SaaS: Whitelist badEmail errors within the git fsck checks
The Gitaly team is going to investigate and provide recommendations on which git fsck checks can be whitelisted. This effort is captured under Analyze exceptions to the `git fsck` command (gitaly#5641).
Problem
Gitaly validates repository integrity, in part by running the git fsck command. Commits with an invalid email address are currently caught by this command, and the push to GitLab.com is rejected.
Technical Background
In general, git-fsck(1) checks fall into two categories:
- Inconsistencies that were at some point in time caused by bugs in old tools and that are generally benign. Zero-padded file modes fall into this category.
- Constructs that can cause exploits on the client-side.
Generally disabling git-fsck(1) on SaaS would be unacceptable due to the second bullet point. We do not want to make platforms like GitLab.com a potential attack vector for adversaries that upload repositories that contain objects which are known to trigger exploits on the client-side.
For the first item we have in the past settled on an allow-list on the Gitaly side where we disable certain git-fsck(1) checks that are known-benign. Right now we have three items in this list:
- badTimezone
- missingSpaceBeforeDate
- zeroPaddedFilemode
Proposed Solution
One option is to extend the allow-list further with additional known-benign fsck checks, which would then be ignored. This allow-list would remain global across all projects, though, and thus would not be configurable per project.
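To make the allow-list mechanism from the Technical Background and the proposal above concrete, here is an added example (not Gitaly's code, and not part of the issue) that models the two pieces involved: turning an allow-list of fsck message ids into the `fsck.<msg-id>=ignore` git configuration that git-fsck(1) accepts, and triaging fsck output so that only non-allow-listed messages block a push. The fsck output lines are constructed samples in the format git prints; the `fsck_config_args`, `triage` and `push_accepted` functions are hypothetical helpers, and whether Gitaly applies the allow-list via exactly this config key is an assumption.

```python
import re
from dataclasses import dataclass

# Known-benign fsck message ids currently ignored on the Gitaly side (from the issue text).
KNOWN_BENIGN = frozenset({"badTimezone", "missingSpaceBeforeDate", "zeroPaddedFilemode"})

# The extension under discussion: treating badEmail as benign as well (hypothetical).
PROPOSED_BENIGN = KNOWN_BENIGN | {"badEmail"}


def fsck_config_args(allowlist):
    """Build `-c fsck.<msg-id>=ignore` arguments for each allow-listed message id.

    `fsck.<msg-id>` with the values error/warn/ignore is a real git config key
    (see git-fsck(1)); that Gitaly uses exactly this key is an assumption here.
    """
    args = []
    for msg_id in sorted(allowlist):
        args += ["-c", f"fsck.{msg_id}=ignore"]
    return args


# One fsck diagnostic: "<severity> in <object type> <oid>: <msg-id>: <detail>"
FSCK_LINE = re.compile(
    r"^(?P<severity>error|warning) in (?P<obj_type>\w+) (?P<oid>[0-9a-f]{7,64}): "
    r"(?P<msg_id>\w+): (?P<detail>.*)$"
)


@dataclass(frozen=True)
class FsckMessage:
    severity: str
    obj_type: str
    oid: str
    msg_id: str
    detail: str


def parse_fsck_output(text):
    """Parse git fsck diagnostics; lines that do not match the format are skipped."""
    messages = []
    for line in text.splitlines():
        match = FSCK_LINE.match(line.strip())
        if match:
            messages.append(FsckMessage(**match.groupdict()))
    return messages


def triage(messages, allowlist):
    """Split messages into those the allow-list suppresses and those that still block."""
    suppressed = [m for m in messages if m.msg_id in allowlist]
    blocking = [m for m in messages if m.msg_id not in allowlist]
    return suppressed, blocking


def push_accepted(fsck_output, allowlist):
    """A push is accepted only if no message remains after applying the allow-list."""
    _, blocking = triage(parse_fsck_output(fsck_output), allowlist)
    return not blocking


# Constructed sample output mixing benign ids with ones that must keep blocking.
# gitmodulesParse is a real fsck id from the "client-side exploit" category and
# is deliberately absent from both allow-lists.
SAMPLE_FSCK_OUTPUT = """\
error in commit 6c7bd3a1f0e2c4d5b6a7980f1e2d3c4b5a697887: badEmail: invalid author/committer line - bad email
warning in tree 0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4: zeroPaddedFilemode: contains zero-padded file modes
error in commit 9a8b7c6d5e4f30211f2e3d4c5b6a79889706a5b4: badTimezone: invalid author/committer line - bad time zone
error in blob 3d4c5b6a7988970a5b4c3d2e1f0a1b2c3d4e5f60: gitmodulesParse: could not parse gitmodules blob
"""

# Constructed sample: the case this issue is about, a commit whose only defect is the email.
BAD_EMAIL_ONLY = (
    "error in commit 6c7bd3a1f0e2c4d5b6a7980f1e2d3c4b5a697887: "
    "badEmail: invalid author/committer line - bad email\n"
)


if __name__ == "__main__":
    print("git config args:", " ".join(fsck_config_args(KNOWN_BENIGN)))
    for name, allowlist in (("current", KNOWN_BENIGN), ("proposed", PROPOSED_BENIGN)):
        suppressed, blocking = triage(parse_fsck_output(SAMPLE_FSCK_OUTPUT), allowlist)
        print(f"{name}: suppressed={[m.msg_id for m in suppressed]} "
              f"blocking={[m.msg_id for m in blocking]}")
        print(f"{name}: badEmail-only push accepted? {push_accepted(BAD_EMAIL_ONLY, allowlist)}")
```

Running it shows the intended effect of the proposal: with the current list the badEmail-only push is rejected, with the extended list it is accepted, while the sample containing gitmodulesParse is rejected under both lists because the allow-list never touches the exploit-relevant checks.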
User experience goal
Users should be able to push to repositories to GitLab.com that do not pose an inherent security or exploitation risk.