[TOPIC 17/17] Security

Notes from Git Contributor Summit, Los Angeles (April 5, 2020) · James Ramsay <hidden> · 2020-03-12
[TOPIC 1/17] Reftable · James Ramsay <hidden> · 2020-03-12
[TOPIC 2/17] Hooks in the future · James Ramsay <hidden> · 2020-03-12
Re: [TOPIC 2/17] Hooks in the future · Emily Shaffer <hidden> · 2020-03-12
[TOPIC 3/17] Obliterate · James Ramsay <hidden> · 2020-03-12
Re: [TOPIC 3/17] Obliterate · Konstantin Ryabitsev <hidden> · 2020-03-12
Re: [TOPIC 3/17] Obliterate · Damien Robert <hidden> · 2020-03-15
Re: [TOPIC 3/17] Obliterate · Konstantin Tokarev <hidden> · 2020-03-16
Re: [TOPIC 3/17] Obliterate · Damien Robert <hidden> · 2020-03-26
Re: [TOPIC 3/17] Obliterate · Elijah Newren <hidden> · 2020-03-16
Re: [TOPIC 3/17] Obliterate · Damien Robert <hidden> · 2020-03-26
Re: [TOPIC 3/17] Obliterate · Phillip Susi <hidden> · 2020-03-16
Re: [TOPIC 3/17] Obliterate · Damien Robert <hidden> · 2020-03-26
Re: [TOPIC 3/17] Obliterate · Philip Oakley <hidden> · 2020-03-16
Re: [TOPIC 3/17] Obliterate · <hidden> · 2020-05-16
[TOPIC 4/17] Sparse checkout · James Ramsay <hidden> · 2020-03-12
[TOPIC 5/17] Partial Clone · James Ramsay <hidden> · 2020-03-12
Allowing only blob filtering was: [TOPIC 5/17] Partial Clone · Christian Couder <hidden> · 2020-03-17
[RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Taylor Blau <hidden> · 2020-03-17
[RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Taylor Blau <hidden> · 2020-03-17
Re: [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Eric Sunshine <hidden> · 2020-03-17
Re: [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Jeff King <hidden> · 2020-03-18
Re: [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Eric Sunshine <hidden> · 2020-03-18
Re: [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Jeff King <hidden> · 2020-03-19
Re: [RFC PATCH 1/2] list_objects_filter_options: introduce 'list_object_filter_config_name' · Taylor Blau <hidden> · 2020-03-18
[RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) · Taylor Blau <hidden> · 2020-03-17
Re: [RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) · Eric Sunshine <hidden> · 2020-03-17
Re: [RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) · Taylor Blau <hidden> · 2020-03-18
Re: [RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) · Philip Oakley <hidden> · 2020-03-18
Re: [RFC PATCH 2/2] upload-pack.c: allow banning certain object filter(s) · Taylor Blau <hidden> · 2020-03-18
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Jeff King <hidden> · 2020-03-18
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Taylor Blau <hidden> · 2020-03-18
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Jeff King <hidden> · 2020-03-19
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Christian Couder <hidden> · 2020-04-17
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Taylor Blau <hidden> · 2020-04-17
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Jeff King <hidden> · 2020-04-17
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Christian Couder <hidden> · 2020-04-21
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Taylor Blau <hidden> · 2020-04-22
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Taylor Blau <hidden> · 2020-04-22
Re: [RFC PATCH 0/2] upload-pack.c: limit allowed filter choices · Christian Couder <hidden> · 2020-04-21
[TOPIC 6/17] GC strategies · James Ramsay <hidden> · 2020-03-12
[TOPIC 7/17] Background operations/maintenance · James Ramsay <hidden> · 2020-03-12
[TOPIC 8/17] Push performance · James Ramsay <hidden> · 2020-03-12
[TOPIC 9/17] Obsolescence markers and evolve · James Ramsay <hidden> · 2020-03-12
Re: [TOPIC 9/17] Obsolescence markers and evolve · Noam Soloveichik <hidden> · 2020-05-09
Re: [TOPIC 9/17] Obsolescence markers and evolve · Jeff King <hidden> · 2020-05-15
[TOPIC 10/17] Expel ‘git shell’? · James Ramsay <hidden> · 2020-03-12
[TOPIC 11/17] GPL enforcement · James Ramsay <hidden> · 2020-03-12
[TOPIC 12/17] Test harness improvements · James Ramsay <hidden> · 2020-03-12
[TOPIC 13/17] Cross implementation test suite · James Ramsay <hidden> · 2020-03-12
[TOPIC 14/17] Aspects of merge-ort: cool, or crimes against humanity? · James Ramsay <hidden> · 2020-03-12
[TOPIC 15/17] Reachability checks · James Ramsay <hidden> · 2020-03-12
[TOPIC 16/17] “I want areviewer” · James Ramsay <hidden> · 2020-03-12
Re: [TOPIC 16/17] “I want a reviewer” · Emily Shaffer <hidden> · 2020-03-12
Re: [TOPIC 16/17] “I want a reviewer” · Konstantin Ryabitsev <hidden> · 2020-03-12
Re: [TOPIC 16/17] “I want a reviewer” · Jonathan Nieder <hidden> · 2020-03-12
Re: [TOPIC 16/17] “I want a reviewer” · Konstantin Ryabitsev <hidden> · 2020-03-12
Re: [TOPIC 16/17] “I want a reviewer” · Philippe Blain <hidden> · 2020-03-17
Re: [TOPIC 16/17] “I want a reviewer” · Eric Wong <hidden> · 2020-03-13
Re: [TOPIC 16/17] “I want a reviewer” · Jeff King <hidden> · 2020-03-15
inbox indexing wishlist [was: [TOPIC 16/17] “I want a reviewer”] · Eric Wong <hidden> · 2020-03-15
[TOPIC 17/17] Security · James Ramsay <hidden> · 2020-03-12
Re: Notes from Git Contributor Summit, Los Angeles (April 5, 2020) · Derrick Stolee <hidden> · 2020-03-12
Re: Notes from Git Contributor Summit, Los Angeles (April 5, 2020) · Jeff King <hidden> · 2020-03-13

From: James Ramsay <hidden>
Date: 2020-03-12 04:16:11

1. Demtr: what are people doing to prevent security issues? For example, 
not allowing things into trees that would be problematic for various 
filesystems.

2. Jonathan N: transfer fsck objects by default, to validate at the 
trust boundary (in case some code paths at use time are missing some 
validation)

3. Peff: we have had buffer overflows, most are logic errors, and mostly 
paths related. Recently we’ve tightened up which paths are allowed. 
Forbidding things that might be valid on Linux, but problems on Windows. 
Can’t catch everything though, because Windows is so so complex

4. Stolee: I am fearful, and do not know all the rules.

5. Peff: I don’t think it is possible.

6. Demetr: only latin chars, numbers and a few other characters. Do not 
allow any special symbols.

7. Brian: that’s going to break lots of existing projects. Some 
projects have never been on Windows, and therefore people have no 
concern about Windows. People checking files that are strange to 
deliberately test strange files in their own software. If Windows has an 
API to test filepath, there is not much we can do to protect it. 
Compatibility is important.

8. Peff: probably some cleanup needed, maybe can’t clone git.git. Some 
paths that are innocuous, are a problem in strange situations.

9. Jonathan N: what in Git's design scares the crap out of you?

10. ZJ: GitLab shells out for everything. We had injections. Now we have 
a DSL to verify things. Looking at --end-of-options.

11. Peff: C is terrifying. Rust rewrite please. Still have integer 
overflow risks. Tried to deal with it a few years ago, and found some 
more a few months back. A happy story: OID array uses signed integer, 
because no-one has more than 2billion objects. Someone had 3billion 
objects. Just the SHA1s are 60GB. Found it because it triggered overflow 
in st_add. As soon as they wrapped around, it crashed, preventing under 
allocation

12. Jeff H: communication between processes

13. <musical interlude>

14. Peff: I feel good about where we read and write strings to each 
other. Maybe if we were using JSON encode/decode it might be easier to 
handle obscure cases

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help