storage: filesystem, Avoid overwriting loose obj files. Fixes #55

pjbgf · pjbgf · commit 5290e521c8cf · 2026-02-25T11:15:32.000Z
Loose object files are content-addressable and imutable. They should be created on demand and deleted on repacking. However, they should not be overwritten - assuming the initial file isn't corrupted. The previous lack of validation meant those files were being overwritten when in fact they could just be ignored. In Linux, this was a non-issue, however, in Windows this operation led to Access Denied errors. Some additional moving parts of this fix: - [go-billy](go-git/go-billy#187): Align behaviour supporting dir.NewObject(): - Add support for Chmod in polyfill so that ChrootOS is able to chmod files. - Ensure temporary directories are created for BoundOS to avoid errors when trying to create the temporary file used for loose files. - This PR: - Ensure that in Windows, packed and loose object files are created as read-only, which in this case means setting the flag windows.FILE_ATTRIBUTE_READONLY via x/sys/windows. - Skip renaming the temporary file into the existing loose object, instead simply delete the temporary file. Relates to: - Southclaws/sampctl#422 - git-bug/git-bug#1142 - entireio/cli#455 Signed-off-by: Paulo Gomes <pjbgf@linux.com>
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/emirpasic/gods v1.18.1
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376
-	github.com/go-git/go-billy/v5 v5.7.0
+	github.com/go-git/go-billy/v5 v5.8.0
 	github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
 	github.com/google/go-cmp v0.7.0
diff --git a/go.sum b/go.sum
@@ -25,8 +25,8 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.7.0 h1:83lBUJhGWhYp0ngzCMSgllhUSuoHP1iEWYjsPl9nwqM=
-github.com/go-git/go-billy/v5 v5.7.0/go.mod h1:/1IUejTKH8xipsAcdfcSAlUlo2J7lkYV8GTKxAT/L3E=
+github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
+github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
diff --git a/storage/filesystem/dotgit/dotgit_test.go b/storage/filesystem/dotgit/dotgit_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/storage"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	. "gopkg.in/check.v1"
 )
 
@@ -1094,3 +1095,61 @@ func (s *SuiteDotGit) TestSetPackedRef(c *C) {
 	c.Assert(err, IsNil)
 	c.Assert(looseCount, Equals, 1)
 }
+
+func TestIssue55(t *testing.T) {
+	t.Parallel()
+
+	writeObject := func(fs billy.Filesystem) {
+		t.Helper()
+
+		dir := New(fs)
+		err := dir.Initialize()
+		require.NoError(t, err)
+
+		w, err := dir.NewObject()
+		require.NoError(t, err)
+
+		err = w.WriteHeader(plumbing.BlobObject, 14)
+		require.NoError(t, err)
+		n, err := w.Write([]byte("this is a test"))
+		require.NoError(t, err)
+		assert.Equal(t, 14, n)
+
+		assert.Equal(t, "a8a940627d132695a9769df883f85992f0ff4a43", w.Hash().String())
+
+		err = w.Close()
+		require.NoError(t, err)
+	}
+
+	for _, tc := range []struct {
+		name string
+		fs   billy.Filesystem
+	}{
+		{"BoundOS", osfs.New(t.TempDir(), osfs.WithBoundOS())},
+		{"ChrootOS", osfs.New(t.TempDir(), osfs.WithChrootOS())},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			path := filepath.Join("objects", "a8", "a940627d132695a9769df883f85992f0ff4a43")
+
+			writeObject(tc.fs)
+			i, err := tc.fs.Stat(path)
+			require.NoError(t, err)
+			assert.Equal(t, int64(34), i.Size())
+
+			ro, err := isReadOnly(tc.fs, path)
+			require.NoError(t, err)
+			assert.True(t, ro, "file %q is not read-only", path)
+
+			// Recreate the same object.
+			writeObject(tc.fs)
+			i, err = tc.fs.Stat(path)
+			require.NoError(t, err)
+			assert.Equal(t, int64(34), i.Size())
+
+			ro, err = isReadOnly(tc.fs, path)
+			require.NoError(t, err)
+			assert.True(t, ro, "file %q is not read-only", path)
+		})
+	}
+}
diff --git a/storage/filesystem/dotgit/writers.go b/storage/filesystem/dotgit/writers.go
@@ -3,15 +3,14 @@ package dotgit
 import (
 	"fmt"
 	"io"
-	"runtime"
+	"os"
 	"sync/atomic"
 
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/format/idxfile"
 	"github.com/go-git/go-git/v5/plumbing/format/objfile"
 	"github.com/go-git/go-git/v5/plumbing/format/packfile"
 	"github.com/go-git/go-git/v5/plumbing/hash"
-	"github.com/go-git/go-git/v5/utils/trace"
 
 	"github.com/go-git/go-billy/v5"
 )
@@ -291,22 +290,17 @@ func (w *ObjectWriter) save() error {
 	hex := w.Hash().String()
 	file := w.fs.Join(objectsPath, hex[0:2], hex[2:hash.HexSize])
 
+	// Loose objects are content addressable, if they already exist
+	// we can safely delete the temporary file and short-circuit the
+	// operation.
+	if _, err := w.fs.Stat(file); err == nil || os.IsExist(err) {
+		return w.fs.Remove(w.f.Name())
+	}
+
 	if err := w.fs.Rename(w.f.Name(), file); err != nil {
 		return err
 	}
 	fixPermissions(w.fs, file)
 
 	return nil
 }
-
-func fixPermissions(fs billy.Filesystem, path string) {
-	if runtime.GOOS == "windows" {
-		return
-	}
-
-	if chmodFS, ok := fs.(billy.Chmod); ok {
-		if err := chmodFS.Chmod(path, 0o444); err != nil {
-			trace.General.Printf("failed to chmod %s: %v", path, err)
-		}
-	}
-}
diff --git a/storage/filesystem/dotgit/writers_test.go b/storage/filesystem/dotgit/writers_test.go
@@ -4,9 +4,11 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strconv"
 	"testing"
 
+	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-billy/v5/util"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -142,51 +144,74 @@ func (s *SuiteDotGit) TestPackWriterUnusedNotify(c *C) {
 func TestPackWriterPermissions(t *testing.T) {
 	t.Parallel()
 
-	f := fixtures.Basic().One()
+	for _, tc := range []struct {
+		name string
+		fs   billy.Filesystem
+	}{
+		{"BoundOS", osfs.New(t.TempDir(), osfs.WithBoundOS())},
+		{"ChrootOS", osfs.New(t.TempDir(), osfs.WithChrootOS())},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 
-	fs := osfs.New(t.TempDir(), osfs.WithBoundOS())
-	dot := New(fs)
-	require.NoError(t, dot.Initialize())
+			f := fixtures.Basic().One()
 
-	w, err := dot.NewObjectPack()
-	require.NoError(t, err)
+			dot := New(tc.fs)
+			require.NoError(t, dot.Initialize())
 
-	_, err = io.Copy(w, f.Packfile())
-	require.NoError(t, err)
+			w, err := dot.NewObjectPack()
+			require.NoError(t, err)
 
-	require.NoError(t, w.Close())
+			_, err = io.Copy(w, f.Packfile())
+			require.NoError(t, err)
 
-	pfPath := fmt.Sprintf("objects/pack/pack-%s.pack", f.PackfileHash)
-	idxPath := fmt.Sprintf("objects/pack/pack-%s.idx", f.PackfileHash)
+			require.NoError(t, w.Close())
 
-	stat, err := fs.Stat(pfPath)
-	require.NoError(t, err)
-	assert.Equal(t, os.FileMode(0o444), stat.Mode().Perm())
+			pfPath := filepath.Join("objects", "pack", fmt.Sprintf("pack-%s.pack", f.PackfileHash))
+			idxPath := filepath.Join("objects", "pack", fmt.Sprintf("pack-%s.idx", f.PackfileHash))
 
-	stat, err = fs.Stat(idxPath)
-	require.NoError(t, err)
-	assert.Equal(t, os.FileMode(0o444), stat.Mode().Perm())
+			ro, err := isReadOnly(tc.fs, pfPath)
+			require.NoError(t, err)
+			assert.True(t, ro, "file %q is not read-only", pfPath)
+
+			ro, err = isReadOnly(tc.fs, idxPath)
+			require.NoError(t, err)
+			assert.True(t, ro, "file %q is not read-only", idxPath)
+		})
+	}
 }
 
 func TestObjectWriterPermissions(t *testing.T) {
 	t.Parallel()
 
-	fs := osfs.New(t.TempDir(), osfs.WithBoundOS())
-	dot := New(fs)
-	require.NoError(t, dot.Initialize())
+	for _, tc := range []struct {
+		name string
+		fs   billy.Filesystem
+	}{
+		{"BoundOS", osfs.New(t.TempDir(), osfs.WithBoundOS())},
+		{"ChrootOS", osfs.New(t.TempDir(), osfs.WithChrootOS())},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			dot := New(tc.fs)
+			require.NoError(t, dot.Initialize())
 
-	w, err := dot.NewObject()
-	require.NoError(t, err)
+			w, err := dot.NewObject()
+			require.NoError(t, err)
 
-	err = w.WriteHeader(plumbing.BlobObject, 14)
-	require.NoError(t, err)
+			err = w.WriteHeader(plumbing.BlobObject, 14)
+			require.NoError(t, err)
 
-	_, err = w.Write([]byte("this is a test"))
-	require.NoError(t, err)
+			_, err = w.Write([]byte("this is a test"))
+			require.NoError(t, err)
 
-	require.NoError(t, w.Close())
+			require.NoError(t, w.Close())
 
-	stat, err := fs.Stat("objects/a8/a940627d132695a9769df883f85992f0ff4a43")
-	require.NoError(t, err)
-	assert.Equal(t, os.FileMode(0o444), stat.Mode().Perm())
+			path := filepath.Join("objects", "a8", "a940627d132695a9769df883f85992f0ff4a43")
+			ro, err := isReadOnly(tc.fs, path)
+			require.NoError(t, err)
+			assert.True(t, ro, "file %q is not read-only", path)
+		})
+	}
 }
diff --git a/storage/filesystem/dotgit/writers_unix.go b/storage/filesystem/dotgit/writers_unix.go
@@ -0,0 +1,29 @@
+//go:build !windows
+
+package dotgit
+
+import (
+	"github.com/go-git/go-billy/v5"
+	"github.com/go-git/go-git/v5/utils/trace"
+)
+
+func fixPermissions(fs billy.Filesystem, path string) {
+	if chmodFS, ok := fs.(billy.Chmod); ok {
+		if err := chmodFS.Chmod(path, 0o444); err != nil {
+			trace.General.Printf("failed to chmod %s: %v", path, err)
+		}
+	}
+}
+
+func isReadOnly(fs billy.Filesystem, path string) (bool, error) {
+	fi, err := fs.Stat(path)
+	if err != nil {
+		return false, err
+	}
+
+	if fi.Mode().Perm() == 0o444 {
+		return true, nil
+	}
+
+	return false, nil
+}
diff --git a/storage/filesystem/dotgit/writers_windows.go b/storage/filesystem/dotgit/writers_windows.go
@@ -0,0 +1,58 @@
+//go:build windows
+
+package dotgit
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/go-git/go-billy/v5"
+	"github.com/go-git/go-git/v5/utils/trace"
+	"golang.org/x/sys/windows"
+)
+
+func fixPermissions(fs billy.Filesystem, path string) {
+	fullpath := filepath.Join(fs.Root(), path)
+	p, err := windows.UTF16PtrFromString(fullpath)
+	if err != nil {
+		trace.General.Printf("failed to chmod %s: %v", fullpath, err)
+		return
+	}
+
+	attrs, err := windows.GetFileAttributes(p)
+	if err != nil {
+		trace.General.Printf("failed to chmod %s: %v", fullpath, err)
+		return
+	}
+
+	if attrs&windows.FILE_ATTRIBUTE_READONLY != 0 {
+		return
+	}
+
+	err = windows.SetFileAttributes(p,
+		attrs|windows.FILE_ATTRIBUTE_READONLY,
+	)
+
+	if err != nil {
+		trace.General.Printf("failed to chmod %s: %v", fullpath, err)
+	}
+}
+
+func isReadOnly(fs billy.Filesystem, path string) (bool, error) {
+	fullpath := filepath.Join(fs.Root(), path)
+	p, err := windows.UTF16PtrFromString(fullpath)
+	if err != nil {
+		return false, fmt.Errorf("%w: %q", err, fullpath)
+	}
+
+	attrs, err := windows.GetFileAttributes(p)
+	if err != nil {
+		return false, fmt.Errorf("%w: %q", err, fullpath)
+	}
+
+	if attrs&windows.FILE_ATTRIBUTE_READONLY != 0 {
+		return true, nil
+	}
+
+	return false, nil
+}
