
Detect git pull/clone audit event?

Delivery Note

This issue was delivered in GitLab 16.4. However, it is behind a feature flag that is disabled by default. The rollout of the feature flag and the feature becoming available can be tracked in #415138.


Related JH issue: https://jihulab.com/gitlab-cn/gitlab/-/issues/1000. @xfyuan, please take a look at this issue.

Hi there,

GitHub has supported git.clone/git.fetch audit events since 2020.10 (see this blog), so technically it is doable; however, so far GitLab does not support it. GitLab can only tell git-receive-pack, git-upload-pack and git-upload-archive events, which are too low-level git actions, and cannot tell the user whether it is a git.clone event or a git.pull event.

On the other hand, many customers said they are interested in it, like #2494 (closed) and gitlab-com/Product#4836.

After reading the git docs, I found something that may be useful.

git-upload-pack is the message the git server receives when a user pulls or clones. The git doc mentions that the git client sends have messages to represent what the client already has. In the example below, have 085bb3bcb608e1e8451d4b2432f8ecbe6306e7e7 means git found commit 085bb3bcb608e1e8451d4b2432f8ecbe6306e7e7 in the local repo when you pull.

Below is the git doc, in section Downloading Data:

At this point, the fetch-pack process looks at what objects it has and responds with the objects that it needs by sending “want” and then the SHA-1 it wants. It sends all the objects it already has with “have” and then the SHA-1. At the end of this list, it writes “done” to initiate the upload-pack process to begin sending the packfile of the data it needs:

003cwant ca82a6dff817ec66f44342007202690a93763949 ofs-delta
0032have 085bb3bcb608e1e8451d4b2432f8ecbe6306e7e7
0009done
0000

So I tried git pull and git clone several times using the http protocol and analyzed all requests. I think what I found is:

  • if clone, the message will not contain a have message
  • if pull/fetch in an existing repo, the message will contain have messages

Below is a clone, which has no have message:

0011command=fetch0014agent=git/2.38.10016object-format=sha10001000dthin-pack000dofs-delta0032want 81dc47d3858838afd6cb71627ede3f118ee49646
0032want 3f40479b55f3b35eaba567de9a3ba45146bbb2cb
0032want 81dc47d3858838afd6cb71627ede3f118ee49646
0032want 317485672b96e405a1a0d251941cf9d4f9b6e3fe
0009done
0000

Below is a fetch/pull, which contains have messages:

0011command=fetch0014agent=git/2.38.10016object-format=sha10001000dthin-pack000finclude-tag000dofs-delta0032want 3f40479b55f3b35eaba567de9a3ba45146bbb2cb
0032want 81dc47d3858838afd6cb71627ede3f118ee49646
0032have 82f229922e580381b768da407fcceea8fc521757
0032have 317485672b96e405a1a0d251941cf9d4f9b6e3fe
0000

So I think we need to dig more into it; if what I found is correct, I think we can pass the info from gitaly to rails to generate clone events and pull/fetch events.

cc: @qianzhangxa

Edited by Kai Armstrong
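The classification the issue proposes (want lines without have lines means clone, have lines present means pull/fetch) can be checked against the two captures above with a small pkt-line decoder. The following Go program is an added example for this page, not Gitaly or GitLab code: it decodes the 4-hex-digit length prefixes and the 0000/0001 special packets of the smart protocol, collects the command, want and have lines, and applies the heuristic. The captures are the two requests quoted in the issue, with the LF that terminates each want/have/done packet written out explicitly; the function and type names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Pkt is one decoded pkt-line from a Git smart-protocol request.
type Pkt struct {
	Kind    string // "data", "flush" (0000), "delim" (0001) or "response-end" (0002)
	Payload string // payload with its trailing LF stripped; empty for special packets
}

// ParsePktLines decodes a pkt-line stream. Every packet starts with a 4-char
// hex length that counts the prefix itself; 0000, 0001 and 0002 carry no data.
func ParsePktLines(raw string) ([]Pkt, error) {
	var pkts []Pkt
	for len(raw) > 0 {
		if len(raw) < 4 {
			return nil, fmt.Errorf("truncated length prefix %q", raw)
		}
		n, err := strconv.ParseUint(raw[:4], 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad length prefix %q: %w", raw[:4], err)
		}
		end := int(n)
		if end <= 2 { // special packets: flush, delim, response-end
			pkts = append(pkts, Pkt{Kind: []string{"flush", "delim", "response-end"}[end]})
			raw = raw[4:]
			continue
		}
		if end == 3 || end > len(raw) {
			return nil, fmt.Errorf("length %d out of range with %d bytes left", end, len(raw))
		}
		pkts = append(pkts, Pkt{Kind: "data", Payload: strings.TrimSuffix(raw[4:end], "\n")})
		raw = raw[end:]
	}
	return pkts, nil
}

// Summary holds the parts of an upload-pack request that matter for auditing.
type Summary struct {
	Command string   // protocol v2 "command=..." value; empty for a v0/v1 request
	Wants   []string // object ids the client asked for
	Haves   []string // object ids the client reported as already present
}

// Summarize extracts the command, want and have lines from decoded packets.
func Summarize(pkts []Pkt) Summary {
	var s Summary
	for _, p := range pkts {
		if p.Kind != "data" {
			continue
		}
		if strings.HasPrefix(p.Payload, "command=") {
			s.Command = strings.TrimPrefix(p.Payload, "command=")
			continue
		}
		f := strings.Fields(p.Payload)
		if len(f) < 2 {
			continue // agent=, object-format=, thin-pack, done, ...
		}
		switch f[0] {
		case "want":
			s.Wants = append(s.Wants, f[1])
		case "have":
			s.Haves = append(s.Haves, f[1])
		}
	}
	return s
}

// Classify applies the heuristic from the issue: want lines with no have lines
// is a clone (a first fetch into an empty repo looks identical), have lines
// present is a pull/fetch into an existing repo, anything else is not a
// negotiation (for example a protocol v2 ls-refs command).
func Classify(raw string) (string, error) {
	pkts, err := ParsePktLines(raw)
	if err != nil {
		return "", err
	}
	s := Summarize(pkts)
	switch {
	case len(s.Haves) > 0:
		return "fetch", nil
	case len(s.Wants) > 0:
		return "clone", nil
	default:
		return "other", nil
	}
}

// CloneCapture and FetchCapture are the two requests quoted in the issue.
var CloneCapture = "0011command=fetch0014agent=git/2.38.10016object-format=sha10001" +
	"000dthin-pack000dofs-delta" +
	"0032want 81dc47d3858838afd6cb71627ede3f118ee49646\n" +
	"0032want 3f40479b55f3b35eaba567de9a3ba45146bbb2cb\n" +
	"0032want 81dc47d3858838afd6cb71627ede3f118ee49646\n" +
	"0032want 317485672b96e405a1a0d251941cf9d4f9b6e3fe\n" +
	"0009done\n0000"

var FetchCapture = "0011command=fetch0014agent=git/2.38.10016object-format=sha10001" +
	"000dthin-pack000finclude-tag000dofs-delta" +
	"0032want 3f40479b55f3b35eaba567de9a3ba45146bbb2cb\n" +
	"0032want 81dc47d3858838afd6cb71627ede3f118ee49646\n" +
	"0032have 82f229922e580381b768da407fcceea8fc521757\n" +
	"0032have 317485672b96e405a1a0d251941cf9d4f9b6e3fe\n" +
	"0000"

func main() {
	for name, raw := range map[string]string{"clone": CloneCapture, "pull": FetchCapture} {
		kind, err := Classify(raw)
		fmt.Printf("%s capture -> %s (err=%v)\n", name, kind, err)
	}
}
```

Running it prints "clone" for the first capture and "fetch" for the second. The caveat a deployment would need to handle is in the Classify comment: the absence of have lines only proves the client had nothing in common with the server, so a first fetch into an empty or unrelated repository is indistinguishable from a clone at this layer; an audit event derived this way should be named accordingly or combined with the agent and repository state if the clone/pull distinction must be exact.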