GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.


From: Juri Linkov <juri <at> linkov.net>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: Yuan Fu <casouri <at> gmail.com>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Thu, 19 Jun 2025 20:06:51 +0300
>>>> When treesit--install-language-grammar-full-clone is nil,
>>>> "--depth 1" is added to "git clone".
>>>> 
>>>> So we need a Git guru to recommend a command line to use
>>>> "git clone" with "--depth 1" to check out a single commit.
>>>
>>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>>
>>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>>> cd tree-sitter-json
>>> git checkout 4d770d3
>>> git fetch --depth=1
>>
>> This still keeps full history.
>
> There's a difference between full history and all blobs for all
> revisions in this history.  You can also use --shallow-since during the
> clone with a date to further limit history.  --shallow-exclude would
> probably work even better, since you wouldn't need a date, but it's
> broken for me somehow, at least with the repository above.
> But --shallow-since works.

I can't find what value to provide for --shallow-since.
So let's just use a blobless full clone:

diff --git a/lisp/treesit.el b/lisp/treesit.el
index 353e991ec20..5d03f0cf45e 100644
--- a/lisp/treesit.el
+++ b/lisp/treesit.el
@@ -5238,7 +5238,13 @@ treesit--install-language-grammar-1
           (if url-is-dir
               (when revision
                 (treesit--git-checkout-branch workdir revision))
-            (treesit--git-clone-repo url revision workdir))
+            (if commit
+                ;; Force blobless full clone to be able later
+                ;; to checkout a commit (bug#78542).
+                (let ((treesit--install-language-grammar-blobless t)
+                      (treesit--install-language-grammar-full-clone t))
+                  (treesit--git-clone-repo url revision workdir))
+              (treesit--git-clone-repo url revision workdir)))
           (when commit
             (treesit--git-checkout-branch workdir commit))
           (setq version (treesit--language-git-revision workdir))
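Review bot: the new `(let ((treesit--install-language-grammar-blobless t) (treesit--install-language-grammar-full-clone t)) ...)` only affects `treesit--git-clone-repo` if both variables are special (declared with `defvar`/`defcustom`) so that the `let` binds them dynamically; the hunk does not show those declarations, so please confirm both are declared before this point, otherwise under lexical binding the `let` is a no-op and the clone stays shallow. Two smaller points on the same branch: the `commit` value is only a hash lock when it is a full object id, so it is worth stating (in the comment or at the call site) that an abbreviated id is not accepted, and the comment could mention that a blobless clone fetches blobs lazily, so the later `(treesit--git-checkout-branch workdir commit)` still needs network access.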
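The recipe discussed above (blobless full clone, then checkout of a pinned commit) only locks the content if the pin is a full object id and the resulting HEAD is compared back against it. The script below is an added example, not code from this thread or from Emacs; the function names and the commit placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread or Emacs): clone a grammar
# repository without blobs, check out a pinned commit, and fail unless
# the resulting HEAD is exactly the pinned full hash.

# A pin only locks content if it is a full 40-hex (SHA-1) or 64-hex
# (SHA-256) lowercase object id; abbreviated ids such as 4d770d3 can
# become ambiguous or resolve to a different commit after new pushes.
is_full_object_id() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    case "${#1}" in
        40|64) return 0 ;;
        *) return 1 ;;
    esac
}

# pinned_clone URL COMMIT WORKDIR
# Mirrors the thread's recipe: blobless full clone, detached checkout of
# the commit (blobs are fetched lazily here, so network access is still
# needed), then verify HEAD against the pin.
pinned_clone() {
    url=$1; commit=$2; workdir=$3
    is_full_object_id "$commit" || {
        echo "refusing abbreviated or malformed commit id: $commit" >&2
        return 2
    }
    git clone --filter=blob:none "$url" "$workdir" || return 1
    git -C "$workdir" checkout --detach "$commit" || return 1
    head=$(git -C "$workdir" rev-parse --verify HEAD) || return 1
    if [ "$head" != "$commit" ]; then
        echo "hash mismatch: expected $commit, got $head" >&2
        return 3
    fi
    return 0
}

# Example invocation (URL from the thread; the commit id is a placeholder):
# pinned_clone https://github.com/tree-sitter/tree-sitter-json.git \
#     <FULL_40_HEX_COMMIT_ID> tree-sitter-json
```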
