Where does this commit come from?

Question

Where does this commit come from?

FatalReadError opened this issue 4 years ago · comments

FatalReadError commented 4 years ago

a21ea0b

Tom Bevan · Answer 1 · Thu Jul 02 2020 21:22:00 GMT+0800 (China Standard Time)

Sorry not sure what you mean. That commit is from an unmerged pull request from another repo

FatalReadError · Answer 2 · Thu Jul 02 2020 21:33:23 GMT+0800 (China Standard Time)

It is from this repo, r3labs/sse; that's why it begins with https://github.com/r3labs/sse/commit/

The only thing that this commit does is change where the files will be pulled from.

FatalReadError · Answer 3 · Thu Jul 02 2020 21:40:00 GMT+0800 (China Standard Time)

Also, I am not watching that repo, but watching only the r3labs one, but this came through in my notifications. I don't receive commit messages from other forks until they are made to the watched repo.

Looking at the other repo, the changes so far seem benign, but that can change... but how did this occur?

Tom Bevan · Answer 4 · Fri Jul 03 2020 20:46:31 GMT+0800 (China Standard Time)

As far as i'm aware, when a github pull request gets opened, a branch is created on the target repo.

If you git ls-remote, you'll see commit ID's for all pull requests that have been opened so i'm not sure if this is an attack per-se.

641a49cc7d4a4540a615b0633564953dd004c4ea	refs/pull/69/head
df12d65c60e94508b4e797a12f494572ff32acd2	refs/pull/7/head
c3fa507ef0e211cb483bcd420a1d08f24e6c5f4c	refs/pull/74/head
c4a757f15117d1816b2a893d5fc38a440c02d8ce	refs/pull/77/head
a21ea0b822f57bd2725eca14dc75651feced107c	refs/pull/78/head
0203be53760f19d4d3d8437f68932133fade45c2	refs/pull/78/merge

The pull request actually includes other changes and its reasonably normal for someone to update the go modules file in their fork and forget to remove that from the PR. However, it won't be merged until the changes to the readme and go.mod has been removed.

I will try look into github's how pull requests work a bit further

FatalReadError · Answer 5 · Fri Jul 03 2020 21:59:20 GMT+0800 (China Standard Time)

The pull request actually includes other changes and its reasonably normal for someone to update the go modules file in their fork and forget to remove that from the PR. However, it won't be merged until the changes to the readme and go.mod has been removed.

I agree, and that's good to know. And I wasn't able to find where that commit actually came from, or what it was committed to, but it originated from this repo. I wonder if we're seeing some new and subtle attack. It's also interesting that the committer hasn't dropped in on this issue to explain what we're seeing.

To your point, there doesn't seem to be any open or closed pull request referencing this commit. I just created a new one for fun and my pull request #80 says: "Add more commits by pushing to the patch-1 branch on FatalReadError/sse." I don't think it created a branch, either: https://github.com/r3labs/sse/branches

The above commit says on its commit page, "This commit does not belong to any branch on this repository. "

When I pull the repo and run git branch --contains a21ea0b822f57bd2725eca14dc75651feced107c (there's currently only one branch: master), it returns error: no such commit. And yet, there it is: a commit to the github repo itself.

I'm at the limit of my git and github knowledge. Perhaps someone with more git expertise can help out and tell me that I'm imagining things.

Tom Bevan · Answer 6 · Fri Jul 03 2020 22:29:45 GMT+0800 (China Standard Time)

@FatalReadError Thanks for opening that PR to check. I can actually see your branch when I git ls-remote, but not with git branch -a --contains. I think we are unable to see it under r3labs/sse/branches because its a reference to a branch, rather than an actual branch on the repo. My git expertise isn't too great either, but that seems to be the case.

For instance, I can check out your pull request by doing git fetch origin pull/80/head:testbranch and then git checkout testbranch locally.

The origin of that commit comes from:
#78

more specifically:
https://github.com/r3labs/sse/pull/78/commits/a21ea0b822f57bd2725eca14dc75651feced107c.

I'm able to create a branch from that reference locally the same way I specified above. After doing a bit more reading, i'm mostly confident that its nothing to worry about.

I'll contact the PR's author and request that they remove the go.mod and readme changes from that PR.

FatalReadError · Answer 7 · Fri Jul 03 2020 22:34:55 GMT+0800 (China Standard Time)

whew, sorry for raising the alarm! Looks like you're right on the money on that. Thanks, closing this!

FatalReadError · Answer 8 · Fri Jul 03 2020 22:40:46 GMT+0800 (China Standard Time)

What's strange about this: I received a commit notification from this repo for the above commit. I didn't think individual commits were notified.

However, the other commit in this pull looks good to me.

Tom Bevan · Answer 9 · Fri Jul 03 2020 22:49:12 GMT+0800 (China Standard Time)

Yeah, thats definitely strange. I'm not sure whether thats a bug with github notifications? Have you received anything for any other PR's opened recently?

FatalReadError · Answer 10 · Fri Jul 03 2020 22:55:18 GMT+0800 (China Standard Time)

No, but I only started watching this repo fairly recently. I also didn't receive any notification of the /other/ commit in this PR. And I didn't receive a notification of my test PR, but perhaps that was because I was the submitter.

FatalReadError · Answer 11 · Fri Jul 03 2020 23:06:02 GMT+0800 (China Standard Time)

That is so strange. I just got notification of my reply. I agree -- there's definitely some bugs in Github notifications.