Commit graph

32275 commits

Author SHA1 Message Date
Joey Hess
71d39caf5c
add security page with current and past security holes 2018-06-18 14:19:58 -04:00
Joey Hess
cc08135e65
prevent using local http proxies per annex.security.allowed-http-addresses
A local http proxy would bypass the security configuration. So,
the security configuration has to be applied when choosing whether to
use the proxy.

While http rebinding attacks against the dns lookup of the proxy IP
address seem very unlikely, this implementation does prevent them, since
it resolves the IP address once, checks it, and then reconfigures
http-client's proxy using the resolved address.

This commit was sponsored by Ole-Morten Duesund on Patreon.
2018-06-18 13:32:20 -04:00
anarcat
6d2616f86e some issues with anonymous pushes 2018-06-18 12:48:16 +00:00
anarcat
d889d9666d hashdeep integration 2018-06-18 12:45:32 +00:00
yves.noirjean@3f9b06d19a920fbf5c82340c362e5971b00d4af2
d8de48ddee Added a comment 2018-06-18 11:25:18 +00:00
Joey Hess
8703fdd3b7
add 2018-06-17 16:13:45 -04:00
Joey Hess
e62c4543c3
default to not using youtube-dl, for security
Pity, but same reasoning as curl applies to it.

This commit was sponsored by Peter on Patreon.
2018-06-17 14:51:02 -04:00
Joey Hess
563f2f5a81
missed a NEWS update in last commit 2018-06-17 13:56:17 -04:00
Joey Hess
b54b2cdc0e
prevent http connections to localhost and private ips by default
Security fix!

* git-annex will refuse to download content from http servers on
  localhost, or any private IP addresses, to prevent accidental
  exposure of internal data. This can be overridden with the
  annex.security.allowed-http-addresses setting.
* Since curl's interface does not have a way to prevent it from accessing
  localhost or private IP addresses, curl defaults to not being used
  for url downloads, even if annex.web-options enabled it before.
  Only when annex.security.allowed-http-addresses=all will curl be used.

Since S3 and WebDav use the Manager, the same policies apply to them too.

youtube-dl is not handled yet, and a http proxy configuration can bypass
these checks too. Those cases are still TBD.

This commit was sponsored by Jeff Goeke-Smith on Patreon.
2018-06-17 13:30:28 -04:00
Joey Hess
43bf219a3c
added makeAddressMatcher
Would be nice to add CIDR notation to this, but this is the minimal
thing needed for the security fix.

This commit was sponsored by Ewen McNeill on Patreon.
2018-06-17 13:29:15 -04:00
Joey Hess
014a3fef34
added isPrivateAddress and isLoopbackAddress
For use in a security boundary enforcement.

Based on https://en.wikipedia.org/wiki/Reserved_IP_addresses

Including supporting IPv4 addresses embedded in IPv6 addresses. Because
while RFC6052 3.1 says "Address translators MUST NOT translate packets
in which an address is composed of the Well-Known Prefix and a non-global IPv4 address; they MUST drop these packets", I don't want to
trust that implementations get that right when enforcing a security
boundary.

This commit was sponsored by John Pellman on Patreon.
2018-06-17 13:28:25 -04:00
Joey Hess
40e8358284
add Utility.HttpManagerRestricted
This is a clean way to add IP address restrictions to http-client, and
any library using it.
See https://github.com/snoyberg/http-client/issues/354#issuecomment-397830259

Some code from http-client and http-client-tls was copied in and
modified. Credited its author accordingly, and used the same MIT license.

The restrictions don't apply to http proxies. If using http proxies is a
problem, http-client already has a way to disable them.
SOCKS support is not included. As far as I can tell, http-client-tls
does not support SOCKS by default, and so git-annex never has.

The additional dependencies are free; git-annex already transitively
depended on them via http-conduit.

This commit was sponsored by Eric Drechsel on Patreon.
2018-06-16 18:44:13 -04:00
Joey Hess
28720c795f
limit url downloads to whitelisted schemes
Security fix! Allowing any schemes, particularly file: and
possibly others like scp: allowed file exfiltration by anyone who had
write access to the git repository, since they could add an annexed file
using such an url, or using an url that redirected to such an url,
and wait for the victim to get it into their repository and send them a copy.

* Added annex.security.allowed-url-schemes setting, which defaults
  to only allowing http and https URLs. Note especially that file:/
  is no longer enabled by default.

* Removed annex.web-download-command, since its interface does not allow
  supporting annex.security.allowed-url-schemes across redirects.
  If you used this setting, you may want to instead use annex.web-options
  to pass options to curl.

With annex.web-download-command removed, nearly all url accesses in
git-annex are made via Utility.Url via http-client or curl. http-client
only supports http and https, so no problem there.
(Disabling one and not the other is not implemented.)

Used curl --proto to limit the allowed url schemes.

Note that this will cause git annex fsck --from web to mark files using
a disallowed url scheme as not being present in the web. That seems
acceptable; fsck --from web also does that when a web server is not available.

youtube-dl already disabled file: itself (probably for similar
reasons). The scheme check was also added to youtube-dl urls for
completeness, although that check won't catch any redirects it might
follow. But youtube-dl goes off and does its own thing with other
protocols anyway, so that's fine.

Special remotes that support other domain-specific url schemes are not
affected by this change. In the bittorrent remote, aria2c can still
download magnet: links. The download of the .torrent file is
otherwise now limited by annex.security.allowed-url-schemes.

This does not address any external special remotes that might download
an url themselves. Current thinking is all external special remotes will
need to be audited for this problem, although many of them will use
http libraries that only support http and not curl's menagerie.

The related problem of accessing private localhost and LAN urls is not
addressed by this commit.

This commit was sponsored by Brett Eisenberg on Patreon.
2018-06-16 11:57:50 -04:00
Joey Hess
b6ae4c0509
Merge branch 'master' of ssh://git-annex.branchable.com 2018-06-16 10:02:18 -04:00
Joey Hess
3f0d875b55
Include uname in standalone builds. 2018-06-16 10:02:05 -04:00
git-annex.branchable.com@07c0f8919010cc703ae7eea746d9b494c153291f
7a44c2c8ef removed 2018-06-16 09:49:19 +00:00
git-annex.branchable.com@07c0f8919010cc703ae7eea746d9b494c153291f
fc468eed88 Added a comment: this one is invalid 2018-06-16 09:48:53 +00:00
git-annex.branchable.com@07c0f8919010cc703ae7eea746d9b494c153291f
75c4c947d5 2018-06-16 09:14:38 +00:00
andrew@2e5aa03dfdc624af77a5957dd345d28430342a9c
785cb276f0 posted issue 2018-06-15 22:23:58 +00:00
Joey Hess
f886859174
remove broken link 2018-06-15 17:53:37 -04:00
Joey Hess
c8559a0403
close old bug 2018-06-15 14:44:32 -04:00
andrew
05cee8ada4 Added a comment 2018-06-15 15:59:04 +00:00
Joey Hess
e592635fe6
improve wording 2018-06-14 17:14:13 -04:00
Joey Hess
690bb303f9
more thoughts 2018-06-14 14:00:49 -04:00
Joey Hess
3f80aaea3d
some open questions 2018-06-14 13:42:25 -04:00
Joey Hess
466d3fbaab
more thoughts 2018-06-14 13:30:34 -04:00
Joey Hess
cc4b3b9c06
remove unused import 2018-06-14 12:33:00 -04:00
Joey Hess
391a83c985
remove unused value 2018-06-14 12:32:36 -04:00
Joey Hess
8b734da876
thoughts 2018-06-14 12:32:18 -04:00
Joey Hess
b6e4ed9aa7
export: re-send lost exported files after fsck notices they're gone
When content has been lost from an export remote and git-annex fsck --from
remote has noticed it's gone, re-running git-annex export or git-annex sync
--content will re-upload it.

Note that normally there's no way to remove a single file from an export.
doc/design/exporting_trees_to_special_remotes.mdwn talks about this
in the section "dropping from exports and copying to exports". But, if
a file is somehow deleted or corrupted on the export, and fsck notices
this, it will update the location log to say it's missing.

So, checking the location log when determining if a file needs to be sent
to the export will let such missing files be added back in. There's
otherwise no way to do so. It does not fall afoul of the races documented
in the abovementioned section, I think.

This commit was sponsored by Ryan Newton on Patreon.
2018-06-14 12:22:12 -04:00
Joey Hess
4a3f1a15c5
improve indent 2018-06-14 11:40:23 -04:00
ghen1
1a0620fdf8 Added a comment 2018-06-13 17:18:49 +00:00
https://christian.amsuess.com/chrysn
c7dc4ee5c6 Added a comment: Update on using SAF 2018-06-13 14:57:10 +00:00
lykos@d125a37d89b1cfac20829f12911656c40cb70018
a439041e40 Added a comment 2018-06-13 10:46:25 +00:00
https://christian.amsuess.com/chrysn
93befcea96 Added a comment: Re: comment 5 2018-06-12 19:01:09 +00:00
Joey Hess
760f66829a
display p2pstdio stderr after auth
Display error messages that come from git-annex-shell when the p2p protocol
is used, so that diskreserve messages, IO errors, etc from the remote side
are visible again.

Felt like it should perhaps use outputError, so --json-error-messages would
include these, but as an async IO action, it can't, and this would need
MessageState to be converted to a tvar. Anyway, when not using p2pstdio,
that's not done; nor is it done for stderr from external special remotes
or other commands, so punted on the idea for now.

This commit was sponsored by mo on Patreon.
2018-06-12 14:59:05 -04:00
Joey Hess
90a3afb60f
adb: Android serial numbers are not all 16 characters long, so accept other lengths.
I can't find any documentation of how long it should be. Hard to imagine
it being shorter than 4 characters though, so put that in as a conservative
lower bound.

This commit was sponsored by Nick Piper on Patreon.
2018-06-12 13:56:01 -04:00
Joey Hess
98168e8f2e
Merge branch 'master' of ssh://git-annex.branchable.com 2018-06-12 12:55:41 -04:00
Joey Hess
b0492384bb
response 2018-06-12 12:54:29 -04:00
lykos@d125a37d89b1cfac20829f12911656c40cb70018
75e4e45bea 2018-06-12 16:46:40 +00:00
lykos@d125a37d89b1cfac20829f12911656c40cb70018
eca49304fe 2018-06-12 16:46:22 +00:00
Joey Hess
1694642969
document that multiple groupwanted are not combined 2018-06-12 12:44:53 -04:00
Joey Hess
e615357bdd
response 2018-06-12 12:16:18 -04:00
Rizwan
a9d271a616 Added a comment: Are these methods still working? 2018-06-12 14:58:03 +00:00
madapeedikakkaran@2c5c8bb4520ebf2526afb49c8dcbcb60fb295973
80917c2958 Added a comment: Termux Error 2018-06-12 11:54:02 +00:00
ghen1
0c5b4582a6 2018-06-11 03:29:06 +00:00
Joey Hess
e489b28bd7
Merge branch 'master' of ssh://git-annex.branchable.com 2018-06-08 12:03:53 -04:00
Joey Hess
c3c28f7617
add GETINFO to external protocol (for ronnypfa)
External special remotes can now add info to `git annex info $remote`, by
replying to the GETINFO message.

Had to generalize some helpers to allow consuming multiple messages from
the remote.

The code added to Remote/* here is AGPL licensed, thus changed the license
of the files.

This commit was sponsored by Jake Vosloo on Patreon.
2018-06-08 11:56:24 -04:00
yves.noirjean@3f9b06d19a920fbf5c82340c362e5971b00d4af2
2b45511bd5 Added a comment 2018-06-08 15:17:17 +00:00
yves.noirjean@3f9b06d19a920fbf5c82340c362e5971b00d4af2
8397151b2b 2018-06-08 13:03:20 +00:00