From: "James Ramsay"
To: git@vger.kernel.org
Subject: [TOPIC 17/17] Security
Date: Thu, 12 Mar 2020 15:16:04 +1100

1. Demtr: what are people doing to prevent security issues? For example, not allowing things into trees that would be problematic for various filesystems.

2. Jonathan N: transfer fsck objects by default, to validate at the trust boundary (in case some code paths at use time are missing some validation).

3. Peff: we have had buffer overflows, most are logic errors, and mostly path related. Recently we've tightened up which paths are allowed. Forbidding things that might be valid on Linux, but problems on Windows. Can't catch everything though, because Windows is so, so complex.

4. Stolee: I am fearful, and do not know all the rules.

5. Peff: I don't think it is possible.

6. Demetr: only Latin chars, numbers and a few other characters. Do not allow any special symbols.

7. Brian: that's going to break lots of existing projects. Some projects have never been on Windows, and therefore people have no concern about Windows. People check in files that are strange to deliberately test strange files in their own software. If Windows has an API to test file paths, there is not much we can do to protect it. Compatibility is important.

8. Peff: probably some cleanup needed, maybe can't clone git.git. Some paths that are innocuous are a problem in strange situations.

9. Jonathan N: what in Git's design scares the crap out of you?

10. ZJ: GitLab shells out for everything. We had injections. Now we have a DSL to verify things. Looking at --end-of-options.

11. Peff: C is terrifying. Rust rewrite please. Still have integer overflow risks. Tried to deal with it a few years ago, and found some more a few months back. A happy story: OID array uses a signed integer, because no one has more than 2 billion objects. Someone had 3 billion objects. Just the SHA-1s are 60 GB. Found it because it triggered overflow in st_add. As soon as they wrapped around, it crashed, preventing under-allocation.

12. Jeff H: communication between processes

13.

14. Peff: I feel good about where we read and write strings to each other. Maybe if we were using JSON encode/decode it might be easier to handle obscure cases.
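The overflow story in item 11, as an added example that is not git's own code: checked size_t helpers in the spirit of git's st_add()/st_mult() (git's versions die() on overflow; these return a flag so the result can be asserted on), applied to a hypothetical OID array whose count is a signed int that wraps past 2 billion objects.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not git's own code: checked size_t arithmetic in the
 * spirit of git's st_add()/st_mult(). Git's versions die() on overflow;
 * these set *ovf and return 0 so the outcome can be observed. */
static size_t checked_add(size_t a, size_t b, int *ovf)
{
    if (b > SIZE_MAX - a) { *ovf = 1; return 0; }
    return a + b;
}

static size_t checked_mult(size_t a, size_t b, int *ovf)
{
    if (a && b > SIZE_MAX / a) { *ovf = 1; return 0; }
    return a * b;
}

#define OID_RAWSZ 20 /* bytes in a SHA-1 object id; 3e9 of them is ~60 GB */

/* Hypothetical growth step for an OID array whose count is a signed int,
 * as in the story above. Returns the bytes needed for nr + 1 ids, or 0
 * with *ovf set when the arithmetic would wrap. A count that has gone
 * negative becomes a huge size_t here, so the checked multiply trips
 * instead of handing realloc() a wrapped-around, too-small size. */
size_t oid_array_bytes(int nr, int *ovf)
{
    size_t n;
    *ovf = 0;
    n = checked_add((size_t)nr, 1, ovf);
    if (*ovf)
        return 0;
    return checked_mult(n, OID_RAWSZ, ovf);
}

/* What a signed int counter holds after `objects` increments, with the
 * two's-complement wraparound computed explicitly (signed overflow in C
 * is undefined behaviour, so it is never relied on here). */
int wrapped_count(long long objects)
{
    unsigned long long u = (unsigned long long)objects & 0xffffffffULL;
    if (u > (unsigned long long)INT_MAX)
        return (int)((long long)u - 0x100000000LL);
    return (int)u;
}
```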