pnpm/fetching/git-fetcher/test/index.ts

/// <reference path="../../../__typings__/index.d.ts"/>
import path from 'node:path'

import { afterAll, beforeEach, expect, jest, test } from '@jest/globals'
import { createCafsStore } from '@pnpm/store.create-cafs-store'
import { StoreIndex } from '@pnpm/store.index'
import { lexCompare } from '@pnpm/util.lex-comparator'
import { temporaryDirectory } from 'tempy'

{
  const originalModule = await import('execa')
  jest.unstable_mockModule('execa', () => {
    return {
      __esModule: true,
      ...originalModule,
      safeExeca: jest.fn(originalModule.safeExeca),
    }
  })
}
{
  const originalModule = await import('@pnpm/logger')
  jest.unstable_mockModule('@pnpm/logger', () => {
    return {
      ...originalModule,
      globalWarn: jest.fn(),
    }
  })
}

const { globalWarn } = await import('@pnpm/logger')
const { safeExeca: execa } = await import('execa')
const { createGitFetcher } = await import('@pnpm/fetching.git-fetcher')

const storeIndexes: StoreIndex[] = []
afterAll(() => {
  for (const si of storeIndexes) si.close()
})

function createStoreIndex (storeDir: string): StoreIndex {
  const si = new StoreIndex(storeDir)
  storeIndexes.push(si)
  return si
}

beforeEach(() => {
  jest.mocked(execa).mockClear()
  jest.mocked(globalWarn).mockClear()
})

test('fetch', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap, manifest } = await fetch(
    createCafsStore(storeDir),
    {
      commit: 'c9b30e71d704cd30fa71f2edd1ecc7dcc4985493',
      repo: 'https://github.com/kevva/is-positive.git',
      type: 'git',
    },
    {
      readManifest: true,
      filesIndexFile: path.join(storeDir, 'index.json'),
    }
  )
  expect(filesMap.has('package.json')).toBeTruthy()
  expect(manifest?.name).toBe('is-positive')
})

test('fetch a package from Git sub folder', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap } = await fetch(
    createCafsStore(storeDir),
    {
      commit: '2b42a57a945f19f8ffab8ecbd2021fdc2c58ee22',
      repo: 'https://github.com/RexSkz/test-git-subfolder-fetch.git',
      path: '/packages/simple-react-app',
      type: 'git',
    },
    {
      filesIndexFile: path.join(storeDir, 'index.json'),
    }
  )
  expect(filesMap.has('public/index.html')).toBeTruthy()
})

test('prevent directory traversal attack when using Git sub folder', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const repo = 'https://github.com/RexSkz/test-git-subfolder-fetch.git'
  const pkgDir = '../../etc'
  await expect(
    fetch(
      createCafsStore(storeDir),
      {
        commit: '2b42a57a945f19f8ffab8ecbd2021fdc2c58ee22',
        repo,
        path: pkgDir,
        type: 'git',
      },
      {
        filesIndexFile: path.join(storeDir, 'index.json'),
      }
    )
  ).rejects.toThrow(`Failed to prepare git-hosted package fetched from "${repo}": Path "${pkgDir}" should be a sub directory`)
})

test('prevent directory traversal attack when using Git sub folder #2', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const repo = 'https://github.com/RexSkz/test-git-subfolder-fetch.git'
  const pkgDir = 'not/exists'
  await expect(
    fetch(
      createCafsStore(storeDir),
      {
        commit: '2b42a57a945f19f8ffab8ecbd2021fdc2c58ee22',
        repo,
        path: pkgDir,
        type: 'git',
      },
      {
        filesIndexFile: path.join(storeDir, 'index.json'),
      }
    )
  ).rejects.toThrow(`Failed to prepare git-hosted package fetched from "${repo}": Path "${pkgDir}" is not a directory`)
})

test('fetch a package from Git that has a prepare script', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({
    storeIndex: createStoreIndex(storeDir),
  }).git
  const { filesMap } = await fetch(
    createCafsStore(storeDir),
    {
      commit: '8b333f12d5357f4f25a654c305c826294cb073bf',
      repo: 'https://github.com/pnpm/test-git-fetch.git',
      type: 'git',
    },
    {
      allowBuild: (pkgName) => pkgName === 'test-git-fetch',
      filesIndexFile: path.join(storeDir, 'index.json'),
    }
  )
  expect(filesMap.has('dist/index.js')).toBeTruthy()
})

// Test case for https://github.com/pnpm/pnpm/issues/1866
test('fetch a package without a package.json', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap } = await fetch(
    createCafsStore(storeDir),
    {
      // a small Deno library with a 'denolib.json' instead of a 'package.json'
      commit: 'aeb6b15f9c9957c8fa56f9731e914c4d8a6d2f2b',
      repo: 'https://github.com/denolib/camelcase.git',
      type: 'git',
    },
    {
      filesIndexFile: path.join(storeDir, 'index.json'),
    }
  )
  expect(filesMap.has('denolib.json')).toBeTruthy()
})

// Covers the regression reported in https://github.com/pnpm/pnpm/issues/4064
test('fetch a big repository', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap } = await fetch(createCafsStore(storeDir),
    {
      commit: 'f766801580f10543c24ba8bfa59046a776848097',
      repo: 'https://github.com/pnpm-e2e/drupal-js-build.git',
      type: 'git',
    }, {
      filesIndexFile: path.join(storeDir, 'index.json'),
    })
  expect(filesMap).toBeTruthy()
})

test('still able to shallow fetch for allowed hosts', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ gitShallowHosts: ['github.com'], storeIndex: createStoreIndex(storeDir) }).git
  const resolution = {
    commit: 'c9b30e71d704cd30fa71f2edd1ecc7dcc4985493',
    repo: 'https://github.com/kevva/is-positive.git',
    type: 'git' as const,
  }
  const { filesMap, manifest } = await fetch(createCafsStore(storeDir), resolution, {
    readManifest: true,
    filesIndexFile: path.join(storeDir, 'index.json'),
  })
  const calls = jest.mocked(execa).mock.calls
  const expectedCalls = [
    ['git', [...prefixGitArgs(), 'init']],
    ['git', [...prefixGitArgs(), 'remote', 'add', 'origin', resolution.repo]],
    [
      'git',
      [...prefixGitArgs(), 'fetch', '--depth', '1', 'origin', resolution.commit],
    ],
  ]
  for (let i = 1; i < expectedCalls.length; i++) {
    // Discard final argument as it passes temporary directory
    expect(calls[i].slice(0, -1)).toEqual(expectedCalls[i])
  }
  expect(filesMap.has('package.json')).toBeTruthy()
  expect(manifest?.name).toBe('is-positive')
})

test('fail when preparing a git-hosted package', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({
    storeIndex: createStoreIndex(storeDir),
  }).git
  await expect(
    fetch(createCafsStore(storeDir),
      {
        commit: 'ba58874aae1210a777eb309dd01a9fdacc7e54e7',
        repo: 'https://github.com/pnpm-e2e/prepare-script-fails.git',
        type: 'git',
      }, {
        allowBuild: (pkgName) => pkgName === '@pnpm.e2e/prepare-script-fails',
        filesIndexFile: path.join(storeDir, 'index.json'),
      })
  ).rejects.toThrow('Failed to prepare git-hosted package fetched from "https://github.com/pnpm-e2e/prepare-script-fails.git": @pnpm.e2e/prepare-script-fails@1.0.0 npm-install: `npm install`')
})

test('reject a partial commit before invoking git', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({
    storeIndex: createStoreIndex(storeDir),
  }).git
  await expect(
    fetch(createCafsStore(storeDir),
      {
        commit: 'deadbeef',
        repo: 'https://github.com/pnpm-e2e/simple-pkg.git',
        type: 'git',
      }, {
        filesIndexFile: path.join(storeDir, 'index.json'),
      })
  ).rejects.toThrow('Invalid git commit hash "deadbeef"')
  expect(jest.mocked(execa)).not.toHaveBeenCalled()
})

test('reject a commit value that looks like a git option', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  await expect(
    fetch(createCafsStore(storeDir),
      {
        commit: '--upload-pack=touch /tmp/pwned',
        repo: 'file:///tmp/repo.git',
        type: 'git',
      }, {
        filesIndexFile: path.join(storeDir, 'index.json'),
      })
  ).rejects.toThrow('Invalid git commit hash "--upload-pack=touch /tmp/pwned"')
  expect(jest.mocked(execa)).not.toHaveBeenCalled()
})

test('do not build the package when scripts are ignored', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ ignoreScripts: true, storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap } = await fetch(createCafsStore(storeDir),
    {
      commit: '55416a9c468806a935636c0ad0371a14a64df8c9',
      repo: 'https://github.com/pnpm-e2e/prepare-script-works.git',
      type: 'git',
    }, {
      filesIndexFile: path.join(storeDir, 'index.json'),
    })
  expect(filesMap.has('package.json')).toBeTruthy()
  expect(filesMap.has('prepare.txt')).toBeFalsy()
  expect(globalWarn).toHaveBeenCalledWith('The git-hosted package fetched from "https://github.com/pnpm-e2e/prepare-script-works.git" has to be built but the build scripts were ignored.')
})

test('block git package with prepare script', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const repo = 'https://github.com/pnpm-e2e/prepare-script-works.git'
  await expect(
    fetch(createCafsStore(storeDir),
      {
        commit: '55416a9c468806a935636c0ad0371a14a64df8c9',
        repo,
        type: 'git',
      }, {
        allowBuild: () => false,
        filesIndexFile: path.join(storeDir, 'index.json'),
      })
  ).rejects.toThrow('The git-hosted package "@pnpm.e2e/prepare-script-works@1.0.0" needs to execute build scripts but is not in the "allowBuilds" allowlist')
})

test('allow git package with prepare script', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({
    storeIndex: createStoreIndex(storeDir),
  }).git
  // This should succeed without throwing because the package is in the allowlist
  const { filesMap } = await fetch(createCafsStore(storeDir),
    {
      commit: '55416a9c468806a935636c0ad0371a14a64df8c9',
      repo: 'https://github.com/pnpm-e2e/prepare-script-works.git',
      type: 'git',
    }, {
      allowBuild: (pkgName) => pkgName === '@pnpm.e2e/prepare-script-works',
      filesIndexFile: path.join(storeDir, 'index.json'),
    })
  expect(filesMap.has('package.json')).toBeTruthy()
  // Note: prepare.txt is in .gitignore so it won't be in the files index
  // The fact that no error was thrown proves the prepare script was allowed to run
})

function prefixGitArgs (): string[] {
  return process.platform === 'win32' ? ['-c', 'core.longpaths=true'] : []
}

test('fetch only the included files', async () => {
  const storeDir = temporaryDirectory()
  const fetch = createGitFetcher({ storeIndex: createStoreIndex(storeDir) }).git
  const { filesMap } = await fetch(
    createCafsStore(storeDir),
    {
      commit: '958d6d487217512bb154d02836e9b5b922a600d8',
      repo: 'https://github.com/pnpm-e2e/pkg-with-ignored-files',
      type: 'git',
    },
    {
      filesIndexFile: path.join(storeDir, 'index.json'),
    }
  )
  expect(Array.from(filesMap.keys()).sort(lexCompare)).toStrictEqual([
    'README.md',
    'dist/index.js',
    'package.json',
  ])
})