Nick Thomas authored 5 years ago and Patrick Bajao committed 5 years ago

In most cases, Gitaly trusts that the caller of the RPC has validated
that the user is permitted to perform the action represented by the RPC
and doesn't repeat any access control checks. Where an RPC reads data
from a client-controlled stream before acting, the time between the
check and the operation can be artificially extended. This can lead to
security issues where

Solve this by placing a limit on the *negotiation phase* of two RPCs
that are known to be vulnerable:

* ssh.SSHUploadPack
* ssh.SSHUploadArchive

These RPCs are known not to be vulnerable, for one reason or another:

* ssh.SSHReceivePack
* smarthttp.ReceivePack

The smarthttp.UploadPack RPC is vulnerable, but the vulnerability is
being handled in Workhorse.

- feature toggle 'get_tag_messages_go'
- go implementation
Closes: #2123

`catfile` provides a nice wrapper around `git cat-file`, and it was
using the 'wrong' way of doing Git commands. This change uses the Git
DSL for catfile, and slightly refactors the package to use the
repository.GitRepo interface.

Closes: #1934, #1933

Adds an RPC to get a repository's object pool. Also added a method under
internal/git/objectpool to get an object pool of a repository.

Closes #1947

Closes #1944

As part of the epic that moves away for the git.Command usage, and to
the git.SafeCmd usage
(&1893), this package was
ported to the git.SafeCmd form.

Closes: #1945
Closes: #1946

Closes: #1936
Closes: #1935

In git@014ade74
the behaviour of upload-pack changed to be explicit about missing refs.
In the Gitaly test the assertion was made against the output of the
command being empty. This is no longer the case, so now an assertion is
made against the output.

This itself might break in the furture, but given the test is about hidden
refs it's probably better to have this test break somewhere in the
future than remove the assertion or weaken it.