Git fetcher: Don't compute revCount if it's already specified

edolstra · edolstra · commit 2c2a0d8b29c4 · 2025-11-19T20:49:08.000+01:00
We don't care if the user (or more likely the lock file) specifies
an incorrect value for revCount, since it doesn't matter for
security (unlikely content hashes like narHash).
diff --git a/src/libfetchers/fetchers.cc b/src/libfetchers/fetchers.cc
@@ -282,11 +282,6 @@ void Input::checkLocks(Input specified, Input & result)
         if (result.getRev() != prevRev)
             throw Error("'rev' attribute mismatch in input '%s', expected %s", result.to_string(), prevRev->gitRev());
     }
-
-    if (auto prevRevCount = specified.getRevCount()) {
-        if (result.getRevCount() != prevRevCount)
-            throw Error("'revCount' attribute mismatch in input '%s', expected %d", result.to_string(), *prevRevCount);
-    }
 }
 
 std::pair<ref<SourceAccessor>, Input> Input::getAccessor(const Settings & settings, Store & store) const
diff --git a/src/libfetchers/git.cc b/src/libfetchers/git.cc
@@ -891,8 +891,13 @@ struct GitInputScheme : InputScheme
 
         input.attrs.insert_or_assign("lastModified", getLastModified(settings, repoInfo, repoDir, rev));
 
-        if (!getShallowAttr(input))
-            input.attrs.insert_or_assign("revCount", getRevCount(settings, repoInfo, repoDir, rev));
+        if (!getShallowAttr(input)) {
+            /* Skip revCount computation if it's already supplied by the caller.
+               We don't care if they specify an incorrect value; it doesn't
+               matter for security, unlike narHash. */
+            if (!input.attrs.contains("revCount"))
+                input.attrs.insert_or_assign("revCount", getRevCount(settings, repoInfo, repoDir, rev));
+        }
 
         printTalkative("using revision %s of repo '%s'", rev.gitRev(), repoInfo.locationToArg());
 
diff --git a/tests/nixos/tarball-flakes.nix b/tests/nixos/tarball-flakes.nix
@@ -99,7 +99,6 @@ in
 
       # Check that fetching fails if we provide incorrect attributes.
       machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=493300eb13ae6fb387fbd47bf54a85915acc31c0")
-      machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=789")
       machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=sha256-tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=")
     '';
 

Original file line number	Diff line number	Diff line change
`@@ -282,11 +282,6 @@ void Input::checkLocks(Input specified, Input & result)`
`282`	`282`	`if (result.getRev() != prevRev)`
`283`	`283`	`throw Error("'rev' attribute mismatch in input '%s', expected %s", result.to_string(), prevRev->gitRev());`
`284`	`284`	`}`
`285`		`-`
`286`		`- if (auto prevRevCount = specified.getRevCount()) {`
`287`		`- if (result.getRevCount() != prevRevCount)`
`288`		`- throw Error("'revCount' attribute mismatch in input '%s', expected %d", result.to_string(), *prevRevCount);`
`289`		`- }`
`290`	`285`	`}`
`291`	`286`
`292`	`287`	`std::pair<ref<SourceAccessor>, Input> Input::getAccessor(const Settings & settings, Store & store) const`