GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal


From: Juri Linkov <juri <at> linkov.net>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 78542 <at> debbugs.gnu.org, casouri <at> gmail.com, dancol <at> dancol.org
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Sun, 08 Jun 2025 20:45:42 +0300
>> The only reason currently tags are used instead of commit hashes is
>> because there is no way to checkout a specific commit with the
>> current implementation when the default value of
>> 'treesit--install-language-grammar-full-clone' is nil.

Here is the current state:

1. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json")

  installs the latest commit 46aa487.

2. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "v0.24.8")

  installs the commit ee35a6e tagged v0.24.8.

3. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  fails to check out "4d770d3" with the error:

  git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
  warning: Could not find remote branch 4d770d3 to clone
  fatal: Remote branch 4d770d3 not found in upstream origin

4. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    nil nil nil nil "4d770d3")

  fails to check out "4d770d3" with the error:

  git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
  error: pathspec '4d770d3' did not match any file(s) known to git

After (setq treesit--install-language-grammar-full-clone t):

5. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  successfully installs the commit "v0.24.8-1-g4d770d3".

When treesit--install-language-grammar-full-clone is nil,
"--depth 1" is added to "git clone".

So we need a Git guru to recommend a command line to use
"git clone" with "--depth 1" to check out a single commit.
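The command line asked for at the end of the message, written out as an added example (it is not code from the Emacs tree or from anyone in this bug thread): a POSIX shell script that fetches exactly one commit named by its full hash with "--depth 1", checks it out, and refuses the result if HEAD is not the pinned id. The function names and the stand-in repository are this example's own. It assumes the server accepts a fetch request for an unadvertised commit id (hosted remotes such as GitHub do; the constructed local stand-in enables uploadpack.allowAnySHA1InWant for the same effect), and the commits it creates are constructed sample data.

```shell
#!/bin/sh
# Added example for the message above; not code from Emacs or the bug report.
# Goal: the equivalent of "git clone --depth 1" for one commit named by its
# hash, with the resulting HEAD checked against the expected (pinned) id.
set -eu

# pinned_shallow_checkout DEST URL FULL_SHA
# "git clone -b <sha> --depth 1" fails because -b only takes branch or tag
# names (case 3 above); a fetch of the commit id itself, with --depth 1, does
# reach it.  Assumes the server accepts a fetch request for an unadvertised
# commit id (hypothetical function name; all steps are plain git commands).
pinned_shallow_checkout() {
  dest=$1; url=$2; want=$3
  rm -rf "$dest"
  git init -q "$dest" || return 1
  git -C "$dest" remote add origin "$url" || return 1
  git -C "$dest" fetch -q --depth 1 origin "$want" || return 1
  git -C "$dest" checkout -q --detach FETCH_HEAD || return 1
  # Hash lock: whatever the server sent, accept only the exact commit asked for.
  got=$(git -C "$dest" rev-parse HEAD) || return 1
  if [ "$got" != "$want" ]; then
    echo "hash mismatch: wanted $want, got $got" >&2
    return 1
  fi
  printf '%s\n' "$got"
}

# Constructed stand-in for the upstream grammar repository (two commits of
# made-up content): the first commit is then a non-tip commit of the kind that
# "git clone -b" cannot name.
make_sample_remote() {
  dir=$1
  rm -rf "$dir"
  git init -q "$dir"
  git -C "$dir" config user.name example
  git -C "$dir" config user.email example@example.invalid
  # A hosted remote such as GitHub already permits fetching an unadvertised
  # id; the local stand-in must opt in explicitly.
  git -C "$dir" config uploadpack.allowAnySHA1InWant true
  printf 'module.exports = grammar({ name: "json" });\n' >"$dir/grammar.js"
  git -C "$dir" add grammar.js
  git -C "$dir" commit -q -m 'first commit'
  git -C "$dir" tag v0.1.0
  printf '// second revision\n' >>"$dir/grammar.js"
  git -C "$dir" commit -q -am 'second commit'
}

# Stand-alone run: build the stand-in remote, then pin its older (non-tip)
# commit, which a "--depth 1 -b <tag>" clone of the tip would never contain.
demo() {
  work=$(mktemp -d)
  make_sample_remote "$work/remote"
  old=$(git -C "$work/remote" rev-parse v0.1.0)
  pinned_shallow_checkout "$work/dest" "$work/remote" "$old"
  echo "shallow: $(git -C "$work/dest" rev-parse --is-shallow-repository)"
  echo "commits in checkout: $(git -C "$work/dest" rev-list --count HEAD)"
  rm -rf "$work"
}

demo
```

The "want" sent by "git fetch" must be a full object id, so an abbreviated form such as "4d770d3" is not accepted; for hash locking that is the right constraint anyway, since only the full id pins the content. The final comparison against the expected id is what turns the fetch into a lock: a remote that serves a different object for the requested id, or a FETCH_HEAD left over from an earlier run, is rejected rather than installed.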






GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.