bitbake: fetch2/git: quote shallow extra ref arguments

BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs advertised by the remote are later passed to git fetch and update-ref while creating shallow tarballs. Quote the generated command arguments and pass the fetched ref after -- so shell metacharacters and option-like ref names are not interpreted as command syntax or git fetch options. (Bitbake rev: 6d3f8bd4ddc955b49eaa124e0724ea589da30646) Signed-off-by: Anders Heimer <anders.heimer@est.tech> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e9a06f79d9ec767c9d95470be78b006d6fd0d59c) [YC: Only the quote part of the master patch applies. The "--" part does not. This part is handled by bin/git-make-shallow which only pass arguments to git rev-list and rev-parse through arrays] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 07:53:47 +02:00 · 2026-05-21 16:36:30 +02:00
parent 73f77a019a
commit 33d210eb57
2 changed files with 31 additions and 1 deletions
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -602,7 +602,7 @@ class Git(FetchMethod):
        shallow_cmd = [self.make_shallow_path, '-s']
        for b in shallow_branches:
            shallow_cmd.append('-r')
-            shallow_cmd.append(b)
+            shallow_cmd.append(shlex.quote(b))
        shallow_cmd.extend(shallow_revisions)
        runfetchcmd(subprocess.list2cmdline(shallow_cmd), d, workdir=dest)

--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -2206,6 +2206,36 @@ class GitShallowTest(FetcherTest):
        self.assertRefs(['master', 'origin/master', 'v1.0'])
        self.assertRevCount(1)

+    def test_shallow_extra_refs_wildcard_shell_quoted(self):
+        self.add_empty_file('a')
+        marker = os.path.join(self.tempdir, 'ref-command-marker')
+        ref = 'refs/tags/poc;touch${IFS}%s' % marker
+        self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+        self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+        self.fetch_shallow()
+
+        self.assertFalse(os.path.exists(marker))
+        self.assertRefs(['master', 'origin/master', ref])
+
+    def test_shallow_extra_refs_wildcard_fetch_options(self):
+        self.add_empty_file('a')
+        marker = os.path.join(self.tempdir, 'ref-option-marker')
+        helper = os.path.join(self.tempdir, 'upload-pack-helper')
+        with open(helper, 'w') as f:
+            f.write('#!/bin/sh\n')
+            f.write('touch "%s"\n' % marker)
+            f.write('exec git-upload-pack "$@"\n')
+        os.chmod(helper, 0o755)
+        ref = 'refs/tags/--upload-pack=%s' % helper
+        self.git(['update-ref', ref, 'HEAD'], cwd=self.srcdir)
+
+        self.d.setVar('BB_GIT_SHALLOW_EXTRA_REFS', 'refs/tags/*')
+        self.fetch_shallow()
+
+        self.assertFalse(os.path.exists(marker))
+        self.assertRefs(['master', 'origin/master', ref])
+
    def test_shallow_missing_extra_refs(self):
        self.add_empty_file('a')
        self.add_empty_file('b')