From 8446f4cddd2a50a62e061da68158b9f8faccaa16 Mon Sep 17 00:00:00 2001
From: Anthony Sottile
Date: Fri, 21 Oct 2022 20:13:37 -0700
Subject: [PATCH] fix tests for submodules for CVE-2022-39253
---
 testing/fixtures.py | 9 +++++++++
 tests/commands/install_uninstall_test.py | 3 ++-
 tests/conftest.py | 3 ++-
 tests/repository_test.py | 19 ++++++++++++++++++-
 tests/staged_files_only_test.py | 5 ++---
 5 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/testing/fixtures.py b/testing/fixtures.py
index 5182a083e..a351d2c9f 100644
--- a/testing/fixtures.py
+++ b/testing/fixtures.py
@@ -146,3 +146,12 @@ def make_consuming_repo(tempdir_factory, repo_source):
 config = make_config_from_repo(path)
 git_path = git_dir(tempdir_factory)
 return add_config_to_repo(git_path, config)
+
+
+def git_submodule_add(repo, dest, *, cwd='.'):
+ cmd_output(
+ 'git',
+ '-c', 'protocol.file.allow=always',
+ '-C', cwd,
+ 'submodule', 'add', repo, dest,
+ )
diff --git a/tests/commands/install_uninstall_test.py b/tests/commands/install_uninstall_test.py
index ae668ac9f..76b442495 100644
--- a/tests/commands/install_uninstall_test.py
+++ b/tests/commands/install_uninstall_test.py
@@ -20,6 +20,7 @@
 from pre_commit.util import resource_text
 from testing.fixtures import add_config_to_repo
 from testing.fixtures import git_dir
+from testing.fixtures import git_submodule_add
 from testing.fixtures import make_consuming_repo
 from testing.fixtures import remove_config_from_repo
 from testing.fixtures import write_config
@@ -176,7 +177,7 @@ def test_install_pre_commit_and_run_custom_path(tempdir_factory, store):
 def test_install_in_submodule_and_run(tempdir_factory, store):
 src_path = make_consuming_repo(tempdir_factory, 'script_hooks_repo')
 parent_path = git_dir(tempdir_factory)
- cmd_output('git', 'submodule', 'add', src_path, 'sub', cwd=parent_path)
+ git_submodule_add(src_path, 'sub', cwd=parent_path)
 git_commit(cwd=parent_path)
 sub_pth = os.path.join(parent_path, 'sub')
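Review bot: `git_submodule_add` in testing/fixtures.py has no docstring, so nothing tells a later reader why the helper passes `-c protocol.file.allow=always`. That option re-enables local file-transport submodule clones, which the commit subject links to CVE-2022-39253, and the override is only reasonable here because the repositories involved are created by the tests themselves. I would add a docstring along the lines of `"""Add a submodule from a local path; overrides protocol.file.allow for test fixtures only (see CVE-2022-39253)."""`. `repo` and `dest` also follow `add` directly; putting `'--'` before them would keep a path starting with `-` from being parsed as an option, although fixture-generated paths make that unlikely.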
diff --git a/tests/conftest.py b/tests/conftest.py
index 40c0c0500..3175d9b09 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -15,6 +15,7 @@
 from pre_commit.util import cmd_output
 from pre_commit.util import make_executable
 from testing.fixtures import git_dir
+from testing.fixtures import git_submodule_add
 from testing.fixtures import make_consuming_repo
 from testing.fixtures import write_config
 from testing.util import cwd
@@ -90,7 +91,7 @@ def in_conflicting_submodule(tempdir_factory):
 git_dir_1 = git_dir(tempdir_factory)
 git_dir_2 = git_dir(tempdir_factory)
 git_commit(msg=in_conflicting_submodule.__name__, cwd=git_dir_2)
- cmd_output('git', 'submodule', 'add', git_dir_2, 'sub', cwd=git_dir_1)
+ git_submodule_add(git_dir_2, 'sub', cwd=git_dir_1)
 with cwd(os.path.join(git_dir_1, 'sub')):
 _make_conflict()
 yield
diff --git a/tests/repository_test.py b/tests/repository_test.py
index 0d4cb651b..e9804a375 100644
--- a/tests/repository_test.py
+++ b/tests/repository_test.py
@@ -2,6 +2,7 @@
 import os.path
 import shutil
+import subprocess
 from typing import Any
 from unittest import mock
@@ -22,11 +23,13 @@
 from pre_commit.languages import ruby
 from pre_commit.languages import rust
 from pre_commit.languages.all import languages
+from pre_commit.parse_shebang import find_executable
 from pre_commit.prefix import Prefix
 from pre_commit.repository import all_hooks
 from pre_commit.repository import install_hook_envs
 from pre_commit.util import cmd_output
 from pre_commit.util import cmd_output_b
+from testing.fixtures import git_submodule_add
 from testing.fixtures import make_config_from_repo
 from testing.fixtures import make_repo
 from testing.fixtures import modify_manifest
@@ -400,6 +403,20 @@ def test_golang_hook_still_works_when_gobin_is_set(tempdir_factory, store):
 assert os.listdir(gobin_dir) == []
+@pytest.fixture
+def allow_file_submodules():
+ git_exe = find_executable('git')
+
+ def new(cmd, *args, orig=subprocess.Popen, **kwargs):
+ if cmd[0] == git_exe:
+ cmd = (git_exe, '-c', 'protocol.file.allow=always', *cmd[1:])
+ return orig(cmd, *args, **kwargs)
+
+ with mock.patch.object(subprocess, 'Popen', new):
+ yield
+
+
+@pytest.mark.usefixtures('allow_file_submodules')
 def test_golang_with_recursive_submodule(tmpdir, tempdir_factory, store):
 sub_go = '''\
 package sub
@@ -443,7 +460,7 @@ def test_golang_with_recursive_submodule(tmpdir, tempdir_factory, store):
 repo.join('main.go').write(main_go)
 cmd_output('git', '-C', str(repo), 'init', '.')
 cmd_output('git', '-C', str(repo), 'add', '.')
- cmd_output('git', '-C', str(repo), 'submodule', 'add', str(sub), 'sub')
+ git_submodule_add(sub, 'sub', cwd=repo)
 git.commit(str(repo))
 config = make_config_from_repo(str(repo))
diff --git a/tests/staged_files_only_test.py b/tests/staged_files_only_test.py
index a91f31519..e71cfb94e 100644
--- a/tests/staged_files_only_test.py
+++ b/tests/staged_files_only_test.py
@@ -11,6 +11,7 @@
 from pre_commit.util import cmd_output
 from testing.auto_namedtuple import auto_namedtuple
 from testing.fixtures import git_dir
+from testing.fixtures import git_submodule_add
 from testing.util import cwd
 from testing.util import get_resource_path
 from testing.util import git_commit
@@ -206,9 +207,7 @@ def sub_staged(repo_with_commits, tempdir_factory):
 open('bar', 'a+').close()
 cmd_output('git', 'add', 'bar')
 git_commit()
- cmd_output(
- 'git', 'submodule', 'add', repo_with_commits.path, 'sub',
- )
+ git_submodule_add(repo_with_commits.path, 'sub')
 checkout_submodule(repo_with_commits.rev1)
 cmd_output('git', 'add', 'sub')
 yield auto_namedtuple(
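Review bot: The `allow_file_submodules` fixture in tests/repository_test.py has no docstring, and its effect is wider than its name suggests. While it is active it replaces `subprocess.Popen` for the whole process and prepends `-c protocol.file.allow=always` to every git command, not only the submodule clone. I would add a docstring saying that it lifts the file-transport restriction (tied to CVE-2022-39253 by the commit subject) only for tests whose repositories are all created locally, and that the code under test presumably keeps Git's default on purpose. The match `cmd[0] == git_exe` fires only when the caller passes a sequence whose first element is exactly the path `find_executable('git')` returned, so a comment such as `# assumes cmd[0] is the resolved git path; anything else passes through unchanged` would make that assumption visible. The fixture is complete within the hunk; the decorated test continues outside it.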
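Review bot: In the `@@ -443,7 +460,7 @@` hunk of tests/repository_test.py, the new call `git_submodule_add(sub, 'sub', cwd=repo)` drops the `str()` conversions that the removed line and its neighbours (`str(repo)`) apply, so the helper now receives the path objects themselves. Whether `cmd_output` accepts path-like arguments on every supported platform is not visible here; `git_submodule_add(str(sub), 'sub', cwd=str(repo))` would keep the call consistent with the surrounding lines. The body of test_golang_with_recursive_submodule starts and ends outside this hunk.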