git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: Jeff Hostetler <git@jeffhostetler.com>
To: Josh Steadmon <steadmon@google.com>,
	Junio C Hamano <gitster@pobox.com>,
	git@vger.kernel.org
Subject: Re: [PATCH v2 07/11] transport: log received server trace2 SID
Date: Thu, 12 Nov 2020 16:30:44 -0500	[thread overview]
Message-ID: <1a60fdab-a203-56d0-8dcd-43f88c29d3ff@jeffhostetler.com> (raw)
In-Reply-To: <20201111225318.GG36751@google.com>



On 11/11/20 5:53 PM, Josh Steadmon wrote:
> On 2020.11.04 13:14, Junio C Hamano wrote:
>> Josh Steadmon <steadmon@google.com> writes:
>>
>>> When a client receives a trace2-sid capability from a protocol v0, v1,
>>> or v2 server, log the received session ID via a trace2 data event.
>>
>> Would this pose a new security threat surface?  Just wondering if we
>> want to ignore the capability if it is not enabled on our end with
>> the configuration.
>>
>> Thanks.
> 
> As Jeff pointed out, the json-writer handles string escapes, so I don't
> think we could cause any trouble with the trace2 "event" target. The
> "normal" target ignores data events, so this would not show up in a
> normal trace2 log. The "perf" target doesn't seem to do any escaping,
> but it's intended to be human readable rather than parseable, so I'm not
> sure if we need to worry there. Jeff, any thoughts?
> 

Only the "event" target prints the SID and it is JSON quoted there.

Neither the "perf" nor "normal" target print them.  The "perf" target
does print the SID "depth" parameter (which is the number of slashes
in the complete SID).

My earlier concerns were about whitespace, CL/LF and other
non-printables in the wire protocol and etc.

Jeff


  reply	other threads:[~2020-11-12 21:30 UTC|newest]

Thread overview: 66+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-29 21:32 [PATCH 00/10] Advertise trace2 SID in protocol capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 01/10] docs: new capability to advertise trace2 SIDs Josh Steadmon
2020-10-29 21:32 ` [PATCH 02/10] docs: new trace2.advertiseSID option Josh Steadmon
2020-10-29 21:32 ` [PATCH 03/10] upload-pack: advertise trace2 SID in v0 capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 04/10] receive-pack: " Josh Steadmon
2020-10-29 21:32 ` [PATCH 05/10] serve: advertise trace2 SID in v2 capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 06/10] transport: log received server trace2 SID Josh Steadmon
2020-10-29 21:32 ` [PATCH 07/10] fetch-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 08/10] upload-pack, serve: log received client trace2 SID Josh Steadmon
2020-10-29 21:32 ` [PATCH 09/10] send-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-10-29 21:32 ` [PATCH 10/10] receive-pack: log received client trace2 SID Josh Steadmon
2020-10-30 15:54 ` [PATCH 00/10] Advertise trace2 SID in protocol capabilities Jeff Hostetler
2020-11-02 22:20   ` Josh Steadmon
2020-11-03 21:22     ` Junio C Hamano
2020-11-05 21:01       ` Jeff Hostetler
2020-11-10 21:37       ` Josh Steadmon
2020-10-30 22:31 ` Junio C Hamano
2020-11-02 22:30 ` [PATCH v2 00/11] " Josh Steadmon
2020-11-02 22:30   ` [PATCH v2 01/11] docs: new capability to advertise trace2 SIDs Josh Steadmon
2020-11-03 21:33     ` Junio C Hamano
2020-11-05 21:00       ` Jeff Hostetler
2020-11-12 14:05         ` Ævar Arnfjörð Bjarmason
2020-11-12 17:32           ` Junio C Hamano
2020-11-12 22:10             ` Jeff Hostetler
2020-11-11 22:40       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 02/11] docs: new trace2.advertiseSID option Josh Steadmon
2020-11-03 21:42     ` Junio C Hamano
2020-11-05 19:28       ` Josh Steadmon
2020-11-05 21:24         ` Junio C Hamano
2020-11-06 11:57           ` Johannes Schindelin
2020-11-02 22:31   ` [PATCH v2 03/11] trace2: add a public function for getting the SID Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 04/11] upload-pack: advertise trace2 SID in v0 capabilities Josh Steadmon
2020-11-03 21:48     ` Junio C Hamano
2020-11-05 18:44       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 05/11] receive-pack: " Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 06/11] serve: advertise trace2 SID in v2 capabilities Josh Steadmon
2020-11-04 21:11     ` Junio C Hamano
2020-11-02 22:31   ` [PATCH v2 07/11] transport: log received server trace2 SID Josh Steadmon
2020-11-04 21:14     ` Junio C Hamano
2020-11-11 22:53       ` Josh Steadmon
2020-11-12 21:30         ` Jeff Hostetler [this message]
2020-11-02 22:31   ` [PATCH v2 08/11] fetch-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-11-04 21:22     ` Junio C Hamano
2020-11-05 18:58       ` Josh Steadmon
2020-11-05 19:21         ` Junio C Hamano
2020-11-11 23:32           ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 09/11] upload-pack, serve: log received client trace2 SID Josh Steadmon
2020-11-04 21:26     ` Junio C Hamano
2020-11-05 19:12       ` Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 10/11] send-pack: advertise trace2 SID in capabilities Josh Steadmon
2020-11-02 22:31   ` [PATCH v2 11/11] receive-pack: log received client trace2 SID Josh Steadmon
2020-11-03  1:02   ` [PATCH v2 00/11] Advertise trace2 SID in protocol capabilities Junio C Hamano
2020-11-11 23:29 ` [PATCH v3 00/11] Advertise session ID " Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 01/11] docs: new capability to advertise session IDs Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 02/11] docs: new transfer.advertiseSID option Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 03/11] trace2: add a public function for getting the SID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 04/11] upload-pack: advertise session ID in v0 capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 05/11] receive-pack: " Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 06/11] serve: advertise session ID in v2 capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 07/11] transport: log received server session ID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 08/11] fetch-pack: advertise session ID in capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 09/11] upload-pack, serve: log received client session ID Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 10/11] send-pack: advertise session ID in capabilities Josh Steadmon
2020-11-11 23:29   ` [PATCH v3 11/11] receive-pack: log received client session ID Josh Steadmon
2020-11-25 22:08   ` [PATCH v3 00/11] Advertise session ID in protocol capabilities Junio C Hamano
2020-11-25 22:56     ` Josh Steadmon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1a60fdab-a203-56d0-8dcd-43f88c29d3ff@jeffhostetler.com \
    --to=git@jeffhostetler.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=steadmon@google.com \
    --subject='Re: [PATCH v2 07/11] transport: log received server trace2 SID' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

git@vger.kernel.org list mirror (unofficial, one of many)

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 git git/ https://public-inbox.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://7fh6tueqddpjyxjmgtdiueylzoqt6pt7hec3pukyptlmohoowvhde4yd.onion/inbox.comp.version-control.git
	nntp://ie5yzdi7fg72h7s4sdcztq5evakq23rdt33mfyfcddc5u3ndnw24ogqd.onion/inbox.comp.version-control.git
	nntp://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/inbox.comp.version-control.git
	nntp://news.gmane.io/gmane.comp.version-control.git
 note: .onion URLs require Tor: https://www.torproject.org/

code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git