tests: add a safety net to prevent git from operating on the wrong repo

The GIT_CEILING_DIRECTORIES fix in the preceding commit should be
sufficient to prevent test-spawned git processes from discovering the
enclosing repository. However, when that protection was put to the test
by running `rm -rf node_modules/ build/ && npm ci && npm run build &&
npm test` from a worktree, the test commits still ended up on the real
worktree's HEAD for reasons that could not be fully diagnosed. Since the
consequences of this happening are severe (the primary worktree was
marked as `core.bare = true` and test commits, notes refs, and fake
upstream refs all landed on the real repository), an additional layer of
defense is warranted.

Introduce a `validateWorkDir()` function in `lib/git.ts` that is called
from every function that spawns a git process (`git()`, `revParse()`,
`revListCount()`, `gitConfig()`, `gitConfigForEach()`,
`gitCommandExists()`). When the `GIT_WORK_DIR_PREFIX` environment
variable is set, the function verifies that the resolved `workDir` falls
inside the expected directory, and throws otherwise. For `git init
<path>` and `git --git-dir=<path>` invocations, the target path from
the arguments is validated instead of the cwd, since those commands
legitimately operate on a path specified as an argument rather than
through the `workDir` option.

In `testCreateRepo()`, the guard is suspended during the setup phase
(which needs to run `git init` and `git config --global` without a test
repo `workDir`), then activated by setting `GIT_WORK_DIR_PREFIX` to the
`.test-dir/` path before returning. This ensures that all subsequent
`git()` calls in the test process must use a `workDir` inside the test
directory, or fail loudly.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

lib/git.ts

@@ -1,4 +1,5 @@
 import { ChildProcess } from "child_process";
+import * as path from "path";
 import { exec as GitProcess } from "dugite";
 
 // For convenience, let's add helpers to call Git:
@@ -16,6 +17,18 @@ export interface IGitOptions {
 export const emptyBlobName = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391";
 export const emptyTreeName = "4b825dc642cb6eb9a060e54bf8d69288fbee4904";
 
+function validateWorkDir(workDir: string): void {
+    const prefix = process.env.GIT_WORK_DIR_PREFIX;
+    if (!prefix) return;
+    const gitDir = process.env.GIT_DIR;
+    if (gitDir) {
+        throw new Error(`GIT_DIR is set to '${gitDir}'; This should not happen in tests`);
+    }
+    if (!path.resolve(workDir).startsWith(prefix)) {
+        throw new Error(`workDir '${workDir}' is not inside '${prefix}'`);
+    }
+}
+
 function trimTrailingNewline(str: string): string {
     return str.replace(/\r?\n$/, "");
 }
@@ -43,6 +56,44 @@ export function git(args: string[], options?: IGitOptions): Promise<string> {
         args = [`--git-dir=${options.workDir}`, ...args];
         workDir = ".";
     }
+    const prefix = process.env.GIT_WORK_DIR_PREFIX;
+    if (prefix) {
+        let cmdStart = 0;
+
+        // --git-dir=<path> must be the very first argument (prepended by the bare-repo handling above)
+        if (args[0]?.startsWith("--git-dir=")) {
+            validateWorkDir(args[0].substring("--git-dir=".length));
+            cmdStart = 1;
+        }
+
+        if (args[cmdStart] === "init") {
+            // Strictly parse: init [--bare] [--initial-branch <name>] <directory>
+            let i = cmdStart + 1;
+            while (i < args.length) {
+                if (args[i] === "--bare") {
+                    i++;
+                } else if (args[i] === "--initial-branch" || args[i] === "-b") {
+                    if (i + 1 >= args.length) throw new Error(`git init: '${args[i]}' requires a value`);
+                    i += 2;
+                } else if (args[i].startsWith("-")) {
+                    throw new Error(`git init: unexpected option '${args[i]}'`);
+                } else {
+                    break;
+                }
+            }
+            if (i >= args.length) {
+                throw new Error(`git init without an explicit target directory is not allowed in tests`);
+            }
+            if (i + 1 < args.length) {
+                throw new Error(`git init: unexpected trailing argument '${args[i + 1]}'`);
+            }
+            validateWorkDir(args[i]);
+        } else if (cmdStart === 0) {
+            // No --git-dir, not init: validate workDir
+            validateWorkDir(workDir);
+        }
+        // If --git-dir was present and subcommand is not init, it was already validated above
+    }
     if (options && options.trace) {
         process.stderr.write(`Called 'git ${args.join(" ")}' in '${workDir}':\n${new Error().stack}\n`);
     }
@@ -158,7 +209,9 @@ export function git(args: string[], options?: IGitOptions): Promise<string> {
  * @returns { string | undefined } the full SHA-1, or undefined
  */
 export async function revParse(argument: string, workDir?: string): Promise<string | undefined> {
-    const result = await GitProcess(["rev-parse", "--verify", "-q", argument], workDir || ".");
+    const dir = workDir || ".";
+    validateWorkDir(dir);
+    const result = await GitProcess(["rev-parse", "--verify", "-q", argument], dir);
     return result.exitCode ? undefined : trimTrailingNewline(result.stdout);
 }
 
@@ -171,6 +224,7 @@ export async function revParse(argument: string, workDir?: string): Promise<stri
  * @returns number the number of commits in the commit range
  */
 export async function revListCount(rangeArgs: string | string[], workDir = "."): Promise<number> {
+    validateWorkDir(workDir);
     const gitArgs: string[] = ["rev-list", "--count"];
     if (typeof rangeArgs === "string") {
         gitArgs.push(rangeArgs);
@@ -196,7 +250,9 @@ export async function commitExists(commit: string, workDir: string): Promise<boo
 }
 
 export async function gitConfig(key: string, workDir?: string): Promise<string | undefined> {
-    const result = await GitProcess(["config", key], workDir || ".");
+    const dir = workDir || ".";
+    validateWorkDir(dir);
+    const result = await GitProcess(["config", key], dir);
     if (result.exitCode !== 0) {
         return undefined;
     }
@@ -208,12 +264,16 @@ export async function gitConfigForEach(
     callbackfn: (value: string) => void,
     workDir?: string,
 ): Promise<void> {
-    const result = await GitProcess(["config", "--get-all", key], workDir || ".");
+    const dir = workDir || ".";
+    validateWorkDir(dir);
+    const result = await GitProcess(["config", "--get-all", key], dir);
     result.stdout.split(/\r?\n/).map(callbackfn);
 }
 
 export async function gitCommandExists(command: string, workDir?: string): Promise<boolean> {
-    const result = await GitProcess([command, "-h"], workDir || ".");
+    const dir = workDir || ".";
+    validateWorkDir(dir);
+    const result = await GitProcess([command, "-h"], dir);
     return result.exitCode === 129;
 }
 

tests/test-lib.ts

@@ -148,6 +148,9 @@ export async function testCreateRepo(name: string, suffix?: string): Promise<Tes
     }
     process.env.GIT_CEILING_DIRECTORIES = ceilings.join(path.delimiter);
 
+    // Suspend the workDir guard during repo setup (git init, git config --global)
+    delete process.env.GIT_WORK_DIR_PREFIX;
+
     // eslint-disable-next-line security/detect-unsafe-regex
     const match = name.match(/^(.*[\\/])?(.*?)(\.test)?\.ts$/);
     if (match) {
@@ -191,6 +194,10 @@ export async function testCreateRepo(name: string, suffix?: string): Promise<Tes
         workDir: dir,
     };
     await git(["commit-tree", "-m", "Test commit", "4b825dc642cb6eb9a060e54bf8d69288fbee4904"], opts);
+
+    // From now on, ensure that all git() calls use a workDir inside tmp
+    process.env.GIT_WORK_DIR_PREFIX = tmp;
+
     const gitOpts: ITestCommitOptions = { workDir: dir };
 
     return new TestRepo(gitOpts);