git-annex/Command/LockContent.hs
Joey Hess 15be5c04a6
git-annex-shell, remotedaemon, git remote: Fix some memory DOS attacks.
The attacker could just send a very lot of data, with no \n and it would
all be buffered in memory until the kernel killed git-annex or perhaps OOM
killed some other more valuable process.

This is a low impact security hole, only affecting communication between
local git-annex and git-annex-shell on the remote system. (With either
able to be the attacker). Only those with the right ssh key can do it. And,
there are probably lots of ways to construct git repositories that make git
use a lot of memory in various ways, which would have similar impact as
this attack.

The fix in P2P/IO.hs would have been higher impact, if it had made it to a
released version, since it would have allowed DOSing the tor hidden
service without needing to authenticate.

(The LockContent and NotifyChanges instances may not be really
exploitable; since the line is read and ignored, it probably gets read
lazily and does not end up staying buffered in memory.)
2016-12-09 13:34:32 -04:00

45 lines
1.1 KiB
Haskell

{- git-annex-shell command
 -
 - Copyright 2015 Joey Hess <id@joeyh.name>
 -
 - Licensed under the GNU GPL version 3 or higher.
 -}

module Command.LockContent where

import Command
import Annex.Content
import Remote.Helper.Ssh (contentLockedMarker)
import Utility.SimpleProtocol

cmd :: Command
cmd = noCommit $
    command "lockcontent" SectionPlumbing
        "locks key's content in the annex, preventing it being dropped"
        paramKey
        (withParams seek)

seek :: CmdParams -> CommandSeek
seek = withWords start

-- First, lock the content. Then, make sure the content is actually
-- present, and print out "OK". Wait for the caller to send a line before
-- dropping the lock.
start :: [String] -> CommandStart
start [ks] = do
    ok <- lockContentShared k (const locksuccess)
        `catchNonAsync` (const $ return False)
    liftIO $ if ok
        then exitSuccess
        else exitFailure
  where
    k = fromMaybe (giveup "bad key") (file2key ks)
    locksuccess = ifM (inAnnex k)
        ( liftIO $ do
            putStrLn contentLockedMarker
            hFlush stdout
            _ <- getProtocolLine stdin
            return True
        , return False
        )
start _ = giveup "Specify exactly 1 key."
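
The commit message above describes a peer sending a large amount of data with no \n, all of which is buffered in memory. The following is an added example, not git-annex's code, of a line reader that caps how much it holds; `readBoundedLine`, `LineResult`, `maxLineLen` and the 32768-character limit are assumptions made for illustration, and the input is constructed.

```haskell
-- Added example, not git-annex code. All names here are hypothetical and
-- the 32768 limit is an assumption chosen for illustration.
import Control.Exception (try)
import System.Directory (getTemporaryDirectory, removeFile)
import System.IO
import System.IO.Error (isEOFError)

maxLineLen :: Int
maxLineLen = 32768

data LineResult = Line String | EndOfInput | TooLong
    deriving (Eq, Show)

-- Read up to the next '\n', holding at most 'limit' characters in memory.
-- Unlike hGetLine, a peer that never sends '\n' gets TooLong back instead
-- of making the buffer grow without bound.
readBoundedLine :: Int -> Handle -> IO LineResult
readBoundedLine limit h = go limit []
  where
    go n acc = do
        r <- try (hGetChar h)
        case r of
            Left e
                | isEOFError e -> return $
                    if null acc then EndOfInput else Line (reverse acc)
                | otherwise -> ioError e
            Right '\n' -> return (Line (reverse acc))
            Right c
                | n <= 0 -> return TooLong
                | otherwise -> go (n - 1) (c : acc)

main :: IO ()
main = do
    tmp <- getTemporaryDirectory
    (path, w) <- openTempFile tmp "proto.txt"
    -- Constructed input: one normal line, then 1 MiB with no newline.
    hPutStr w ("OK\n" ++ replicate (1024 * 1024) 'A')
    hClose w
    h <- openFile path ReadMode
    readBoundedLine maxLineLen h >>= print
    readBoundedLine maxLineLen h >>= print
    hClose h
    removeFile path
```

A caller that receives `TooLong` should close the connection rather than keep reading, since the rest of the oversized line is still pending on the handle.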