Thread (329 messages) 329 messages, 12 authors, 2018-03-14

Re: [PATCH v3 04/35] upload-pack: convert to a builtin

From: Jonathan Nieder <hidden>
Date: 2018-02-22 19:38:32

Hi,

Jeff King wrote:
On Thu, Feb 22, 2018 at 10:07:15AM -0800, Brandon Williams wrote:
quoted
On 02/22, Jeff King wrote:
quoted
On Wed, Feb 21, 2018 at 01:44:22PM -0800, Jonathan Tan wrote:
quoted
On Tue,  6 Feb 2018 17:12:41 -0800
Brandon Williams [off-list ref] wrote:
quoted
quoted
quoted
quoted
In order to allow for code sharing with the server-side of fetch in
protocol-v2 convert upload-pack to be a builtin.
[...]
quoted
quoted
quoted
As Stefan mentioned in [1], also mention in the commit message that this
means that the "git-upload-pack" invocation gains additional
capabilities (for example, invoking a pager for --help).
And possibly respecting pager.upload-pack, which would violate our rule
that it is safe to run upload-pack in untrusted repositories.
And this isn't an issue with receive-pack because this same guarantee
doesn't exist?
Yes, exactly (which is confusing and weird, yes, but that's how it is).
To be clear, which of the following are you (most) worried about?

 1. being invoked with --help and spawning a pager
 2. receiving and acting on options between 'git' and 'upload-pack'
 3. repository discovery
 4. pager config
 5. alias discovery
 6. increased code surface / unknown threats

For (1), "--help" has to be the first argument.  "git daemon" passes
--strict so it doesn't happen there.  "git http-backend" passes
--stateless-rpc so it doesn't happen there.  "git shell" sanitizes
input to avoid it happening there.

A custom setup could provide their own entry point that doesn't do
such sanitization.  I think that in some sense it's out of our hands,
but it would be nice to harden as described upthread.

For (2), I am having trouble imagining a setup where it would happen.

upload-pack doesn't have the RUN_SETUP or RUN_SETUP_GENTLY flag set,
so (3) doesn't apply.

Although in most setups the user does not control the config files on
a server, item (4) looks like a real issue worth solving.  I think we
should introduce a flag to skip looking for pager config.  We could
use it for receive-pack, too.

Builtins are handled before aliases, so (5) doesn't apply.

(6) is a real issue: it is why "git shell" is not a builtin, for
example.  But I would rather that we use appropriate sanitization
before upload-pack is invoked than live in fear.  git upload-pack is
sufficiently complicated that I don't think the git.c wrapper
increases the complexity by a significant amount.

That leaves me with a personal answer of only being worried about (4)
and not the rest.  What do you think?  Is one of the other items I
listed above worrisome, or is there another item I missed?

Thanks,
Jonathan
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help