fix: record blocked fetches and enforce URL rules on store-and-forward path#198
Merged
Merged
Conversation
…d path Gap 1: `registerGitServlet` now wires `ParseGitRequestFilter` and `UrlRuleAggregateFilter` onto the `/push/` path. Previously, fetches via the store-and-forward endpoint bypassed URL allowlist checks entirely and were never written to `FetchStore`. Gap 2: `UrlRuleAggregateFilter.applyInfoRefsRules()` now calls `recordFetch(request, false)` for `Denied` and `NotAllowed` results when the effective operation is FETCH. Previously, blocked clones/fetches rejected at the `/info/refs` discovery phase were never recorded — since the upload-pack request never arrived, the existing `recordFetch` call there was never reached. closes #197 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes two distinct gaps in blocked-fetch recording identified in #197.
Gap 1 — store-and-forward fetch enforcement:
registerGitServletnow wiresParseGitRequestFilter+UrlRuleAggregateFilteronto the/push/path. Previously, git clone/fetch requests via the store-and-forward endpoint bypassed URL allowlist checks entirely and were never written toFetchStore. There are no JGit hooks for fetch operations (UploadPack is read-only), so the servlet filter layer is the correct place to enforce this.Gap 2 — info/refs phase recording:
UrlRuleAggregateFilter.applyInfoRefsRules()now callsrecordFetch(request, false)forDeniedandNotAllowedresults when the effective operation is FETCH. Previously, blocked clones/fetches rejected at the/info/refsdiscovery handshake were silently dropped — since the upload-pack request never arrived, the existingrecordFetchcall in the upload-pack branch was never reached.Test plan
UrlRuleFilterTest— four new unit tests covering:NotAllowedfetch on/info/refsrecords BLOCKED, deny-rule fetch on/info/refsrecords BLOCKED, push on/info/refsdoes NOT record fetch, allowed fetch on/info/refsdoes NOT record fetchtest-clone.shagainst a repo not in the allow list — blocked fetch should appear in the Repos page metricscloses #197