remote.name.annex-security-allow-unverified-downloads

Added remote.name.annex-security-allow-unverified-downloads, a per-remote
setting for annex.security.allow-unverified-downloads.

This commit was sponsored by Brock Spratlen on Patreon.
Joey Hess 2018-09-25 15:32:50 -04:00
parent 177e45517f
commit bc31b93c77
8 changed files with 27 additions and 6 deletions


@ -18,6 +18,8 @@ git-annex (6.20180914) UNRELEASED; urgency=medium
supporting filenames containing newlines.
* Added annex.maxextensionlength for use cases where extensions longer
than 4 characters are needed.
* Added remote.name.annex-security-allow-unverified-downloads, a
per-remote setting for annex.security.allow-unverified-downloads.
* More FreeBSD build fixes.
[ Yaroslav Halchenko ]


@ -113,7 +113,7 @@ gen r u c gc
-- and have no protection against redirects to
-- local private web servers, or in some cases
-- to file:// urls.
, retrievalSecurityPolicy = RetrievalVerifiableKeysSecure
, retrievalSecurityPolicy = mkRetrievalVerifiableKeysSecure gc
, removeKey = removeKeyDummy
, lockContent = Nothing
, checkPresent = checkPresentDummy


@ -59,7 +59,7 @@ gen r u c gc = new <$> remoteCost gc veryExpensiveRemoteCost
-- not support file://, as far as we know, but
-- there's no guarantee that will continue to be
-- the case, so require verifiable keys.
, retrievalSecurityPolicy = RetrievalVerifiableKeysSecure
, retrievalSecurityPolicy = mkRetrievalVerifiableKeysSecure gc
, removeKey = removeKeyDummy
, lockContent = Nothing
, checkPresent = checkPresentDummy


@ -1,6 +1,6 @@
{- helpers for special remotes
-
- Copyright 2011-2014 Joey Hess <id@joeyh.name>
- Copyright 2011-2018 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU GPL version 3 or higher.
-}
@ -8,6 +8,7 @@
module Remote.Helper.Special (
findSpecialRemotes,
gitConfigSpecialRemote,
mkRetrievalVerifiableKeysSecure,
Preparer,
Storer,
Retriever,
@ -73,6 +74,15 @@ gitConfigSpecialRemote u c cfgs = do
where
remotename = fromJust (M.lookup "name" c)
-- RetrievalVerifiableKeysSecure unless overridden by git config.
--
-- Only looks at the RemoteGitConfig; the GitConfig's setting is
-- checked at the same place the RetrievalSecurityPolicy is checked.
mkRetrievalVerifiableKeysSecure :: RemoteGitConfig -> RetrievalSecurityPolicy
mkRetrievalVerifiableKeysSecure gc
| remoteAnnexAllowUnverifiedDownloads gc = RetrievalAllKeysSecure
| otherwise = RetrievalVerifiableKeysSecure
-- Use when nothing needs to be done to prepare a helper.
simplyPrepare :: helper -> Preparer helper
simplyPrepare helper _ a = a $ Just helper
@ -168,7 +178,7 @@ specialRemote' cfg c preparestorer prepareretriever prepareremover preparecheckp
-- into the git-annex repository. Verifiable keys
-- are the main protection against this attack.
, retrievalSecurityPolicy = if isencrypted
then RetrievalVerifiableKeysSecure
then mkRetrievalVerifiableKeysSecure (gitconfig baser)
else retrievalSecurityPolicy baser
, removeKey = \k -> cip >>= removeKeyGen k
, checkPresent = \k -> cip >>= checkPresentGen k
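Review bot: The comment on mkRetrievalVerifiableKeysSecure never says what the override actually yields, which matters because every caller switched to it in this commit (including the encrypted branch of specialRemote' at the end of this hunk, whose surrounding comment calls verifiable keys "the main protection against this attack") now drops to RetrievalAllKeysSecure whenever the per-remote config is set. Make it a Haddock comment stating both outcomes, e.g. `-- | Policy for a special remote that cannot itself verify what it downloads: 'RetrievalVerifiableKeysSecure', unless the user has opted this remote out of that protection via remote.<name>.annex-security-allow-unverified-downloads, in which case 'RetrievalAllKeysSecure'.` The existing sentence about only the RemoteGitConfig being consulted is worth keeping below it. specialRemote' itself begins and ends outside the hunk.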


@ -51,7 +51,7 @@ gen r u c gc = do
, retrieveKeyFileCheap = retrieveCheap hooktype
-- A hook could use http and be vulnerable to
-- redirect to file:// attacks, etc.
, retrievalSecurityPolicy = RetrievalVerifiableKeysSecure
, retrievalSecurityPolicy = mkRetrievalVerifiableKeysSecure gc
, removeKey = removeKeyDummy
, lockContent = Nothing
, checkPresent = checkPresentDummy


@ -234,6 +234,7 @@ data RemoteGitConfig = RemoteGitConfig
, remoteAnnexBare :: Maybe Bool
, remoteAnnexRetry :: Maybe Integer
, remoteAnnexRetryDelay :: Maybe Seconds
, remoteAnnexAllowUnverifiedDownloads :: Bool
{- These settings are specific to particular types of remotes
- including special remotes. -}
@ -291,6 +292,8 @@ extractRemoteGitConfig r remotename = do
, remoteAnnexRetry = getmayberead "retry"
, remoteAnnexRetryDelay = Seconds
<$> getmayberead "retrydelay"
, remoteAnnexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $
getmaybe ("security-allow-unverified-downloads")
, remoteAnnexShell = getmaybe "shell"
, remoteAnnexSshOptions = getoptions "ssh-options"
, remoteAnnexRsyncOptions = getoptions "rsync-options"
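Review bot: In extractRemoteGitConfig the argument `("security-allow-unverified-downloads")` is parenthesised unlike every neighbouring `getmaybe "..."` call, and the sentinel "ACKTHPPT" sits there with nothing saying why a Bool field is derived from an equality test against it; `remoteAnnexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $ getmaybe "security-allow-unverified-downloads"` reads consistently with its neighbours. I would also put a comment on the new field in RemoteGitConfig, e.g. `-- True only when the config holds the same deliberately odd value that annex.security.allow-unverified-downloads requires; any other value leaves verification on.` — the doc and todo hunks in this commit show that value is shared with the global setting, so the two parsers presumably need to stay in sync. Both RemoteGitConfig and extractRemoteGitConfig start and end outside their hunks.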


@ -1450,7 +1450,7 @@ Here are all the supported configuration settings.
these IP address restrictions to be enforced, curl and youtube-dl will
never be used unless annex.security.allowed-http-addresses=all.
* `annex.security.allow-unverified-downloads`,
* `annex.security.allow-unverified-downloads`
For security reasons, git-annex refuses to download content from
most special remotes when it cannot check a hash to verify
@ -1487,6 +1487,10 @@ Here are all the supported configuration settings.
It would be a good idea to check that it downloaded the file you expected,
too.
* `remote.name.annex-security-allow-unverified-downloads`
Per-remote configuration of annex.security.allow-unverified-downloads.
* `annex.secure-erase-command`
This can be set to a command that should be run whenever git-annex


@ -3,3 +3,5 @@ Sometimes I _know_ that a given external special remote doesn't do redirects, or
git -c annex.security.allow-unverified-downloads=ACKTHPPT annex get myfile
every time is another thing to think about, when the whole point of git-annex is to not have to think about where things are :) While configuring
annex.security.allow-unverified-downloads=ACKTHPPT permanently opens security holes.
> [[done]] --[[Joey]]