 8c735b11de
			
		
	
			We added an "object-info" capability to the v2 upload-pack protocol in
a2ba162cda (object-info: support for retrieving object info,
2021-04-20). In the almost 3 years since, we have not added any
client-side support, and it does not appear to exist in other
implementations either (JGit understands the verb on the server side,
but not on the client side).
Since this largely unused code is accessible over the network by
default, it increases the attack surface of upload-pack. I don't know of
any particularly severe problem, but one issue is that because of the
request/response nature of the v2 protocol, it will happily read an
unbounded number of packets, adding each one to a string list (without
regard to whether they are objects we know about, duplicates, etc).
This may be something we want to improve in the long run, but in the
short term it makes sense to disable the feature entirely. We'll add a
config option as an escape hatch for anybody who wants to develop the
feature further.
A gentler option would be to add the config option to let people
disable it manually, but leave it enabled by default. But given that
there's no client-side support, that seems like the wrong balance with
security.
Disabling by default will slow adoption a bit once client-side support
does become available (there were some patches[1] in 2022, but nothing
got merged and there's been nothing since). But clients have to deal
with older servers that do not understand the option anyway (and the
capability system handles that), so it will just be a matter of servers
flipping their config at that point (and hopefully once any unbounded
allocations have been addressed).
[jk: this is a patch that GitHub has been running for several years, but
     rebased forward and with a new commit message for upstream]
[1] https://lore.kernel.org/git/20220208231911.725273-1-calvinwan@google.com/
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
		
	
		
			
				
	
	
		
#!/bin/sh

# Description string for this script; set before the harness is sourced.
test_description='test functionality common to smart fetch & push'

# NOTE(review): presumably marks the script as expected to pass under the
# leak sanitizer; the variable is consumed by test-lib.sh, which is not
# shown here -- confirm there.
TEST_PASSES_SANITIZE_LEAK=true
# Source the shared harness. The helpers used below (test_expect_success,
# test_commit, test_cmp, test_must_be_empty, sane_unset, test_oid, test_done)
# are not defined in this file.
. ./test-lib.sh

# Create the one commit that the later tests resolve through
# `git rev-parse HEAD` when building their expected advertisements.
test_expect_success 'setup' '
	test_commit --no-tag initial
'

# upload-pack: --http-backend-info-refs and --advertise-refs must behave the
# same. Both stdout and stderr of the two invocations are captured and
# compared with test_cmp, so a divergence on either stream fails the test.
test_expect_success 'git upload-pack --http-backend-info-refs and --advertise-refs are aliased' '
	git upload-pack --http-backend-info-refs . >expected 2>err.expected &&
	git upload-pack --advertise-refs . >actual 2>err.actual &&
	test_cmp err.expected err.actual &&
	test_cmp expected actual
'

# receive-pack: same aliasing check as for upload-pack. The two option
# spellings are run against the same repository and their stdout and stderr
# are compared pairwise.
test_expect_success 'git receive-pack --http-backend-info-refs and --advertise-refs are aliased' '
	git receive-pack --http-backend-info-refs . >expected 2>err.expected &&
	git receive-pack --advertise-refs . >actual 2>err.actual &&
	test_cmp err.expected err.actual &&
	test_cmp expected actual
'

# upload-pack advertisement with GIT_PROTOCOL unset. The expected unpacked
# output is HEAD, the branch HEAD points at, and the 0000 terminator line,
# with nothing on stderr. The first invocation sets
# GIT_TEST_PROTOCOL_VERSION=2 and still expects this output, i.e. only
# GIT_PROTOCOL is expected to influence the advertisement.
#
# NOTE(review): the second invocation is introduced as the "alias" check but
# uses the same --advertise-refs spelling as the first; the only visible
# difference is that GIT_TEST_PROTOCOL_VERSION is not set on that command.
# The other spelling (--http-backend-info-refs) is exercised by the aliasing
# test earlier in this file -- confirm whether it was intended here too.
test_expect_success 'git upload-pack --advertise-refs' '
	cat >expect <<-EOF &&
	$(git rev-parse HEAD) HEAD
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	# We only care about GIT_PROTOCOL, not GIT_TEST_PROTOCOL_VERSION
	sane_unset GIT_PROTOCOL &&
	GIT_TEST_PROTOCOL_VERSION=2 \
	git upload-pack --advertise-refs . >out 2>err &&

	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect &&

	# The --advertise-refs alias works
	git upload-pack --advertise-refs . >out 2>err &&

	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect
'

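# Protocol v0 advertisement from upload-pack, requested two ways: with no
# protocol specified on the command, and with GIT_PROTOCOL=version=0. Both
# must unpack to the same list (HEAD, the branch HEAD points at, then the
# 0000 terminator line) and leave stderr empty.
#
# In the explicit-v0 half the unpacker's stderr is written to its own file
# (err.unpack). Redirecting it to err would overwrite the stderr captured
# from upload-pack on the previous line, so the emptiness check would only
# cover the unpacker. Both files are required to be empty.
test_expect_success 'git upload-pack --advertise-refs: v0' '
	# With no specified protocol
	cat >expect <<-EOF &&
	$(git rev-parse HEAD) HEAD
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	git upload-pack --advertise-refs . >out 2>err &&
	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect &&

	# With explicit v0
	GIT_PROTOCOL=version=0 \
	git upload-pack --advertise-refs . >out 2>err &&
	test-tool pkt-line unpack <out >actual 2>err.unpack &&
	test_must_be_empty err &&
	test_must_be_empty err.unpack &&
	test_cmp actual expect
'
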
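# Protocol v0 advertisement from receive-pack, requested two ways: with no
# protocol specified on the command, and with GIT_PROTOCOL=version=0. Both
# must unpack to the branch HEAD points at followed by the 0000 terminator
# line, and leave stderr empty.
#
# In the explicit-v0 half the unpacker's stderr is written to its own file
# (err.unpack). Redirecting it to err would overwrite the stderr captured
# from receive-pack on the previous line, so the emptiness check would only
# cover the unpacker. Both files are required to be empty.
test_expect_success 'git receive-pack --advertise-refs: v0' '
	# With no specified protocol
	cat >expect <<-EOF &&
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	git receive-pack --advertise-refs . >out 2>err &&
	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect &&

	# With explicit v0
	GIT_PROTOCOL=version=0 \
	git receive-pack --advertise-refs . >out 2>err &&
	test-tool pkt-line unpack <out >actual 2>err.unpack &&
	test_must_be_empty err &&
	test_must_be_empty err.unpack &&
	test_cmp actual expect
'
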
# Protocol v1 advertisement from upload-pack: the expected output is the v0
# list preceded by a "version 1" line.
#
# upload-pack's own stderr is not redirected in this test; the err file that
# is checked for emptiness holds only what the pkt-line unpacker wrote.
#
# NOTE(review): the in-body comment says no protocol is specified, but the
# command below sets GIT_PROTOCOL=version=1.
test_expect_success 'git upload-pack --advertise-refs: v1' '
	# With no specified protocol
	cat >expect <<-EOF &&
	version 1
	$(git rev-parse HEAD) HEAD
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	GIT_PROTOCOL=version=1 \
	git upload-pack --advertise-refs . >out &&

	test-tool pkt-line unpack <out >actual 2>err &&
	test_must_be_empty err &&
	test_cmp actual expect
'

# Protocol v1 advertisement from receive-pack: the expected output is the v0
# list preceded by a "version 1" line.
#
# receive-pack's own stderr is not redirected in this test; the err file that
# is checked for emptiness holds only what the pkt-line unpacker wrote.
#
# NOTE(review): the in-body comment says no protocol is specified, but the
# command below sets GIT_PROTOCOL=version=1.
test_expect_success 'git receive-pack --advertise-refs: v1' '
	# With no specified protocol
	cat >expect <<-EOF &&
	version 1
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	GIT_PROTOCOL=version=1 \
	git receive-pack --advertise-refs . >out &&

	test-tool pkt-line unpack <out >actual 2>err &&
	test_must_be_empty err &&
	test_cmp actual expect
'

# Protocol v2 capability advertisement from upload-pack. The comparison is
# against the exact expected list (version line, agent, ls-refs, fetch,
# server-option, object-format, terminator), so any capability added to or
# dropped from the default advertisement fails test_cmp.
#
# object-info is not in the expected list; per the accompanying commit
# message that capability is disabled by default to reduce what upload-pack
# exposes over the network. This test therefore also guards against it being
# advertised again by default.
#
# GIT_USER_AGENT=FAKE is set so the agent= line matches the fixed expectation.
#
# NOTE(review): the opt-in path (the config escape hatch the commit message
# mentions) is not exercised in this file -- confirm it is covered elsewhere.
test_expect_success 'git upload-pack --advertise-refs: v2' '
	cat >expect <<-EOF &&
	version 2
	agent=FAKE
	ls-refs=unborn
	fetch=shallow wait-for-done
	server-option
	object-format=$(test_oid algo)
	0000
	EOF

	GIT_PROTOCOL=version=2 \
	GIT_USER_AGENT=FAKE \
	git upload-pack --advertise-refs . >out 2>err &&

	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect
'

# receive-pack asked for protocol v2. The expected output has no version
# line and is the same list the receive-pack v0 test expects (the branch HEAD
# points at, then the 0000 terminator line), with nothing on stderr.
test_expect_success 'git receive-pack --advertise-refs: v2' '
	# There is no v2 yet for receive-pack, implicit v0
	cat >expect <<-EOF &&
	$(git rev-parse HEAD) $(git symbolic-ref HEAD)
	0000
	EOF

	GIT_PROTOCOL=version=2 \
	git receive-pack --advertise-refs . >out 2>err &&

	test-tool pkt-line unpack <out >actual &&
	test_must_be_empty err &&
	test_cmp actual expect
'

# Last statement of the script; test_done is provided by the sourced
# test-lib.sh (not shown) -- presumably it finalizes and reports the run.
test_done