Prohibit mirroring to internal repositories #621
Conversation
Motivation:
We should prohibit mirroring to internal repositories, which can cause a security incident.
Modifications:
- Raise an exception if the `localRepo` of a mirroring setting is one of `meta` and `dogma`, which are internal repositories.
Result:
- You cannot set up mirroring to internal repositories anymore.
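A standalone illustration of the kind of validator this PR describes, added here as an example and not code from the PR or the project. Assumed for the example: the class name, the use of `IllegalArgumentException`, and that the mirror setting is a JSON array of objects each carrying a `localRepo` field.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

/** Hypothetical validator; not the project's own code. */
public final class MirrorLocalRepoCheck {
    // Repository names reserved for the server's own metadata (named in the PR description).
    private static final Set<String> INTERNAL_REPOS = Set.of("meta", "dogma");
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Rejects any mirror definition whose localRepo is an internal repository.
     * The JSON layout (array of objects with a "localRepo" field) is an assumption
     * made for this example; a single object is accepted as well.
     */
    static void checkMirrorLocalRepo(String mirrorSettingJson) throws IOException {
        final JsonNode root = MAPPER.readTree(mirrorSettingJson);
        final Iterable<JsonNode> mirrors = root.isArray() ? root : Collections.singletonList(root);
        for (JsonNode mirror : mirrors) {
            // Missing or non-textual field yields "" and is therefore not flagged here.
            final String localRepo = mirror.path("localRepo").asText("");
            if (INTERNAL_REPOS.contains(localRepo)) {
                throw new IllegalArgumentException(
                        "mirroring into internal repository '" + localRepo + "' is prohibited");
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs.
        checkMirrorLocalRepo(
                "[{\"localRepo\":\"app-config\",\"remoteUri\":\"git+https://example.invalid/x.git\"}]");
        try {
            checkMirrorLocalRepo("[{\"localRepo\":\"meta\"}]");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Because the same validator is what every write entry point should call, keeping it in one place (rather than in a single HTTP handler) is what makes the prohibition hold for all paths that can change the mirror setting.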
Codecov Report
@@ Coverage Diff @@
## master #621 +/- ##
============================================
+ Coverage 69.79% 69.91% +0.12%
- Complexity 3262 3276 +14
============================================
Files 331 331
Lines 12988 13020 +32
Branches 1396 1402 +6
============================================
+ Hits 9065 9103 +38
+ Misses 3062 3056 -6
Partials 861 861
Continue to review full report at Codecov.
|
| * is one of {@code meta} and {@code dogma} which are internal repositories. | ||
| */ | ||
| private void checkMirrorLocalRepo(Repository repository, Iterable<Change<?>> changes) { | ||
| // TODO(minwoox): Provide an internal API for mirroring setup with a better UI(?) and check this there. |
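Review bot: the Javadoc on the first line states what the restriction is but not how a violation surfaces; document that `checkMirrorLocalRepo` throws (and which exception) so callers know it fails loudly instead of returning. The TODO on the last line also records that the check currently lives at the API layer, so until an internal mirroring API exists every write entry point must call it, or the prohibition can be bypassed.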
| final Object content = change.content(); | ||
| if (content != null && content instanceof JsonNode) { |
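Review bot: the `content != null` guard on the second line is redundant, since `instanceof` already evaluates to false for `null`; `if (content instanceof JsonNode)` is sufficient and reads more clearly.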
change.content() seems to always be non-null because of the previous filter.
Thanks, fixed.
| @@ -177,6 +185,7 @@ private static String normalizePath(String path) { | |||
| Author author, | |||
| CommitMessageDto commitMessage, | |||
| @RequestConverter(ChangesRequestConverter.class) Iterable<Change<?>> changes) { | |||
| checkMirrorLocalRepo(repository, changes); | |||
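Review bot: `checkMirrorLocalRepo(repository, changes)` is wired only into this HTTP handler; any other path that can commit changes (the Thrift API raised below) needs the same call, otherwise the restriction is incomplete. Moving the check into the shared commit path would give a single enforcement point instead of one per handler.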
Don't we also need to deal with Thrift API?
Is it time to remove the Thrift API?
Thanks, let me add this there too.
Is it time to remove the Thrift API?
😆
Thanks! @minwoox
Thanks for reviewing.