From b897bf5f37f81d6a9303c4542422cf33d08b7cf0 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:24:49 -0400 Subject: fast-export: use xmemdupz() for anonymizing oids Our anonymize_mem() function is careful to take a ptr/len pair to allow storing binary tokens like object ids, as well as partial strings (e.g., just "foo" of "foo/bar"). But it duplicates the hash key using xstrdup()! That means that: - for a partial string, we'd store all bytes up to the NUL, even though we'd never look at anything past "len". This didn't produce wrong behavior, but was wasteful. - for a binary oid that doesn't contain a zero byte, we'd copy garbage bytes off the end of the array (though as long as nothing complained about reading uninitialized bytes, further reads would be limited by "len", and we'd produce the correct results) - for a binary oid that does contain a zero byte, we'd copy _fewer_ bytes than intended into the hashmap struct. When we later try to look up a value, we'd access uninitialized memory and potentially falsely claim that a particular oid is not present. The most common reason to store an oid is an anonymized gitlink, but our test case doesn't have any gitlinks at all. So let's add one whose oid contains a NUL and is present at two different paths. ASan catches the memory error, but even without it we can detect the bug because the oid is not anonymized the same way for both paths. And of course the fix is to copy the correct number of bytes. We don't technically need the appended NUL from xmemdupz(), but it doesn't hurt as an extra protection against anybody treating it like a string (plus a future patch will push us more in that direction). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 85868162ee..289395a131 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -162,7 +162,7 @@ static const void *anonymize_mem(struct hashmap *map, if (!ret) { ret = xmalloc(sizeof(*ret)); hashmap_entry_init(&ret->hash, key.hash.hash); - ret->orig = xstrdup(orig); + ret->orig = xmemdupz(orig, *len); ret->orig_len = *len; ret->anon = generate(orig, len); ret->anon_len = *len; -- cgit v1.2.3 From 750bb32589ea157bfe522a66f814a0124c97c41b Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:24:51 -0400 Subject: fast-export: store anonymized oids as hex strings When fast-export stores anonymized oids, it does so as binary strings. And while the anonymous mapping storage is binary-clean (at least as of the previous commit), this will become awkward when we start exposing more of it to the user. In particular, if we allow a method for retaining token "foo", then users may want to specify a hex oid as such a token. Let's just switch to storing the hex strings. The difference in memory usage is negligible (especially considering how infrequently we'd generally store an oid compared to, say, path components). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 289395a131..4a3a4c933e 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -387,16 +387,19 @@ static void *generate_fake_oid(const void *old, size_t *len) { static uint32_t counter = 1; /* avoid null oid */ const unsigned hashsz = the_hash_algo->rawsz; - unsigned char *out = xcalloc(hashsz, 1); - put_be32(out + hashsz - 4, counter++); - return out; + struct object_id oid; + char *hex = xmallocz(GIT_MAX_HEXSZ); + + oidclr(&oid); + put_be32(oid.hash + hashsz - 4, counter++); + return oid_to_hex_r(hex, &oid); } -static const struct object_id *anonymize_oid(const struct object_id *oid) +static const char *anonymize_oid(const char *oid_hex) { static struct hashmap objs; - size_t len = the_hash_algo->rawsz; - return anonymize_mem(&objs, generate_fake_oid, oid, &len); + size_t len = strlen(oid_hex); + return anonymize_mem(&objs, generate_fake_oid, oid_hex, &len); } static void show_filemodify(struct diff_queue_struct *q, @@ -455,9 +458,9 @@ static void show_filemodify(struct diff_queue_struct *q, */ if (no_data || S_ISGITLINK(spec->mode)) printf("M %06o %s ", spec->mode, - oid_to_hex(anonymize ? - anonymize_oid(&spec->oid) : - &spec->oid)); + anonymize ? + anonymize_oid(oid_to_hex(&spec->oid)) : + oid_to_hex(&spec->oid)); else { struct object *object = lookup_object(the_repository, &spec->oid); @@ -712,9 +715,10 @@ static void handle_commit(struct commit *commit, struct rev_info *rev, if (mark) printf(":%d\n", mark); else - printf("%s\n", oid_to_hex(anonymize ? - anonymize_oid(&obj->oid) : - &obj->oid)); + printf("%s\n", + anonymize ? + anonymize_oid(oid_to_hex(&obj->oid)) : + oid_to_hex(&obj->oid)); i++; } -- cgit v1.2.3 From 7f4075949686dcd01e364049350ac989c5fc2913 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:24:54 -0400 Subject: fast-export: tighten anonymize_mem() interface to handle only strings While the anonymize_mem() interface _can_ store arbitrary byte sequences, none of the callers uses this feature (as of the previous commit). We'd like to keep it that way, as we'll be exposing the string-like nature of the anonymization routines to the user. So let's tighten up the interface a bit: - don't treat "len" as an out-parameter from anonymize_mem(); this ensures callers treat the pointer result as a NUL-terminated string - likewise, don't treat "len" as an out-parameter from generator functions - swap out "void *" for "char *" as appropriate to signal that we don't handle arbitrary memory - rename the function to anonymize_str() This will also open up some optimization opportunities in a future patch. Note that we can't drop the "len" parameter entirely. Some callers do pass in partial strings (e.g., "foo/bar", len=3) to avoid copying, and we need to handle those still. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 53 +++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 27 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 4a3a4c933e..d8ea067630 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -145,31 +145,30 @@ static int anonymized_entry_cmp(const void *unused_cmp_data, * the same anonymized string with another. The actual generation * is farmed out to the generate function. */ -static const void *anonymize_mem(struct hashmap *map, - void *(*generate)(const void *, size_t *), - const void *orig, size_t *len) +static const char *anonymize_str(struct hashmap *map, + char *(*generate)(const char *, size_t), + const char *orig, size_t len) { struct anonymized_entry key, *ret; if (!map->cmpfn) hashmap_init(map, anonymized_entry_cmp, NULL, 0); - hashmap_entry_init(&key.hash, memhash(orig, *len)); + hashmap_entry_init(&key.hash, memhash(orig, len)); key.orig = orig; - key.orig_len = *len; + key.orig_len = len; ret = hashmap_get_entry(map, &key, hash, NULL); if (!ret) { ret = xmalloc(sizeof(*ret)); hashmap_entry_init(&ret->hash, key.hash.hash); - ret->orig = xmemdupz(orig, *len); - ret->orig_len = *len; + ret->orig = xmemdupz(orig, len); + ret->orig_len = len; ret->anon = generate(orig, len); - ret->anon_len = *len; + ret->anon_len = strlen(ret->anon); hashmap_put(map, &ret->hash); } - *len = ret->anon_len; return ret->anon; } @@ -181,13 +180,13 @@ static const void *anonymize_mem(struct hashmap *map, */ static void anonymize_path(struct strbuf *out, const char *path, struct hashmap *map, - void *(*generate)(const void *, size_t *)) + char *(*generate)(const char *, size_t)) { while (*path) { const char *end_of_component = strchrnul(path, '/'); size_t len = end_of_component - path; - const char *c = anonymize_mem(map, generate, path, &len); - strbuf_add(out, c, len); + const char *c = anonymize_str(map, generate, path, len); + strbuf_addstr(out, c); path = end_of_component; if (*path) strbuf_addch(out, *path++); @@ -361,12 +360,12 @@ static void print_path_1(const char *path) printf("%s", path); } -static void *anonymize_path_component(const void *path, size_t *len) +static char *anonymize_path_component(const char *path, size_t len) { static int counter; struct strbuf out = STRBUF_INIT; strbuf_addf(&out, "path%d", counter++); - return strbuf_detach(&out, len); + return strbuf_detach(&out, NULL); } static void print_path(const char *path) @@ -383,7 +382,7 @@ static void print_path(const char *path) } } -static void *generate_fake_oid(const void *old, size_t *len) +static char *generate_fake_oid(const char *old, size_t len) { static uint32_t counter = 1; /* avoid null oid */ const unsigned hashsz = the_hash_algo->rawsz; @@ -399,7 +398,7 @@ static const char *anonymize_oid(const char *oid_hex) { static struct hashmap objs; size_t len = strlen(oid_hex); - return anonymize_mem(&objs, generate_fake_oid, oid_hex, &len); + return anonymize_str(&objs, generate_fake_oid, oid_hex, len); } static void show_filemodify(struct diff_queue_struct *q, @@ -496,12 +495,12 @@ static const char *find_encoding(const char *begin, const char *end) return bol; } -static void *anonymize_ref_component(const void *old, size_t *len) +static char *anonymize_ref_component(const char *old, size_t len) { static int counter; struct strbuf out = STRBUF_INIT; strbuf_addf(&out, "ref%d", counter++); - return strbuf_detach(&out, len); + return strbuf_detach(&out, NULL); } static const char *anonymize_refname(const char *refname) @@ -550,13 +549,13 @@ static char *anonymize_commit_message(const char *old) } static struct hashmap idents; -static void *anonymize_ident(const void *old, size_t *len) +static char *anonymize_ident(const char *old, size_t len) { static int counter; struct strbuf out = STRBUF_INIT; strbuf_addf(&out, "User %d ", counter, counter); counter++; - return strbuf_detach(&out, len); + return strbuf_detach(&out, NULL); } /* @@ -591,9 +590,9 @@ static void anonymize_ident_line(const char **beg, const char **end) size_t len; len = split.mail_end - split.name_begin; - ident = anonymize_mem(&idents, anonymize_ident, - split.name_begin, &len); - strbuf_add(out, ident, len); + ident = anonymize_str(&idents, anonymize_ident, + split.name_begin, len); + strbuf_addstr(out, ident); strbuf_addch(out, ' '); strbuf_add(out, split.date_begin, split.tz_end - split.date_begin); } else { @@ -733,12 +732,12 @@ static void handle_commit(struct commit *commit, struct rev_info *rev, show_progress(); } -static void *anonymize_tag(const void *old, size_t *len) +static char *anonymize_tag(const char *old, size_t len) { static int counter; struct strbuf out = STRBUF_INIT; strbuf_addf(&out, "tag message %d", counter++); - return strbuf_detach(&out, len); + return strbuf_detach(&out, NULL); } static void handle_tail(struct object_array *commits, struct rev_info *revs, @@ -808,8 +807,8 @@ static void handle_tag(const char *name, struct tag *tag) name = anonymize_refname(name); if (message) { static struct hashmap tags; - message = anonymize_mem(&tags, anonymize_tag, - message, &message_size); + message = anonymize_str(&tags, anonymize_tag, + message, message_size); } } -- cgit v1.2.3 From a0f65641dfb67ffa94f1e33ded2cbab8d77d53a5 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:24:56 -0400 Subject: fast-export: stop storing lengths in anonymized hashmaps Now that the anonymize_str() interface is restricted to NUL-terminated strings, there's no need for us to keep track of the length of each entry in the hashmap. This simplifies the code and saves a bit of memory. Note that we do still need to compare the stored results to partial strings passed in by the callers. We can do that by using hashmap's keydata feature to get the ptr/len pair into the comparison function, and then using strncmp(). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index d8ea067630..5df2ada47d 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -121,23 +121,32 @@ static int has_unshown_parent(struct commit *commit) struct anonymized_entry { struct hashmap_entry hash; const char *orig; - size_t orig_len; const char *anon; - size_t anon_len; +}; + +struct anonymized_entry_key { + struct hashmap_entry hash; + const char *orig; + size_t orig_len; }; static int anonymized_entry_cmp(const void *unused_cmp_data, const struct hashmap_entry *eptr, const struct hashmap_entry *entry_or_key, - const void *unused_keydata) + const void *keydata) { const struct anonymized_entry *a, *b; a = container_of(eptr, const struct anonymized_entry, hash); - b = container_of(entry_or_key, const struct anonymized_entry, hash); + if (keydata) { + const struct anonymized_entry_key *key = keydata; + int equal = !strncmp(a->orig, key->orig, key->orig_len) && + !a->orig[key->orig_len]; + return !equal; + } - return a->orig_len != b->orig_len || - memcmp(a->orig, b->orig, a->orig_len); + b = container_of(entry_or_key, const struct anonymized_entry, hash); + return strcmp(a->orig, b->orig); } /* @@ -149,7 +158,8 @@ static const char *anonymize_str(struct hashmap *map, char *(*generate)(const char *, size_t), const char *orig, size_t len) { - struct anonymized_entry key, *ret; + struct anonymized_entry_key key; + struct anonymized_entry *ret; if (!map->cmpfn) hashmap_init(map, anonymized_entry_cmp, NULL, 0); @@ -157,15 +167,13 @@ static const char *anonymize_str(struct hashmap *map, hashmap_entry_init(&key.hash, memhash(orig, len)); key.orig = orig; key.orig_len = len; - ret = hashmap_get_entry(map, &key, hash, NULL); + ret = hashmap_get_entry(map, &key, hash, &key); if (!ret) { ret = xmalloc(sizeof(*ret)); hashmap_entry_init(&ret->hash, key.hash.hash); ret->orig = xmemdupz(orig, len); - ret->orig_len = len; ret->anon = generate(orig, len); - ret->anon_len = strlen(ret->anon); hashmap_put(map, &ret->hash); } -- cgit v1.2.3 From 55b01456a95ac8d92b04d58b874459f3bf70ad2c Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:24:58 -0400 Subject: fast-export: use a flex array to store anonymized entries Now that we're using a separate keydata struct for hash lookups, we have more flexibility in how we allocate anonymized_entry structs. Let's push the "orig" key into a flex member within the struct. That should save us a few bytes of memory per entry (a pointer plus any malloc overhead), and may make lookups a little faster (since it's one less pointer to chase in the comparison function). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 5df2ada47d..99d4a2b404 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -120,8 +120,8 @@ static int has_unshown_parent(struct commit *commit) struct anonymized_entry { struct hashmap_entry hash; - const char *orig; const char *anon; + const char orig[FLEX_ARRAY]; }; struct anonymized_entry_key { @@ -170,9 +170,8 @@ static const char *anonymize_str(struct hashmap *map, ret = hashmap_get_entry(map, &key, hash, &key); if (!ret) { - ret = xmalloc(sizeof(*ret)); + FLEX_ALLOC_MEM(ret, orig, orig, len); hashmap_entry_init(&ret->hash, key.hash.hash); - ret->orig = xmemdupz(orig, len); ret->anon = generate(orig, len); hashmap_put(map, &ret->hash); } -- cgit v1.2.3 From 6416a865da44ac8e27e5dbcafd6a8b76caf09f5a Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:25:01 -0400 Subject: fast-export: move global "idents" anonymize hashmap into function All of the other anonymization functions keep their static mappings inside the function to avoid polluting the global namespace. Let's do the same for "idents", as nobody needs it outside of anonymize_ident_line(). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 99d4a2b404..16a1563e49 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -555,7 +555,6 @@ static char *anonymize_commit_message(const char *old) return xstrfmt("subject %d\n\nbody\n", counter++); } -static struct hashmap idents; static char *anonymize_ident(const char *old, size_t len) { static int counter; @@ -572,6 +571,7 @@ static char *anonymize_ident(const char *old, size_t len) */ static void anonymize_ident_line(const char **beg, const char **end) { + static struct hashmap idents; static struct strbuf buffers[] = { STRBUF_INIT, STRBUF_INIT }; static unsigned which_buffer; -- cgit v1.2.3 From d5bf91fde4430532eb725425c3ef9827048af6b5 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Tue, 23 Jun 2020 11:25:03 -0400 Subject: fast-export: add a "data" callback parameter to anonymize_str() The anonymize_str() function takes a generator callback, but there's no way to pass extra context to it. Let's add the usual "void *data" parameter to the generator interface and pass it along. This is mildly annoying for existing callers, all of which pass NULL, but is necessary to avoid extra globals in some cases we'll add in a subsequent patch. While we're touching each of these callbacks, we can further observe that none of them use the existing orig/len parameters at all. This makes sense, since the point is for their output to have no discernable basis in the original (my original version had some notion that we might use a one-way function to obfuscate the names, but it was never implemented). So let's drop those extra parameters. If a caller really wants to do something with them, it can pass a struct through the new data parameter. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 16a1563e49..1cbca5b4b4 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -155,8 +155,9 @@ static int anonymized_entry_cmp(const void *unused_cmp_data, * is farmed out to the generate function. */ static const char *anonymize_str(struct hashmap *map, - char *(*generate)(const char *, size_t), - const char *orig, size_t len) + char *(*generate)(void *), + const char *orig, size_t len, + void *data) { struct anonymized_entry_key key; struct anonymized_entry *ret; @@ -172,7 +173,7 @@ static const char *anonymize_str(struct hashmap *map, if (!ret) { FLEX_ALLOC_MEM(ret, orig, orig, len); hashmap_entry_init(&ret->hash, key.hash.hash); - ret->anon = generate(orig, len); + ret->anon = generate(data); hashmap_put(map, &ret->hash); } @@ -187,12 +188,12 @@ static const char *anonymize_str(struct hashmap *map, */ static void anonymize_path(struct strbuf *out, const char *path, struct hashmap *map, - char *(*generate)(const char *, size_t)) + char *(*generate)(void *)) { while (*path) { const char *end_of_component = strchrnul(path, '/'); size_t len = end_of_component - path; - const char *c = anonymize_str(map, generate, path, len); + const char *c = anonymize_str(map, generate, path, len, NULL); strbuf_addstr(out, c); path = end_of_component; if (*path) @@ -367,7 +368,7 @@ static void print_path_1(const char *path) printf("%s", path); } -static char *anonymize_path_component(const char *path, size_t len) +static char *anonymize_path_component(void *data) { static int counter; struct strbuf out = STRBUF_INIT; @@ -389,7 +390,7 @@ static void print_path(const char *path) } } -static char *generate_fake_oid(const char *old, size_t len) +static char *generate_fake_oid(void *data) { static uint32_t counter = 1; /* avoid null oid */ const unsigned hashsz = the_hash_algo->rawsz; @@ -405,7 +406,7 @@ static const char *anonymize_oid(const char *oid_hex) { static struct hashmap objs; size_t len = strlen(oid_hex); - return anonymize_str(&objs, generate_fake_oid, oid_hex, len); + return anonymize_str(&objs, generate_fake_oid, oid_hex, len, NULL); } static void show_filemodify(struct diff_queue_struct *q, @@ -502,7 +503,7 @@ static const char *find_encoding(const char *begin, const char *end) return bol; } -static char *anonymize_ref_component(const char *old, size_t len) +static char *anonymize_ref_component(void *data) { static int counter; struct strbuf out = STRBUF_INIT; @@ -555,7 +556,7 @@ static char *anonymize_commit_message(const char *old) return xstrfmt("subject %d\n\nbody\n", counter++); } -static char *anonymize_ident(const char *old, size_t len) +static char *anonymize_ident(void *data) { static int counter; struct strbuf out = STRBUF_INIT; @@ -598,7 +599,7 @@ static void anonymize_ident_line(const char **beg, const char **end) len = split.mail_end - split.name_begin; ident = anonymize_str(&idents, anonymize_ident, - split.name_begin, len); + split.name_begin, len, NULL); strbuf_addstr(out, ident); strbuf_addch(out, ' '); strbuf_add(out, split.date_begin, split.tz_end - split.date_begin); @@ -739,7 +740,7 @@ static void handle_commit(struct commit *commit, struct rev_info *rev, show_progress(); } -static char *anonymize_tag(const char *old, size_t len) +static char *anonymize_tag(void *data) { static int counter; struct strbuf out = STRBUF_INIT; @@ -815,7 +816,7 @@ static void handle_tag(const char *name, struct tag *tag) if (message) { static struct hashmap tags; message = anonymize_str(&tags, anonymize_tag, - message, message_size); + message, message_size, NULL); } } -- cgit v1.2.3 From 65b5d9fae7684a282f48295b645c2f9da77c2736 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 25 Jun 2020 15:48:32 -0400 Subject: fast-export: allow seeding the anonymized mapping After you anonymize a repository, it can be hard to find which commits correspond between the original and the result, and thus hard to reproduce commands that triggered bugs in the original. Let's make it possible to seed the anonymization map. This lets users either: - mark names to be retained as-is, if they don't consider them secret (in which case their original commands would just work) - map names to new values, which lets them adapt the reproduction recipe to the new names without revealing the originals The implementation is fairly straight-forward. We already store each anonymized token in a hashmap (so that the same token appearing twice is converted to the same result). We can just introduce a new "seed" hashmap which is consulted first. This does make a few more promises to the user about how we'll anonymize things (e.g., token-splitting pathnames). But it's unlikely that we'd want to change those rules, even if the actual anonymization of a single token changes. And it makes things much easier for the user, who can unblind only a directory name without having to specify each path within it. One alternative to this approach would be to anonymize as we see fit, and then dump the whole refname and pathname mappings to a file. This does work, but it's a bit awkward to use (you have to manually dig the items you care about out of the mapping). Helped-by: Eric Sunshine Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index 1cbca5b4b4..b0b09bca30 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -45,6 +45,7 @@ static struct string_list extra_refs = STRING_LIST_INIT_NODUP; static struct string_list tag_refs = STRING_LIST_INIT_NODUP; static struct refspec refspecs = REFSPEC_INIT_FETCH; static int anonymize; +static struct hashmap anonymized_seeds; static struct revision_sources revision_sources; static int parse_opt_signed_tag_mode(const struct option *opt, @@ -168,8 +169,18 @@ static const char *anonymize_str(struct hashmap *map, hashmap_entry_init(&key.hash, memhash(orig, len)); key.orig = orig; key.orig_len = len; - ret = hashmap_get_entry(map, &key, hash, &key); + /* First check if it's a token the user configured manually... */ + if (anonymized_seeds.cmpfn) + ret = hashmap_get_entry(&anonymized_seeds, &key, hash, &key); + else + ret = NULL; + + /* ...otherwise check if we've already seen it in this context... */ + if (!ret) + ret = hashmap_get_entry(map, &key, hash, &key); + + /* ...and finally generate a new mapping if necessary */ if (!ret) { FLEX_ALLOC_MEM(ret, orig, orig, len); hashmap_entry_init(&ret->hash, key.hash.hash); @@ -1147,6 +1158,37 @@ static void handle_deletes(void) } } +static char *anonymize_seed(void *data) +{ + return xstrdup(data); +} + +static int parse_opt_anonymize_map(const struct option *opt, + const char *arg, int unset) +{ + struct hashmap *map = opt->value; + const char *delim, *value; + size_t keylen; + + BUG_ON_OPT_NEG(unset); + + delim = strchr(arg, ':'); + if (delim) { + keylen = delim - arg; + value = delim + 1; + } else { + keylen = strlen(arg); + value = arg; + } + + if (!keylen || !*value) + return error(_("--anonymize-map token cannot be empty")); + + anonymize_str(map, anonymize_seed, arg, keylen, (void *)value); + + return 0; +} + int cmd_fast_export(int argc, const char **argv, const char *prefix) { struct rev_info revs; @@ -1188,6 +1230,9 @@ int cmd_fast_export(int argc, const char **argv, const char *prefix) OPT_STRING_LIST(0, "refspec", &refspecs_list, N_("refspec"), N_("Apply refspec to exported refs")), OPT_BOOL(0, "anonymize", &anonymize, N_("anonymize output")), + OPT_CALLBACK_F(0, "anonymize-map", &anonymized_seeds, N_("from:to"), + N_("convert to in anonymized output"), + PARSE_OPT_NONEG, parse_opt_anonymize_map), OPT_BOOL(0, "reference-excluded-parents", &reference_excluded_commits, N_("Reference parents which are not in fast-export stream by object id")), OPT_BOOL(0, "show-original-ids", &show_original_ids, @@ -1215,6 +1260,9 @@ int cmd_fast_export(int argc, const char **argv, const char *prefix) if (argc > 1) usage_with_options (fast_export_usage, options); + if (anonymized_seeds.cmpfn && !anonymize) + die(_("--anonymize-map without --anonymize does not make sense")); + if (refspecs_list.nr) { int i; -- cgit v1.2.3 From 8a494955835e3635926d4f6f4607c1ed95b011fc Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 25 Jun 2020 15:48:35 -0400 Subject: fast-export: anonymize "master" refname Running "fast-export --anonymize" will leave "refs/heads/master" untouched in the output, for two reasons: - it helped to have some known reference point between the original and anonymized repository - since it's historically the default branch name, it doesn't leak any information Now that we can ask fast-export to retain particular tokens, we have a much better tool for the first one (because it works for any ref, not just master). For the second, the notion of "default branch name" is likely to become configurable soon, at which point the name _does_ leak information. Let's drop this special case in preparation. Note that we have to adjust the test a bit, since it relied on using the name "master" in the anonymized repos. We could just use --anonymize-map=master to keep the same output, but then we wouldn't know if it works because of our hard-coded master or because of the explicit map. So let's flip the test a bit, and confirm that we anonymize "master", but keep "other" in the output. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 7 ------- 1 file changed, 7 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index b0b09bca30..c6ecf404d7 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -538,13 +538,6 @@ static const char *anonymize_refname(const char *refname) static struct strbuf anon = STRBUF_INIT; int i; - /* - * We also leave "master" as a special case, since it does not reveal - * anything interesting. - */ - if (!strcmp(refname, "refs/heads/master")) - return refname; - strbuf_reset(&anon); for (i = 0; i < ARRAY_SIZE(prefixes); i++) { if (skip_prefix(refname, prefixes[i], &refname)) { -- cgit v1.2.3 From f39ad38410da554af54966bf74fa0402355852ac Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 25 Jun 2020 15:48:37 -0400 Subject: fast-export: use local array to store anonymized oid Some older versions of gcc complain about this line: builtin/fast-export.c:412:2: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] put_be32(oid.hash + hashsz - 4, counter++); ^ This seems to be a false positive, as there's no type-punning at all here. oid.hash is an array of unsigned char; when we pass it to a function it decays to a pointer to unsigned char. We do take a void pointer in put_be32(), but it's immediately aliased with another pointer to unsigned char (and clearly the compiler is looking inside the inlined put_be32(), since the warning doesn't happen with -O0). This happens on gcc 4.8 and 4.9, but not later versions (I tested gcc 6, 7, 8, and 9). We can work around it by using a local array instead of an object_id struct. This is a little more intimate with the details of object_id, but for whatever reason doesn't seem to trigger the compiler warning. We can revert this patch once we decide that those gcc versions are too old to care about for a warning like this (gcc 4.8 is the default compiler for Ubuntu Trusty, which is out-of-support but not fully end-of-life'd until April 2022). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- builtin/fast-export.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'builtin') diff --git a/builtin/fast-export.c b/builtin/fast-export.c index c6ecf404d7..9f37895d4c 100644 --- a/builtin/fast-export.c +++ b/builtin/fast-export.c @@ -405,12 +405,12 @@ static char *generate_fake_oid(void *data) { static uint32_t counter = 1; /* avoid null oid */ const unsigned hashsz = the_hash_algo->rawsz; - struct object_id oid; + unsigned char out[GIT_MAX_RAWSZ]; char *hex = xmallocz(GIT_MAX_HEXSZ); - oidclr(&oid); - put_be32(oid.hash + hashsz - 4, counter++); - return oid_to_hex_r(hex, &oid); + hashclr(out); + put_be32(out + hashsz - 4, counter++); + return hash_to_hex_algop_r(hex, out, the_hash_algo); } static const char *anonymize_oid(const char *oid_hex) -- cgit v1.2.3