On Tue, Dec 11, 2018 at 12:45:16PM +0100, Ævar Arnfjörð Bjarmason wrote: > > I don't know if there's a good solution. I tried running the whole > > test suite with v2 as the default. It does find this bug, but it has > > a bunch of other problems (notably fetch-pack won't run as v2, but > > some other tests I think also depend on v0's reachability rules, > > which v2 is documented not to enforce). > > I think a global test mode for it would be a very good idea. Yeah, but somebody needs to pick through the dozens of false positives for it to be useful. > > The patches are: > > > > [1/3]: serve: pass "config context" through to individual commands > > [2/3]: parse_hide_refs_config: handle NULL section > > [3/3]: upload-pack: support hidden refs with protocol v2 > > Does this issue rise to the level of needing a security point-release > (which I'm discussing here as the details are already public). The > transfer.hideRefs docs have said: > > Even if you hide refs, a client may still be able to steal the > target objects via the techniques described in the "SECURITY" > section of the gitnamespaces(7) man page; it’s best to keep private > data in a separate repository. > > So we never promised to hide the objects, but definitely promised to > hide the ref names. I don't know if anyone uses this in practice for > secret ref names, but if they do they have a data leak if they enable > protocol v2. Yes, that was my line of thinking. You can't really consider such items secure, though it is unfortunate that this leak makes it way easier to access them (you can just fetch them, rather than playing oracle-guessing games with deltas). At GitHub we keep some internal book-keeping refs, but exposing them to the user is mostly an annoyance. One thing to note is that there's no "enable protocol v2". If you're running a recent enough Git (v2.18+?) on the server, anybody can ask for these refs. > More importantly, the docs for receive.hideRefs say. "An attempt to > update or delete a hidden ref by git push is rejected.". It seems this > bit was enforced, i.e. this passes before and after your 3/3, but I have > not dug enough to be 100% satisfied with that. This part is OK. There is no v2 push protocol yet, so you end up running the regular v0 receive-pack. -Peff
