Re: Fetch/push lets a malicious server steal the targets of "have" lines

git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed

From: Matt McCutchen <matt@mattmccutchen.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: Fetch/push lets a malicious server steal the targets of "have" lines
Date: Fri, 28 Oct 2016 18:16:01 -0400	[thread overview]
Message-ID: <1477692961.2904.36.camel@mattmccutchen.net> (raw)
In-Reply-To: <xmqqmvhoxhfp.fsf@gitster.mtv.corp.google.com>

On Fri, 2016-10-28 at 15:00 -0700, Junio C Hamano wrote:
> Let me see if I understood your scenario correctly.
> 
> Suppose we start from this history where 'O' are common, your victim
> has a 'Y' branch with two commits that are private to it, as well as
> a 'X' branch on which it has X1 that it previously obtained from the
> server.  On the other hand, the server does not know about Y1 or Y2,
> and it added one commit X2 to the branch 'x' the victim is
> following:
> 
>            victim                server
> 
>              Y1---Y2               
>             /                      
>     ---O---O---X1           ---O---O---X1---X2
> 
> Then when victim wants to fetch 'x' from the server, it would say
> 
>     have X1, have Y2, have Y1, have O
> 
> and gets told to shut up by the server who heard enough.  The
> histories on these two parties will then become like this:
> 
> 
>            victim                server
> 
>              Y1---Y2               
>             /                      
>     ---O---O---X1---X2      ---O---O---X1---X2

Then the server generates a commit X3 that lists Y2 as a parent, even
though it doesn't have Y2, and advances 'x' to X3.  The victim fetches
'x':

           victim                  server

             Y1---Y2----                      (Y2)
            /           \                         \ 
    ---O---O---X1---X2---X3   ---O---O---X1---X2---X3

Then the server rolls back 'x' to X2:

           victim                  server

             Y1---Y2----
            /           \
    ---O---O---X1---X2---X3   ---O---O---X1---X2

And the victim pushes:

           victim                  server

             Y1---Y2----               Y1---Y2----
            /           \             /           \
    ---O---O---X1---X2---X3   ---O---O---X1---X2---X3

Now the server has the content of Y2.

If the victim is fetching and pulling a whole "directory" of refs, e.g:

fetch: refs/heads/*:refs/remotes/server1/*
push: refs/heads/for-server1/*:refs/heads/*

then instead of generating a merge commit, the server can just generate
another ref 'xx' pointing to Y2, assuming it can entice the victim to
set up a corresponding local branch refs/heads/for-server1/xx and push
it back.  Or if the victim is for some reason just mirroring back and
forth:

fetch: refs/heads/*:refs/heads/for-server1/*
push: refs/heads/for-
server1/*:refs/heads/*

then it doesn't have to set up a local branch as separate step.

Matt

next prev parent reply	other threads:[~2016-10-28 22:16 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-28 21:39 Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-28 22:00 ` Junio C Hamano
2016-10-28 22:16   ` Matt McCutchen [this message]
2016-10-29  1:11     ` Junio C Hamano
2016-10-29  3:33       ` Matt McCutchen
2016-10-29 13:39         ` Jeff King
2016-10-29 16:08           ` Matt McCutchen
2016-10-29 19:10             ` Jeff King
2016-10-30  7:53               ` Junio C Hamano
2016-11-13  1:25                 ` [PATCH] fetch/push: document that private data can be leaked Matt McCutchen
2016-11-14  2:57                   ` Junio C Hamano
2016-11-14 18:28                     ` Matt McCutchen
2016-11-14 18:20                       ` [PATCH] doc: mention transfer data leaks in more places Matt McCutchen
2016-11-14 19:19                         ` Junio C Hamano
2016-11-14 19:00                       ` [PATCH] fetch/push: document that private data can be leaked Junio C Hamano
2016-11-14 19:07                         ` Jeff King
2016-11-14 19:47                           ` Junio C Hamano
2016-11-14 19:08                         ` Matt McCutchen
     [not found]         ` <CAPc5daVOxmowdiTU3ScFv6c_BRVEJ+G92gx_AmmKnR-WxUKv-Q@mail.gmail.com>
2016-10-29 16:07           ` Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-30  8:03             ` Junio C Hamano
2016-11-13  2:10               ` Matt McCutchen
2016-10-29 17:38       ` Jon Loeliger
2016-10-30  8:16         ` Junio C Hamano
2016-11-13  2:44           ` Matt McCutchen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1477692961.2904.36.camel@mattmccutchen.net \
    --to=matt@mattmccutchen.net \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).