overcommit 0.28.0 → 0.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 74c5fbc6dd718ba856a0c0ad6255f9e6e0d6f72c
-  data.tar.gz: 9b40e46e88199c43d8c708202b872ea5ce1b52fc
+  metadata.gz: b3062f9af5dd34f661b3a2fe4c57dff0455c58fc
+  data.tar.gz: 2a701f3f869be66540221aae63f3276f829b9d0d
 SHA512:
-  metadata.gz: 278cfa2c64204a0bfe3b9c5e0dfae81396ec1317fadaa1fb4364bf979795c642e47c39c16b2ba64dc2602f1377aeb3073011c67ab091540cc7027e931f3500bc
-  data.tar.gz: b9908d3670f23dcc0c4766da676e44642eb5f211147de22801690c7ad679ba589d9f8b5f14210dc2a6ad65a06fc6ecb82807e2517efafbacf5443a550963d91b
+  metadata.gz: 863155a463f38f3fb09c915a61d7e91e175ebeda1da177076bcdf8fbadcda30ea5908995e227b15c8162bffab6ee0236224655196e03d214411f257c1acf1a39
+  data.tar.gz: 841020568579082d8887466e0b4089759fc36f89f8f498c12fe2eaeb319737a0406bec7c82bdec0646aa49a405b85e025f31c81602d352b54c9af6bfe442cd36

data/config/default.yml

@@ -43,7 +43,7 @@ plugin_directory: '.git-hooks'
 # This is a defense mechanism when working with repositories which can contain
 # untrusted code (e.g. when you fetch a pull request from a third party).
 # See https://github.com/brigade/overcommit#security for more information.
-verify_plugin_signatures: true
+verify_signatures: true
 
 # Hooks that are run against every commit message after a user has written it.
 # These hooks are useful for enforcing policies on commit messages written for a
@@ -322,6 +322,13 @@ PreCommit:
     required_executable: 'grep'
     flags: ['-IHn', "^<<<<<<<[ \t]"]
 
+  NginxTest:
+    enabled: false
+    description: 'Testing nginx configs'
+    required_executable: 'nginx'
+    flags: ['-t']
+    include: '**/nginx.conf'
+
   Pep257:
     enabled: false
     description: 'Analyzing docstrings with pep257'

data/lib/overcommit/cli.rb

@@ -22,8 +22,8 @@ module Overcommit
         install_or_uninstall
       when :template_dir
         print_template_directory_path
-      when :sign_plugins
-        sign_plugins
+      when :sign
+        sign
       when :run_all
         run_all
       end
@@ -95,9 +95,9 @@ module Overcommit
     end
 
     def add_other_options(opts)
-      opts.on('-s', '--sign hook', 'Update plugin signatures for hook', String) do |hook|
-        @options[:action] = :sign_plugins
-        @options[:hook_to_sign] = hook
+      opts.on('-s', '--sign', 'Update hook signatures') do |hook_to_sign|
+        @options[:hook_to_sign] = hook_to_sign if hook_to_sign.is_a?(String)
+        @options[:action] = :sign
       end
 
       opts.on('-t', '--template-dir', 'Print location of template directory') do
@@ -175,14 +175,20 @@ module Overcommit
       end
     end
 
-    def sign_plugins
-      context = Overcommit::HookContext.create(@options[:hook_to_sign],
-                                               config,
-                                               @arguments,
-                                               @input)
-      Overcommit::HookLoader::PluginHookLoader.new(config,
-                                                   context,
-                                                   log).update_signatures
+    def sign
+      if @options[:hook_to_sign]
+        context = Overcommit::HookContext.create(@options[:hook_to_sign],
+                                                 config,
+                                                 @arguments,
+                                                 @input)
+        Overcommit::HookLoader::PluginHookLoader.new(config,
+                                                     context,
+                                                     log).update_signatures
+      else
+        log.log 'Updating signature for configuration file...'
+        config(verify: false).update_signature!
+      end
+
       halt
     end
 
@@ -204,8 +210,8 @@ module Overcommit
     end
 
     # Returns the configuration for this repository.
-    def config
-      @config ||= Overcommit::ConfigurationLoader.new(log).load_repo_config
+    def config(options = {})
+      @config ||= Overcommit::ConfigurationLoader.new(log, options).load_repo_config
     end
   end
 end

data/lib/overcommit/configuration.rb

@@ -1,3 +1,6 @@
+require 'digest'
+require 'json'
+
 module Overcommit
   # Stores configuration for Overcommit and the hooks it runs.
   class Configuration # rubocop:disable ClassLength
@@ -32,10 +35,6 @@ module Overcommit
       File.join(Overcommit::Utils.repo_root, @hash['plugin_directory'] || '.git-hooks')
     end
 
-    def verify_plugin_signatures?
-      @hash['verify_plugin_signatures'] != false
-    end
-
     # Returns configuration for all hooks in each hook type.
     #
     # @return [Hash]
@@ -167,6 +166,63 @@ module Overcommit
       File.exist?(File.join(plugin_directory, hook_type_name, "#{hook_name}.rb"))
     end
 
+    # Return whether the signature for this configuration has changed since it
+    # was last calculated.
+    #
+    # @return [true,false]
+    def signature_changed?
+      signature != stored_signature
+    end
+
+    # Return whether a previous signature has been recorded for this
+    # configuration.
+    #
+    # @return [true,false]
+    def previous_signature?
+      !stored_signature.empty?
+    end
+
+    # Returns whether this configuration should verify itself by checking the
+    # stored configuration for the repo.
+    #
+    # @return [true,false]
+    def verify_signatures?
+      return false if ENV['OVERCOMMIT_NO_VERIFY']
+      return true if @hash['verify_signatures'] != false
+
+      result = Overcommit::Utils.execute(
+        %W[git config --local --get #{verify_signature_config_key}]
+      )
+
+      if result.status == 1 # Key doesn't exist
+        return true
+      elsif result.status != 0
+        raise Overcommit::Exceptions::GitConfigError,
+              "Unable to read from local repo git config: #{result.stderr}"
+      end
+
+      # We don't cast since we want to allow anything to count as "true" except
+      # a literal zero
+      result.stdout.strip != '0'
+    end
+
+    # Update the currently stored signature for this hook.
+    def update_signature!
+      result = Overcommit::Utils.execute(
+        %w[git config --local] + [signature_config_key, signature]
+      )
+
+      verify_signature_value = @hash['verify_signatures'] ? 1 : 0
+      result &&= Overcommit::Utils.execute(
+        %W[git config --local #{verify_signature_config_key} #{verify_signature_value}]
+      )
+
+      unless result.success?
+        raise Overcommit::Exceptions::GitConfigError,
+              "Unable to write to local repo git config: #{result.stderr}"
+      end
+    end
+
     protected
 
     attr_reader :hash
@@ -230,5 +286,41 @@ module Overcommit
         end
       end
     end
+
+    # Returns the unique signature of this configuration.
+    #
+    # @return [String]
+    def signature
+      Digest::SHA256.hexdigest(@hash.to_json)
+    end
+
+    # Returns the stored signature of this repo's Overcommit configuration.
+    #
+    # This is intended to be compared against the current signature of this
+    # configuration object.
+    #
+    # @return [String]
+    def stored_signature
+      result = Overcommit::Utils.execute(
+        %w[git config --local --get] + [signature_config_key]
+      )
+
+      if result.status == 1 # Key doesn't exist
+        return ''
+      elsif result.status != 0
+        raise Overcommit::Exceptions::GitConfigError,
+              "Unable to read from local repo git config: #{result.stderr}"
+      end
+
+      result.stdout.chomp
+    end
+
+    def signature_config_key
+      'overcommit.configuration.signature'
+    end
+
+    def verify_signature_config_key
+      'overcommit.configuration.verifysignatures'
+    end
   end
 end

data/lib/overcommit/configuration_loader.rb

@@ -10,7 +10,7 @@ module Overcommit
       #
       # @return [Overcommit::Configuration]
       def default_configuration
-        @default_config ||= load_from_file(DEFAULT_CONFIG_PATH, default: true)
+        @default_config ||= load_from_file(DEFAULT_CONFIG_PATH, default: true, verify: false)
       end
 
       # Loads configuration from file.
@@ -18,6 +18,7 @@ module Overcommit
       # @param file [String] path to file
       # @param options [Hash]
       # @option default [Boolean] whether this is the default built-in configuration
+      # @option verify [Boolean] whether to verify the signature of the configuration
       # @option logger [Overcommit::Logger]
       # @return [Overcommit::Configuration]
       def load_from_file(file, options = {})
@@ -34,8 +35,13 @@ module Overcommit
 
     # Create a configuration loader which writes warnings/errors to the given
     # {Overcommit::Logger} instance.
-    def initialize(logger)
+    #
+    # @param logger [Overcommit::Logger]
+    # @param options [Hash]
+    # @option verify [Boolean] whether to verify signatures
+    def initialize(logger, options = {})
       @log = logger
+      @options = options
     end
 
     # Loads and returns the configuration for the repository we're running in.
@@ -55,12 +61,32 @@ module Overcommit
     # Loads a configuration, ensuring it extends the default configuration.
     def load_file(file)
       config = self.class.load_from_file(file, default: false, logger: @log)
+      config = self.class.default_configuration.merge(config)
+
+      if @options.fetch(:verify, config.verify_signatures?)
+        verify_signatures(config)
+      end
 
-      self.class.default_configuration.merge(config)
+      config
     rescue => error
       raise Overcommit::Exceptions::ConfigurationError,
             "Unable to load configuration from '#{file}': #{error}",
             error.backtrace
     end
+
+    private
+
+    def verify_signatures(config)
+      if !config.previous_signature?
+        raise Overcommit::Exceptions::ConfigurationSignatureChanged,
+              "No previously recorded signature for configuration file.\n" \
+              'Run `overcommit --sign` if you trust the hooks in this repository.'
+
+      elsif config.signature_changed?
+        raise Overcommit::Exceptions::ConfigurationSignatureChanged,
+              "Signature of configuration file has changed!\n" \
+              "Run `overcommit --sign` once you've verified the configuration changes."
+      end
+    end
   end
 end

data/lib/overcommit/configuration_validator.rb

@@ -15,6 +15,7 @@ module Overcommit
       hash = convert_nils_to_empty_hashes(hash)
       ensure_hook_type_sections_exist(hash)
       check_for_missing_enabled_option(hash) unless @options[:default]
+      check_for_verify_plugin_signatures_option(hash)
 
       hash
     end
@@ -68,5 +69,18 @@ module Overcommit
 
       @log.newline if any_warnings
     end
+
+    # Prints a warning if the `verify_plugin_signatures` option is used instead
+    # of the new `verify_signatures` option.
+    def check_for_verify_plugin_signatures_option(hash)
+      return unless @log
+
+      if hash.key?('verify_plugin_signatures')
+        @log.warning '`verify_plugin_signatures` has been renamed to ' \
+                     '`verify_signatures`. Defaulting to verifying signatures.'
+        @log.warning "See change log at #{REPO_URL}/blob/v0.29.0/CHANGELOG.md for details."
+        @log.newline
+      end
+    end
   end
 end

data/lib/overcommit/exceptions.rb

@@ -2,6 +2,9 @@ module Overcommit::Exceptions
   # Raised when a {Configuration} could not be loaded from a file.
   class ConfigurationError < StandardError; end
 
+  # Raised when the Overcommit configuration file signature has changed.
+  class ConfigurationSignatureChanged < StandardError; end
+
   # Raised when trying to read/write to/from the local repo git config fails.
   class GitConfigError < StandardError; end
 

data/lib/overcommit/git_config.rb

@@ -0,0 +1,12 @@
+module Overcommit
+  # Get configuration options from git
+  module GitConfig
+    module_function
+
+    def comment_character
+      char = `git config --get core.commentchar`.chomp
+      char = '#' if char == ''
+      char
+    end
+  end
+end

data/lib/overcommit/git_repo.rb

@@ -92,7 +92,7 @@ module Overcommit
       refs = options[:refs]
       subcmd = options[:subcmd] || 'diff'
 
-      `git #{subcmd} --name-only -z --diff-filter=ACM --ignore-submodules=all #{flags} #{refs}`.
+      `git #{subcmd} --name-only -z --diff-filter=ACMR --ignore-submodules=all #{flags} #{refs}`.
         split("\0").
         map(&:strip).
         reject(&:empty?).

data/lib/overcommit/hook/base.rb

@@ -153,7 +153,7 @@ module Overcommit::Hook
     private
 
     def applicable_file?(file)
-      includes = Array(@config['include']).map do |glob|
+      includes = Array(@config['include']).flatten.map do |glob|
         Overcommit::Utils.convert_glob_to_absolute(glob)
       end
 
@@ -161,7 +161,7 @@ module Overcommit::Hook
         Overcommit::Utils.matches_path?(glob, file)
       end
 
-      excludes = Array(@config['exclude']).map do |glob|
+      excludes = Array(@config['exclude']).flatten.map do |glob|
         Overcommit::Utils.convert_glob_to_absolute(glob)
       end
 

data/lib/overcommit/hook/pre_commit/jscs.rb

@@ -8,9 +8,10 @@ module Overcommit::Hook::PreCommit
       result = execute(command, args: applicable_files)
       return :pass if result.success?
 
-      if result.status == 1
-        # No configuration was found
-        return :warn, result.stderr.chomp
+      # Exit status 2 = Code style errors; everything else we don't know how to
+      # parse. https://github.com/jscs-dev/node-jscs/wiki/Exit-codes
+      unless result.status == 2
+        return :fail, result.stdout + result.stderr.chomp
       end
 
       # example message:

data/lib/overcommit/hook/pre_commit/nginx_test.rb

@@ -0,0 +1,24 @@
+module Overcommit::Hook::PreCommit
+  # Runs `nginx -t` against any modified Nginx config files.
+  #
+  # @see https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/
+  class NginxTest < Base
+    MESSAGE_REGEX = /^nginx: .+ in (?<file>.+):(?<line>\d+)$/
+
+    def run
+      messages = []
+
+      applicable_files.each do |file|
+        result = execute(command + ['-c', file])
+        next if result.success?
+
+        messages += extract_messages(
+          result.stderr.split("\n").grep(MESSAGE_REGEX),
+          MESSAGE_REGEX
+        )
+      end
+
+      messages
+    end
+  end
+end

data/lib/overcommit/hook/pre_commit/scalastyle.rb

@@ -12,9 +12,10 @@ module Overcommit::Hook::PreCommit
 
     def run
       result = execute(command, args: applicable_files)
-      output = result.stdout.chomp
+      output = result.stdout.chomp + result.stderr.chomp
       messages = output.split("\n").grep(MESSAGE_REGEX)
-      return :pass if result.success? && messages.empty?
+
+      return [:fail, output] unless result.success? || messages.any?
 
       # example message:
       #   error file=/path/to/file.scala message=Error message line=1 column=1

data/lib/overcommit/hook_context/commit_msg.rb

@@ -20,7 +20,11 @@ module Overcommit::HookContext
     def commit_message_lines
       raw_commit_message_lines.
         take_while { |line| !line.start_with?('diff --git') }.
-        reject     { |line| line =~ /^#/ }
+        reject     { |line| line.start_with?(comment_character) }
+    end
+
+    def comment_character
+      @comment_character ||= Overcommit::GitConfig.comment_character
     end
 
     def commit_message_file

data/lib/overcommit/hook_loader/plugin_hook_loader.rb

@@ -5,7 +5,7 @@ module Overcommit::HookLoader
   # is running in.
   class PluginHookLoader < Base
     def load_hooks
-      check_for_modified_plugins if @config.verify_plugin_signatures?
+      check_for_modified_plugins if @config.verify_signatures?
 
       hooks = plugin_paths.map do |plugin_path|
         require plugin_path

data/lib/overcommit/hook_signer.rb

@@ -35,8 +35,7 @@ module Overcommit
           command = Array(hook_config['command'] ||
                           hook_config['required_executable'])
 
-          unless !@config.verify_plugin_signatures? ||
-                 signable_file?(command.first)
+          unless !@config.verify_signatures? || signable_file?(command.first)
             raise Overcommit::Exceptions::InvalidHookDefinition,
                   'Hook must specify a `required_executable` or `command` that ' \
                   'is tracked by git (i.e. is a path relative to the root ' \

data/lib/overcommit/utils.rb

@@ -100,7 +100,7 @@ module Overcommit
 
       # Converts a string containing underscores/hyphens/spaces into CamelCase.
       def camel_case(str)
-        str.split(/_|-| /).map { |part| part.sub(/^\w/) { |c| c.upcase } }.join
+        str.split(/_|-| /).map { |part| part.sub(/^\w/, &:upcase) }.join
       end
 
       # Returns a list of supported hook types (pre-commit, commit-msg, etc.)

data/lib/overcommit/version.rb

@@ -1,4 +1,4 @@
 # Defines the gem version.
 module Overcommit
-  VERSION = '0.28.0'
+  VERSION = '0.29.0'
 end

data/lib/overcommit.rb

@@ -10,6 +10,7 @@ require 'overcommit/configuration_loader'
 require 'overcommit/hook/base'
 require 'overcommit/hook_context/base'
 require 'overcommit/hook_context'
+require 'overcommit/git_config'
 require 'overcommit/git_repo'
 require 'overcommit/hook_signer'
 require 'overcommit/hook_loader/base'

data/template-dir/hooks/commit-msg

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/overcommit-hook

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/post-checkout

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/post-commit

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/post-merge

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/post-rewrite

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/pre-commit

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/pre-push

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

data/template-dir/hooks/pre-rebase

@@ -93,6 +93,10 @@ rescue Overcommit::Exceptions::HookCancelled
 rescue Overcommit::Exceptions::InvalidGitRepo => error
   puts error
   exit 64 # EX_USAGE
+rescue Overcommit::Exceptions::ConfigurationSignatureChanged => error
+  puts error
+  puts "For more information, see #{Overcommit::REPO_URL}#security"
+  exit 1
 rescue Overcommit::Exceptions::InvalidHookSignature
   exit 1
 rescue => error

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: overcommit
 version: !ruby/object:Gem::Version
-  version: 0.28.0
+  version: 0.29.0
 platform: ruby
 authors:
 - Brigade Engineering
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-24 00:00:00.000000000 Z
+date: 2015-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: childprocess
@@ -87,6 +87,7 @@ files:
 - lib/overcommit/configuration_validator.rb
 - lib/overcommit/constants.rb
 - lib/overcommit/exceptions.rb
+- lib/overcommit/git_config.rb
 - lib/overcommit/git_repo.rb
 - lib/overcommit/git_version.rb
 - lib/overcommit/hook/base.rb
@@ -154,6 +155,7 @@ files:
 - lib/overcommit/hook/pre_commit/json_syntax.rb
 - lib/overcommit/hook/pre_commit/local_paths_in_gemfile.rb
 - lib/overcommit/hook/pre_commit/merge_conflicts.rb
+- lib/overcommit/hook/pre_commit/nginx_test.rb
 - lib/overcommit/hook/pre_commit/pep257.rb
 - lib/overcommit/hook/pre_commit/pep8.rb
 - lib/overcommit/hook/pre_commit/puppet_lint.rb
@@ -248,7 +250,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Git hook manager