Skip to content
  • Nick Thomas's avatar
    3c6bc2db
    Limit the negotiation phase for certain Gitaly RPCs · 3c6bc2db
    Nick Thomas authored and Patrick Bajao's avatar Patrick Bajao committed
    In most cases, Gitaly trusts that the caller of the RPC has validated
    that the user is permitted to perform the action represented by the RPC
    and doesn't repeat any access control checks. Where an RPC reads data
    from a client-controlled stream before acting, the time between the
    check and the operation can be artificially extended. This can lead to
    security issues where
    
    Solve this by placing a limit on the *negotiation phase* of two RPCs
    that are known to be vulnerable:
    
    * ssh.SSHUploadPack
    * ssh.SSHUploadArchive
    
    These RPCs are known not to be vulnerable, for one reason or another:
    
    * ssh.SSHReceivePack
    * smarthttp.ReceivePack
    
    The smarthttp.UploadPack RPC is vulnerable, but the vulnerability is
    being handled in Workhorse.
    3c6bc2db
    Limit the negotiation phase for certain Gitaly RPCs
    Nick Thomas authored and Patrick Bajao's avatar Patrick Bajao committed
    In most cases, Gitaly trusts that the caller of the RPC has validated
    that the user is permitted to perform the action represented by the RPC
    and doesn't repeat any access control checks. Where an RPC reads data
    from a client-controlled stream before acting, the time between the
    check and the operation can be artificially extended. This can lead to
    security issues where
    
    Solve this by placing a limit on the *negotiation phase* of two RPCs
    that are known to be vulnerable:
    
    * ssh.SSHUploadPack
    * ssh.SSHUploadArchive
    
    These RPCs are known not to be vulnerable, for one reason or another:
    
    * ssh.SSHReceivePack
    * smarthttp.ReceivePack
    
    The smarthttp.UploadPack RPC is vulnerable, but the vulnerability is
    being handled in Workhorse.
Loading