From 2362ce9cfa18a41f877c475dd97519726aeb045f Mon Sep 17 00:00:00 2001 From: Kate Date: Tue, 13 Aug 2024 13:13:41 +0100 Subject: [PATCH 1/3] gha: Allow local git submodules in preamble.sh (ignore CVE-2022-39253) --- .github/scripts/main/preamble.sh | 1 + master_changes.md | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/scripts/main/preamble.sh b/.github/scripts/main/preamble.sh index 19bb37f5032..2dce9b112cd 100644 --- a/.github/scripts/main/preamble.sh +++ b/.github/scripts/main/preamble.sh @@ -32,6 +32,7 @@ git config --global user.email "gha@example.com" git config --global user.name "Github Actions CI" git config --global gc.autoDetach false git config --global init.defaultBranch thisShouldNotHappen +git config --global protocol.file.allow always if [ -d ~/opam-repository ]; then OPAM_REPO_CACHE=file://$HOME/opam-repository diff --git a/master_changes.md b/master_changes.md index c3583d1c2b4..06a20809761 100644 --- a/master_changes.md +++ b/master_changes.md @@ -181,6 +181,7 @@ users) * Update action cache to v4 [#6081 @rjbou] * Update action checkout to v4 [#6081 @rjbou] * Update action upload-artifact to v4 [#6081 @rjbou] + * preamble: Allow local git submodules (ignore CVE-2022-39253) [#6132 @kit-ty-kate] ## Doc * Remove the ppa from the installation instructions on Ubuntu [#5988 @kit-ty-kate - fix #5987] From 7dbca0c3ab56c582265aeb8f9c2edc4465c3bdeb Mon Sep 17 00:00:00 2001 From: Kate Date: Tue, 13 Aug 2024 13:13:41 +0100 Subject: [PATCH 2/3] reftest: add a test for git packages with submodules --- master_changes.md | 1 + tests/reftests/dune.inc | 21 ++++++++++++ tests/reftests/git.test | 74 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 tests/reftests/git.test diff --git a/master_changes.md b/master_changes.md index 06a20809761..4cc7860d3bc 100644 --- a/master_changes.md +++ b/master_changes.md 
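Review bot: The added `git config --global protocol.file.allow always` in preamble.sh switches off git's CVE-2022-39253 hardening for every git invocation in the job, not only for the submodule reftest that needs it, and the line carries no comment saying so. If the runner ever fetches a repository it did not create itself (a pull-request checkout with submodules, a package source), file-transport submodule URLs in that repository would be honoured too; whether that happens is not visible in this hunk. I would scope the setting to the reftest step if that is practical, or at minimum document it in place: `# Needed by tests/reftests/git.test: recent git refuses file:// submodules by default (CVE-2022-39253). CI-only, do not copy to user setups.` The script continues outside the hunk.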
@@ -161,6 +161,7 @@ users) * Add a test filtering mechanism [#6105 @Keryan-dev] * Add a package fetching test [#6146 @rjbou] * Add a test showing the behaviour of `opam switch list-available` [#6098 @kit-ty-kate] + * Add a test for git packages with submodules [#6132 @kit-ty-kate] ### Engine * Add a test filtering mechanism [#6105 @Keryan-dev] diff --git a/tests/reftests/dune.inc b/tests/reftests/dune.inc index f34cdd8ec3c..9496f04fec6 100644 --- a/tests/reftests/dune.inc +++ b/tests/reftests/dune.inc @@ -818,6 +818,27 @@ %{targets} (run ./run.exe %{exe:../../src/client/opamMain.exe.exe} %{dep:filter-operators.test} %{read-lines:testing-env})))) +(rule + (alias reftest-git) + (enabled_if (and (or (<> %{env:TESTALL=1} 0) (= %{env:TESTN0REP0=0} 1)))) + (action + (diff git.test git.out))) + +(alias + (name reftest) + (enabled_if (and (or (<> %{env:TESTALL=1} 0) (= %{env:TESTN0REP0=0} 1)))) + (deps (alias reftest-git))) + +(rule + (targets git.out) + (deps root-N0REP0) + (enabled_if (and (or (<> %{env:TESTALL=1} 0) (= %{env:TESTN0REP0=0} 1)))) + (package opam) + (action + (with-stdout-to + %{targets} + (run ./run.exe %{exe:../../src/client/opamMain.exe.exe} %{dep:git.test} %{read-lines:testing-env})))) + (rule (alias reftest-init-ocaml-eval-variables.unix) (enabled_if (and (= %{os_type} "Unix") (or (<> %{env:TESTALL=1} 0) (= %{env:TESTN0REP0=0} 1)))) diff --git a/tests/reftests/git.test b/tests/reftests/git.test new file mode 100644 index 00000000000..187baa24096 --- /dev/null +++ b/tests/reftests/git.test 
@@ -0,0 +1,74 @@
+N0REP0
+### : Check the bevahiour when presented with a broken submodule
+### mkdir submodule
+### git -C ./submodule init -q
+### git -C ./submodule config core.autocrlf false
+### touch ./submodule/some-file
+### git -C ./submodule add ./some-file
+### git -C ./submodule commit -qm "first commit"
+### mkdir use-submodule
+### git -C ./use-submodule init -q
+### git -C ./use-submodule config core.autocrlf false
+### ### This test may fail locally depending on your git version
+### ### File protocol is removed locally since git 2.38,
+### ### to fix a CVE: https://www.cve.org/CVERecord?id=CVE-2022-39253
+### git -C ./use-submodule submodule add ../submodule ./vendor
+Cloning into '${BASEDIR}/use-submodule/vendor'...
+done.
+### git -C ./use-submodule commit -qm "first commit"
+###
+mkdir -p REPO/packages/submodule/submodule.1
+ESCAPED_BASEDIR=$(printf '%s' "$BASEDIR" | sed 's/\\/\\\\/g')
+cat > REPO/packages/submodule/submodule.1/opam << EOF
+opam-version: "2.0"
+build: ["ls" "vendor/some-file"]
+url {
+ src: "git+file://${ESCAPED_BASEDIR}/use-submodule"
+}
+EOF
+### sh ./create-submodule-pkg.sh
+### opam update
+
+<><> Updating package repositories ><><><><><><><><><><><><><><><><><><><><><><>
+[default] synchronised from file://${BASEDIR}/REPO
+Now run 'opam upgrade' to apply any package updates.
+### opam switch create submodule --empty
+### opam install submodule
+The following actions will be performed:
+=== install 1 package
+ - install submodule 1
+
+<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+-> retrieved submodule.1 (git+file://${BASEDIR}/use-submodule)
+-> installed submodule.1
+Done.
+### rm -r ./submodule
+### opam remove submodule
+The following actions will be performed:
+=== remove 1 package
+ - remove submodule 1
+
+<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+-> removed submodule.1
+Done.
+### opam install submodule +The following actions will be performed: +=== install 1 package + - install submodule 1 + +<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><> +[WARNING] Git submodule update failed in ${BASEDIR}/OPAM/submodule/.opam-switch/sources/submodule.1 +-> retrieved submodule.1 (git+file://${BASEDIR}/use-submodule) +[ERROR] The compilation of submodule.1 failed at "ls vendor/some-file". + +##% output ### +# ls: cannot access 'vendor/some-file': No such file or directory + + + +<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ++- The following actions failed +| - build submodule 1 ++- +- No changes have been performed +# Return code 31 # From d442c01f1d169aeca1d597e3b6957a4191c75181 Mon Sep 17 00:00:00 2001 From: Kate Date: Wed, 31 Jul 2024 09:56:00 +0100 Subject: [PATCH 3/3] Fail when git submodule fails to update instead of showing a warning and ignoring the error --- master_changes.md | 1 + src/repository/opamGit.ml | 4 +--- tests/reftests/git.test | 16 +++++++--------- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/master_changes.md b/master_changes.md index 4cc7860d3bc..e9bc7d044a7 100644 --- a/master_changes.md +++ b/master_changes.md @@ -89,6 +89,7 @@ users) ## Sandbox ## VCS + * Fail when git submodule fails to update instead of showing a warning and ignoring the error [#6132 @kit-ty-kate - fix #6131] ## Build * Synchronise opam-core.opam with opam-repository changes [#6043 @dra27] diff --git a/src/repository/opamGit.ml b/src/repository/opamGit.ml index 49980641c77..1b2f4c565df 100644 --- a/src/repository/opamGit.ml +++ b/src/repository/opamGit.ml 
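Review bot: The three `### ###` comment lines before `git -C ./use-submodule submodule add` in tests/reftests/git.test say the file protocol "is removed locally since git 2.38", which does not tell a reader which setting the test depends on. The transport still exists; what changed is that git no longer allows it for submodule clones by default, so the test only passes where `protocol.file.allow` has been set to `always`. I would reword the middle line to `### ### Needs "git config protocol.file.allow always": since git 2.38 file:// submodules are refused by default,` and keep the CVE link after it, so that anyone enabling it locally knows they are relaxing a security default. The title line also has a typo: `bevahiour` should read `behaviour`.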
@@ -179,9 +179,7 @@ module VCS : OpamVCS.VCS = struct if OpamFilename.exists (repo_root // ".gitmodules") then git repo_root [ "submodule"; "update"; "--init"; "--recursive" ] @@> fun r -> - if OpamProcess.is_failure r then - OpamConsole.warning "Git submodule update failed in %s" - (OpamFilename.Dir.to_string repo_root); + OpamSystem.raise_on_process_error r; Done () else Done () diff --git a/tests/reftests/git.test b/tests/reftests/git.test index 187baa24096..5f7d54346a6 100644 --- a/tests/reftests/git.test +++ b/tests/reftests/git.test @@ -51,24 +51,22 @@ The following actions will be performed: <><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><> -> removed submodule.1 Done. -### opam install submodule +### opam install submodule | '".+[/\\]git(\.exe)? ' -> '"git ' The following actions will be performed: === install 1 package - install submodule 1 <><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><> -[WARNING] Git submodule update failed in ${BASEDIR}/OPAM/submodule/.opam-switch/sources/submodule.1 --> retrieved submodule.1 (git+file://${BASEDIR}/use-submodule) -[ERROR] The compilation of submodule.1 failed at "ls vendor/some-file". - -##% output ### -# ls: cannot access 'vendor/some-file': No such file or directory +[ERROR] Could not synchronize ${BASEDIR}/OPAM/submodule/.opam-switch/sources/submodule.1 from "git+file://${BASEDIR}/use-submodule": + "git submodule update --init --recursive" exited with code 1 +[ERROR] Failed to get sources of submodule.1: git+file://${BASEDIR}/use-submodule +OpamSolution.Fetch_fail("git+file://${BASEDIR}/use-submodule") <><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> +- The following actions failed -| - build submodule 1 +| - fetch submodule 1 +- - No changes have been performed -# Return code 31 # +# Return code 40 #
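Review bot: The new `OpamSystem.raise_on_process_error r;` in the `.gitmodules` branch turns every failed `git submodule update --init --recursive` into a fetch failure, and nothing at the call site says this is deliberate. Failing closed is the safer choice, since a partially populated source tree would otherwise reach the build step, but it is a behaviour change for packages whose submodules are unreachable yet unused by the build, so a short comment would help: `(* Incomplete submodules mean incomplete sources: abort the fetch instead of building a partial tree. *)`. Judging by the updated expectation in tests/reftests/git.test, the user only sees `exited with code 1`, so git's own reason (for instance a refused file transport) appears to be lost; surfacing git's stderr in that message may be worth a follow-up. The enclosing function starts and ends outside the hunk.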