Re: Git bomb still present (at least in SUSE)?

(moving conversation to the main Git list.  I hope that's okay.)
Hi,

Jeff King wrote:
> On Tue, Jan 15, 2019 at 02:35:29PM +0100, Marketa Calabkova wrote:

>> meggy@irbis:/tmp/test> /usr/bin/time git clone
>> https://github.com/Katee/git-bomb.git
>> Cloning into 'git-bomb'...
>> remote: Enumerating objects: 18, done.
>> remote: Total 18 (delta 0), reused 0 (delta 0), pack-reused 18
>> Unpacking objects: 100% (18/18), done.
>> ^Cwarning: Clone succeeded, but checkout failed.
[...]
>   git clone --bare https://github.com/Katee/git-bomb.git
>   cd git-bomb.git
>   git read-tree HEAD ;# yikes!
>
> So I don't think there's a bug per se. It is possible that Git could
> have better protections against maliciously gigantic repositories, but I
> don't think anybody is actively working on such a feature (and it would
> involve much more than this case; it's pretty easy to generate trees
> with pessimal diffs, etc).

One thing I think interested people could do is introduce some kind of
"limits" subsystem into Git, so that a person could configure Git to
refuse to even try when it notices that an operation is going to be
sufficiently expensive.  I.e. something similar to what rlimits (or
other limits e.g. enforced in cgroups) provide in an operating system.

That said, as alluded to in the last paragraph, there's also some
protection possible at the operating system level.

So my feeling is that there's some real potential for improvement
here, and I'm happy to help mentor anyone working on it if it is their
itch (because of the "can handle at another level" thing, it is not
mine).

Thanks,
Jonathan
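One way to do the "refuse before even trying" check described above, as an added example that is not code from the thread or from Git itself: it counts the paths a checkout of a tree would create by memoising on tree id, so a repository shaped like the one cloned above is measured in time proportional to its handful of unique objects rather than its billions of files, and rejected before `git checkout` or `git read-tree` runs. The names `git_tree_reader`, `count_paths` and `constructed_bomb`, the 256-level nesting cap and the limit values are this example's own assumptions.

```python
# Pre-checkout cost estimate for a Git tree (added example; git-bomb trees reuse
# one subtree at every level, so unique objects stay few while paths explode).
import subprocess
from typing import Callable, Dict, List, Tuple

Entry = Tuple[str, str, str]  # (mode, object type, object id) of one tree entry
Reader = Callable[[str], List[Entry]]


class TooExpensive(Exception):
    """The expanded tree would exceed the configured limit."""


def git_tree_reader(repo_dir: str) -> Reader:
    """Reader backed by `git cat-file -p <oid>` on a real (e.g. bare) repository."""
    def read(oid: str) -> List[Entry]:
        out = subprocess.run(["git", "-C", repo_dir, "cat-file", "-p", oid],
                             check=True, capture_output=True, text=True).stdout
        # each line is "<mode> <type> <oid>\t<name>"; the name is irrelevant here
        return [tuple(line.split("\t", 1)[0].split(" ", 2)) for line in out.splitlines()]
    return read


def count_paths(root: str, read_tree: Reader, limit: int, max_depth: int = 256) -> int:
    """Paths a checkout of `root` would create; raises TooExpensive past `limit`."""
    memo: Dict[str, int] = {}  # tree id -> expanded path count, computed once per tree

    def walk(oid: str, depth: int) -> int:
        if oid in memo:
            return memo[oid]
        if depth > max_depth:  # assumed cap; also bounds recursion on hostile input
            raise TooExpensive(f"tree nesting deeper than {max_depth}")
        total = 0
        for _mode, otype, child in read_tree(oid):
            total += 1  # the entry itself: file, symlink, gitlink or directory
            if otype == "tree":
                total += walk(child, depth + 1)
            if total > limit:  # abort as soon as any subtree alone is too big
                raise TooExpensive(f"expanded tree exceeds {limit} paths")
        memo[oid] = total
        return total

    return walk(root, 0)


def constructed_bomb(depth: int, fanout: int) -> Reader:
    """Constructed in-memory stand-in for a git-bomb-shaped repository: `depth`
    levels of trees, each holding `fanout` entries that all point at one child."""
    trees: Dict[str, List[Entry]] = {"tree0": [("100644", "blob", "blob0")] * fanout}
    for level in range(1, depth):
        trees[f"tree{level}"] = [("040000", "tree", f"tree{level - 1}")] * fanout
    return trees.__getitem__
```

With `constructed_bomb(10, 10)` the root expands to 11,111,111,110 paths even though only ten tree objects and one blob exist, which `count_paths` reports (or refuses, given a smaller limit) after reading each unique tree once.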


