Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
prevent access to repos which are in the process of bring migrated
Björn Kautler pointed out that, when a repo is being migrated into
gitolite as per the documentation [1], there is a gap between the actual
move of the repo and the rest of the process where a user can gain read
or write access to the repo, which he would *not* have had after the
completion of the process.

My first thought was to document this, and advise people to use the
'writable' command to disable writes, but there is nothing as simple and
painless to prevent reads.  (On the plus side, this kind of racy read
access can only happen if the conf is using the "deny-rules" option to
restrict reads; without that, it makes no difference -- i.e., he gets no
access that he would not have got later anyway).

But eventually I realised that documentation was frustrating, for
various reasons, and that at least in this case there is a way to fix it
in the code -- just block all access to a repo that is in
~/repositories, but which does not yet have the update hook setup
correctly.  Plus, the code does not impact anything else, and is
basically just an extra check.

[1]: http://gitolite.com/gitolite/basic-admin/index.html#appendix-1-bringing-existing-repos-into-gitolite
  • Loading branch information
sitaramc committed Sep 8, 2018
1 parent 91ce361 commit dc13dfc
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 2 deletions.
7 changes: 7 additions & 0 deletions src/gitolite-shell
Expand Up @@ -113,6 +113,13 @@ sub main {
$ENV{GL_REPO} = $repo;
my $aa = ( $verb =~ 'upload' ? 'R' : 'W' );

# catch rare race when moving repos into gitolite control
_die "$aa any $repo $user DENIED by fallthru" .
"\n(or you mis-spelled the reponame)"
unless update_hook_present($repo);
# this error message is exactly the same as that from elsewhere in the
# code, for the usual reasons (avoid leaking information)

# set up env vars from options set for this repo
env_options($repo);

Expand Down
20 changes: 18 additions & 2 deletions src/lib/Gitolite/Common.pm
Expand Up @@ -19,6 +19,8 @@ package Gitolite::Common;
ssh_fingerprint_file
ssh_fingerprint_line
update_hook_present
);
#>>>
use Exporter 'import';
Expand Down Expand Up @@ -235,14 +237,28 @@ sub cleanup_conf_line {
chomp($repo);
$repo =~ s/\.git$//;
$repo =~ s(^\./)();
push @phy_repos, $repo unless $repo =~ m(/$);
# tolerate bare repos within ~/repositories but silently ignore them
next if $repo =~ m(/$);
# tolerate non-bare repos within ~/repositories but silently ignore them
next unless update_hook_present($repo);
# ignore repos that don't yet have the update hook
push @phy_repos, $repo;
}
trace( 3, scalar(@phy_repos) . " physical repos found" );
return sort_u( \@phy_repos );
}
}
sub update_hook_present {
my $repo = shift;
return 1 unless -d "$ENV{GL_REPO_BASE}/$repo.git"; # non-existent repo is fine
my $x = readlink("$ENV{GL_REPO_BASE}/$repo.git/hooks/update");
return 1 if $x and $x eq "$ENV{GL_ADMIN_BASE}/hooks/common/update";
return 0;
}
# generate a timestamp
sub gen_ts {
my ( $s, $min, $h, $d, $m, $y ) = (localtime)[ 0 .. 5 ];
Expand Down

0 comments on commit dc13dfc

Please sign in to comment.