull request #1675 from EliahKagan/rollback
d1c1f31 Merge pull request #1673 from EliahKagan/flake8
e480985 Tweak rollback logic in log.to_file
ff84b26 Refactor try-finally cleanup in git/
Additional commits viewable in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Reviewed-by: Vladimir Vshivkov
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants