Pkg.jl: `]add $PACKAGE_NAME#remotes/cache/pull/$NUM/head` works; a feature or a security hole?

I think it's in general impossible to know what a git ref "means". The fact that a branch named remotes/cache/pull/<num>/head exists within the remote repository is just an implementation detail of GitHub; on GitLab this may not work or it may be available as pull_requests/by_issue_num/<num>, etc... I don't think Pkg can really do anything about this, because it is also completely valid for you as a user to have a git repository with a branch name that actually is remotes/cache/pull/99999/head. As an example, I just did that right here.

So it's impossible to know if this is "unsafe" code or an actually desirable branch name from Pkg's perspective, and even if we did try to "block" things matching this pattern, GitHub may change their internal representation eventually.

I was thinking to prepend refs/remotes/origin/ to the branch supplied by the user. Assuming that libgit2 has git-rev-parse-like behavior, wouldn't this (more or less) ensure that it is the branch name of the origin? But I just noticed that ]add claims to support specifying the commit hash. So Pkg would have to fallback to treat the given #name as the commit hash to support it.

I just tried to reproduce this and I couldn't. How are you seeing this behavior?

Here is a quick oneliner to see it:

HOME="$(mktemp -d --suffix "-julia")" julia -i --color=yes --startup-file=no -e 'using Pkg; pkg"add PyCall#remotes/cache/pull/556/head"'

It seems that it works outside my laptop: https://github.com/JuliaPy/PyCall.jl/issues/565#issuecomment-422320792

I would say this is a feature.

There's no such thing as client-side security.