Commit graph

87 commits

Author SHA1 Message Date
Joey Hess
15be5c04a6
git-annex-shell, remotedaemon, git remote: Fix some memory DOS attacks.
The attacker could just send a very large amount of data, with no \n, and it would
all be buffered in memory until the kernel killed git-annex or perhaps OOM
killed some other more valuable process.

This is a low impact security hole, only affecting communication between
local git-annex and git-annex-shell on the remote system. (With either
able to be the attacker.) Only those with the right ssh key can do it. And,
there are probably lots of ways to construct git repositories that make git
use a lot of memory in various ways, which would have similar impact as
this attack.

The fix in P2P/IO.hs would have been higher impact, if it had made it to a
released version, since it would have allowed DOSing the tor hidden
service without needing to authenticate.

(The LockContent and NotifyChanges instances may not be really
exploitable; since the line is read and ignored, it probably gets read
lazily and does not end up staying buffered in memory.)
2016-12-09 13:34:32 -04:00
Joey Hess
bdf2a31424
typo 2016-12-09 12:54:12 -04:00
Joey Hess
71e8cd408e
content removal is supposed to succeed if the content was already not present 2016-12-09 12:48:22 -04:00
Joey Hess
38516b2fca
update progress logs in remotedaemon send/receive 2016-12-08 19:56:02 -04:00
Joey Hess
0f4ee4f298
fix memory leak
I'm unsure why this fixed it, but it did. Seems to suggest that the
memory leak is not due to a bug in my code, but that ghc didn't manage
to take full advantage of laziness, or was failing to gc something it
could have.
2016-12-08 18:42:52 -04:00
Joey Hess
af41519126
convert P2P runners from Maybe to Either String
So we get some useful error messages when things fail.

This commit was sponsored by Peter Hogg on Patreon.
2016-12-08 15:47:49 -04:00
Joey Hess
c05f4eb631
fix laziness problem in git relaying
The switch to hGetMetered subtly changed the laziness of how DATA was
read, and broke git protocol relaying. Fix by sending received data to
the git process's stdin immediately, which ensures that the lazy
bytestring is all read from the peer before going on to process the next
message from the peer.
2016-12-08 15:15:29 -04:00
Joey Hess
df67626cb7
fix build with old ghc 2016-12-08 13:58:03 -04:00
Joey Hess
0541f19bea
fix math error that caused resumes to always fail 2016-12-07 15:36:39 -04:00
Joey Hess
db79b69aa0
ReadWriteMode not AppendMode
AppendMode does not allow seeking..
2016-12-07 15:24:28 -04:00
Joey Hess
99c36f318c
open file for append, not write, so resuming works
WriteMode zeros any existing content, so the seek filled with zeros, and
verification failed after download.
2016-12-07 15:06:07 -04:00
Joey Hess
b55399e3ac
offset meters when resuming 2016-12-07 14:52:10 -04:00
Joey Hess
ad5ef51040
more p2p progress meters
Display progress meter on send and receive from remote.

Added a new hGetMetered that can read an exact number of bytes (or
less), updating a meter as it goes.

This commit was sponsored by Andreas on Patreon.
2016-12-07 14:25:01 -04:00
Joey Hess
83ea1cec86
update progress meter when sending to p2p remote
This commit was sponsored by Thom May on Patreon.
2016-12-07 13:37:35 -04:00
Joey Hess
bb5168e894
need to auth with the peer 2016-12-06 15:50:02 -04:00
Joey Hess
f744bd5391
refactor 2016-12-06 15:43:03 -04:00
Joey Hess
2bd2e0880c
added StoreContentTo
This is needed in addition to StoreContent, because retrieveKeyFile can
be used to retrieve to different destination files, not only the tmp
file for a key.

This commit was sponsored by Ole-Morten Duesund on Patreon.
2016-12-06 15:05:44 -04:00
Joey Hess
b29088b8dc
stub Remote.P2P
Similar to GCrypt remotes, P2P remotes have an url, so Remote.Git has to
separate them out and handle them, passing off to Remote.P2P.

This commit was sponsored by Ignacio on Patreon.
2016-12-06 12:27:58 -04:00
Joey Hess
a8c868c2e1
plumb associated files through P2P protocol for updating transfer logs
ReadContent can't update the log, since it reads lazily. This part of
the P2P monad will need to be rethought.

Associated files are heavily sanitized when received from a peer;
they could be an exploit vector.

This commit was sponsored by Jochen Bartl on Patreon.
2016-12-02 16:42:54 -04:00
Joey Hess
b16a1cee4b
plumb peer uuid through to runLocal
This will allow updating transfer logs with the uuid.
2016-12-02 15:39:49 -04:00
Joey Hess
71ddb10699
initial implementation of P2P.Annex runner
Untested, and it does not yet update transfer logs.

Verifying transferred content is modeled on git-annex-shell recvkey.
In a direct mode or annex.thin repository, content can change while it's
being transferred. So, verification is always done, even if annex.verify
would normally prevent it.

Note that a WORM or URL key could change in a way the verification
doesn't catch. That can happen in git-annex-shell recvkey too. We don't
worry about it, because those key backends don't guarantee preservation
of data. (Which is to say, I worried about it, and then convinced myself
again it was ok.)
2016-12-02 14:54:33 -04:00
Joey Hess
c29f2e262a
catch non-IO exceptions too 2016-12-02 14:16:50 -04:00
Joey Hess
881274d021
make remote-daemon able to send and receive objects over tor
Each worker thread needs to run in the Annex monad, but the
remote-daemon's liftAnnex can only run 1 action at a time. Used
Annex.Concurrent to deal with that.

P2P.Annex is incomplete as of yet.
2016-12-02 13:52:43 -04:00
Joey Hess
7b7afbbedc
improve Local monad 2016-12-02 13:47:42 -04:00
Joey Hess
15dc63d47f
make sure that the specified number of bytes of DATA are always sent
It's possible, in direct or thin mode, that an object file gets
truncated or appended to as it's being sent. This would break the
protocol badly, so make sure never to send too many bytes, and to
close the protocol connection if too few bytes are available.
2016-12-02 13:45:45 -04:00
Joey Hess
3dce6a080e
cleanups 2016-12-01 00:42:01 -04:00
Joey Hess
94dad1e979
more flexible types for Proto runners
This will allow a runner in the Annex monad.
2016-12-01 00:27:07 -04:00
Joey Hess
00f48ac407
better comments 2016-11-30 23:54:00 -04:00
Joey Hess
e714e0f67a
actually check p2p authtokens for tor connections
This commit was sponsored by Ethan Aubin.
2016-11-30 16:46:02 -04:00
Joey Hess
b88e44ea9a
use P2P auth for git-remote-tor-annex
This changes the environment variable name to the more generic
GIT_ANNEX_P2P_AUTHTOKEN.

This commit was sponsored by andrea rota.
2016-11-30 15:26:55 -04:00
Joey Hess
3ab12ba923
implement p2p --link
This commit was sponsored by Riku Voipio.
2016-11-30 15:16:25 -04:00
Joey Hess
bfc8305814
implement p2p command 2016-11-30 14:35:24 -04:00
Joey Hess
f86a7f673c
comments 2016-11-29 17:33:49 -04:00
Joey Hess
38425fdc39
finish git-annex enable-tor
Make it stash the address away for git-annex p2p to use later, rather
than outputting it. And, look up the UUID itself.
2016-11-29 17:30:27 -04:00
Joey Hess
3ed8895a09
fix build 2016-11-24 16:36:16 -04:00
Joey Hess
158ef45d76
add P2P.Auth 2016-11-22 14:37:50 -04:00
Joey Hess
b08799893f
reorg 2016-11-22 14:37:09 -04:00