Оvercommit - convenient Git hook manager

Voldemar Duletskiy, Ruby developer, Evrone, Moscow Ruby Meet-up 6 report
01 August 2017   2811
Ruby

Dynamic, open source programming language with a focus on simplicity and productivity, it has an elegant syntax that is natural to read and easy to write.

Hello Ruby fans! Today we will talk about Overcommit - the convenient management of git-hooks.

Imagine that you have a small project with a micro-team of three or four people, including the manager. Deadline is near, but you cannot lower the quality of the code. You don't wanna use CI and there are no extra money for it.

What is hooks and where are they located?

It is the scripts that are executed at certain event. You can view all existing hooks by running the following command:

ls -la .git/hooks

You will see this listing:

-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 commit-msg
-rwxr-xr-x   1 voldemar  staff  3755 28 июн 16:39 overcommit-hook
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 post-checkout
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 post-commit
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 post-merge
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 post-rewrite
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 pre-commit
-rwxr-xr-x   1 voldemar  staff   673  2 Jun 14:37 pre-commit.sh
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 pre-push
-rwxr-xr-x   1 voldemar  staff  3755 28 Jun 16:39 pre-rebase

Hook is an executable file, which can content anything, including the Ruby code.

Why it is cool?

  • You can put linters like rubocop to the pre-commit hooks. It will not allow you to commit substandard code
  • You can hang up rspec to the pre-push hooks, and if the tests are dropped - cancel code sending
  • If you are already actively using hooks - you don't need to drag them from one repository to another, they all lie in .ovecommit.yml in a convenient format
RuboCop

Ruby static code analyzer, based on the community Ruby style guide

If you suffer from dispersion and you are sick of messages from your CI that tests have dropped again, or the ruby-cop found a million syntactic violations (or your colleagues in the code-review process). If you are an experienced developer, a good set of hooks seriously discourages young developers and reduces your code-review time. 

Intallation

Gemfile:

gem 'overcommit'

Execude from the consol:

bundle exec overcommit --install

 Now let's edit .overcommit.yml file

PreCommit:
  RuboCop:
    enabled: true
    command: ['bin/bundle', 'exec', 'rubocop', '-R']
    on_warn: fail
  HamlLint:
    enabled: true
    command: ['bin/bundle', 'exec', 'haml-lint', 'app/views/']
    on_warn: fail
  ScssLint:
    enabled: true
    command: ['bin/bundle', 'exec', 'scss-lint']
    include: 'app/assets/**/*.scss'
    on_warn: fail

PrePush:
  RSpec:
    enabled: true

We can see here that the launch of the rubocop scripts is describled in nice forman. haml-linter, sccs-linter and tests runs just before the commit.

In order to enforce hook running this should be executed:

bundle exec overcommit -R

Now, with every attempt to commit something, checks will be performed firstly.

 

Underwater rocks

If there are a lot of tests or they are dropping randomly - if you already have a habit to brew coffee while test runs, it's better to chop the hook responsible for running the tests. If they fall randomly - fix the tests at last, damn it.

Integration with Rubymine - I have serious problems with the integration of Overcommit and Rubymine

Continuous Integration

The practice of merging all developer working copies to a shared mainline several times a day

Overcommit and CI integration - if you still decide to connect CI, then most likely it already provides validation for the code. Often, their rules don't match and you have to adjust the settings, for example Rubocop under CI, or vice versa.

You can skip hooks by running git commit --no-verify

Conclusion

Overcommit is an excellent utility for maintaining a project in good shape for small teams. It will allow you not to grab your head every time after creating a pool of the requester with exclamations "Damn, I forgot to use rubocop again!" or "Damn, all the tests fell!".

Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package management system are now fixed and three in Rails framework
14 March 2019   157

There are corrective versions of the Ruby 2.6.2 and 2.5.4 programming language, which eliminate six vulnerabilities in the RubyGems package management system:

  • CVE-2019-8324: the ability to execute code when installing an untested package (an attacker can place the code on the gemspec and this code will be executed via a call to eval to ensure_loadable_spec at the verification stage before installation);
  • CVE-2019-8320: the ability to delete directories through manipulations with symbolic links when unpacking tar files;
  • CVE-2019-8321: the ability to substitute escape sequences through the handler Gem :: UserInteraction # verbose;
  • CVE-2019-8322: the ability to substitute escape sequences through the command "gem owner";
  • CVE-2019-8323: Ability to substitute escape sequences in the API handler (Gem :: GemcutterUtilities # with_response);
  • CVE-2019-8325: The ability to substitute escape sequences through error handlers (Gem :: CommandManager # run calls alert_error without escaping characters).

In addition, an update was provided to the Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2 framework. and 6.0.0.beta3 with the elimination of three vulnerabilities:

  • CVE-2019-5420 - potentially allows you to remotely execute your code on the server, when Rails is running in Development Mode. If there is information about the attacked application, you can predict the automatically generated mode token for developers, knowledge of which allows you to achieve the execution of your code;
  • CVE-2019-5418 is a vulnerability in the Action View that allows you to get the contents of arbitrary files from the server's file system by sending a specially crafted HTTP Accept header if the code in the "render file:" handler is present.
  • CVE-2019-5419 - DoS-vulnerability in Action View (MODULE / COMPONENT), allowing to achieve 100% load on the CPU through manipulations with the contents of the HTTP-header Accept;