git-annex-shell: block relay requests

connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.

Fixed by making connRepo optional in the P2P protocol interface.

In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.

In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.

In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
This commit is contained in:
Joey Hess 2024-06-10 13:53:28 -04:00
parent 783eb8879a
commit 9a8391078a
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
8 changed files with 26 additions and 27 deletions

View file

@ -105,11 +105,10 @@ checkHiddenService = bracket setup cleanup go
check 0 _ = giveup "Still unable to connect to hidden service. It might not yet be usable by others. Please check Tor's logs for details."
check _ [] = giveup "Somehow didn't get an onion address."
check n addrs@(addr:_) = do
g <- Annex.gitRepo
check n addrs@(addr:_) =
-- Connect but don't bother trying to auth,
-- we just want to know if the tor circuit works.
liftIO (tryNonAsync $ connectPeer g addr) >>= \case
liftIO (tryNonAsync $ connectPeer Nothing addr) >>= \case
Left e -> do
warning $ UnquotedString $ "Unable to connect to hidden service. It may not yet have propagated to the Tor network. (" ++ show e ++ ") Will retry.."
liftIO $ threadDelaySeconds (Seconds 2)
@ -123,19 +122,18 @@ checkHiddenService = bracket setup cleanup go
-- service's socket, start a listener. This is only run during the
-- check, and it refuses all auth attempts.
startlistener = do
r <- Annex.gitRepo
u <- getUUID
msock <- torSocketFile
case msock of
Just sockfile -> ifM (liftIO $ haslistener sockfile)
( liftIO $ async $ return ()
, liftIO $ async $ runlistener sockfile u r
, liftIO $ async $ runlistener sockfile u
)
Nothing -> giveup "Could not find socket file in Tor configuration!"
runlistener sockfile u r = serveUnixSocket sockfile $ \h -> do
runlistener sockfile u = serveUnixSocket sockfile $ \h -> do
let conn = P2PConnection
{ connRepo = r
{ connRepo = Nothing
, connCheckAuth = const False
, connIhdl = h
, connOhdl = h