Age | Commit message (Collapse) | Author |
|
|
|
[ci skip]
|
|
[ci skip]
|
|
git: Upgrade to Git security release v2.38.4.gl1 and v2.37.6.gl1 (v15.6 backport)
See merge request https://gitlab.com/gitlab-org/security/gitaly/-/merge_requests/80
Merged-by: Reuben Pereira <2967854-rpereira2@users.noreply.gitlab.com>
Approved-by: Christian Couder <chriscool@tuxfamily.org>
Approved-by: karthik nayak <knayak@gitlab.com>
Co-authored-by: Patrick Steinhardt <psteinhardt@gitlab.com>
|
|
Upgrade our Git version to v2.38.4.gl1 and v2.37.6.gl1, which pull in
the security release Git v2.38.4 and v2.37.6.gl1 that address the
following CVEs:
- CVE-2023-22490:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link. These two may be
combined to include arbitrary files based on known paths on the
victim's filesystem within the malicious repository's working copy,
allowing for data exfiltration in a similar manner as CVE-2022-39253.
- CVE-2023-23946:
By feeding a crafted input to "git apply", a path outside the working
tree can be overwritten as the user who is running "git apply".
Changelog: security
|
|
Typically, we have up to three different Git versions in Gitaly:
- Two bundled Git versions that can be toggled with a feature flag.
- The distributed Git version.
The distributed Git version will always be matching one of the bundled
Git versions, namely the one that is the current default. So let's
deduplicate these versions and just reuse the bundled Git's version so
that we don't need to remember updating the version in multiple places
on minor version bumps.
|
|
|
|
[ci skip]
|
|
[ci skip]
|
|
|
|
[ci skip]
|
|
[ci skip]
|
|
[ci skip]
|
|
[ci skip]
|
|
ci: Run pipeline on merge commits to stable branches [15.6]
See merge request https://gitlab.com/gitlab-org/security/gitaly/-/merge_requests/75
Merged-by: Alessio Caiazza <acaiazza@gitlab.com>
Approved-by: Patrick Steinhardt <psteinhardt@gitlab.com>
Approved-by: Alessio Caiazza <acaiazza@gitlab.com>
Co-authored-by: James Fargher <proglottis@gmail.com>
|
|
ci: Run pipeline on merge commits to stable branches
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5246
Merged-by: James Fargher <proglottis@gmail.com>
Approved-by: Justin Tobler <jtobler@gitlab.com>
Approved-by: James Fargher <proglottis@gmail.com>
Reviewed-by: Justin Tobler <jtobler@gitlab.com>
Co-authored-by: Steve Abrams <sabrams@gitlab.com>
(cherry picked from commit 4e47b5b3766375c6ac7a94cee742c9e9acca39b1)
|
|
Makefile: Upgrade Git to address out-of-bounds reads and writes (v15.6 backport)
See merge request https://gitlab.com/gitlab-org/security/gitaly/-/merge_requests/71
Merged-by: Reuben Pereira <2967854-rpereira2@users.noreply.gitlab.com>
Approved-by: Toon Claes <toon@gitlab.com>
Approved-by: Christian Couder <chriscool@tuxfamily.org>
Co-authored-by: Patrick Steinhardt <psteinhardt@gitlab.com>
|
|
|
|
[ci skip]
|
|
[ci skip]
|
|
The Git project has published security releases for two different CVEs:
* CVE-2022-41903:
git log has the ability to display commits using an arbitrary
format with its --format specifiers. This functionality is also
exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(, %>(,
%>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit() where a size_t is improperly
stored as an int, and then added as an offset to a subsequent
memcpy() call.
This overflow can be triggered directly by a user running a
command which invokes the commit formatting machinery (e.g., git
log --format=...). It may also be triggered indirectly through
git archive via the export-subst mechanism, which expands format
specifiers inside of files within the repository during a git
archive.
This integer overflow can result in arbitrary heap writes, which
may result in remote code execution.
* CVE-2022-23521:
gitattributes are a mechanism to allow defining attributes for
paths. These attributes can be defined by adding a `.gitattributes`
file to the repository, which contains a set of file patterns and
the attributes that should be set for paths matching this pattern.
When parsing gitattributes, multiple integer overflows can occur
when there is a huge number of path patterns, a huge number of
attributes for a single pattern, or when the declared attribute
names are huge.
These overflows can be triggered via a crafted `.gitattributes` file
that may be part of the commit history. Git silently splits lines
longer than 2KB when parsing gitattributes from a file, but not when
parsing them from the index. Consequentially, the failure mode
depends on whether the file exists in the working tree, the index or
both.
This integer overflow can result in arbitrary heap reads and writes,
which may result in remote code execution.
Upgrade Git to v2.37.5 and v2.38.3 to address these CVEs.
Changelog: security
|
|
Backport 9e89531e to 15-6: Allow empty values for Git configuration
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5229
Merged-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
Approved-by: Patrick Steinhardt <psteinhardt@gitlab.com>
Co-authored-by: Patrick Steinhardt <psteinhardt@gitlab.com>
|
|
The validity checks for our Git configuration is too strict as it does
not allow for empty values. This breaks some valid usecases, like for
example when an administrator wants to unset specific keys.
Drop the check for empty values and accept such keys. We have already
asserted in the preceding commit that Git handles such Git configuration
just fine.
Changelog: fixed
|
|
[ci skip]
|
|
[ci skip]
|
|
Makefile: Upgrade Git to v2.35.4.gl1 and v2.37.4.gl1 (v15.6 backport)
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5189
Merged-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
Approved-by: karthik nayak <knayak@gitlab.com>
Approved-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
Co-authored-by: Patrick Steinhardt <psteinhardt@gitlab.com>
|
|
Git has recently created the bugfix release v2.38.2. This commit
upgrades the Git version used by Gitaly to pull in Git v2.38.2.gl1,
which contains all bugfixes of Git v2.38.2. Furthermore, we have
backported a bunch of patches to fix performance issues when pushing
into repostiories with loads of references. These backported changes
have been released as part of Git v2.39.0 already.
While at it, also bump the Git v2.37 release series to use v2.37.4.gl1.
This includes bugfixes as well as fixes for CVEs that don't apply in the
context of Gitaly. Note that the naming of the `GIT_VERSION_2_37_1`
variable is now kind of awkward as it refers to Git v2.37.4.gl1. We're
phasing out this Git version anyway though, so it doesn't feel worth it
to adjust naming of this variable now.
Changelog: fixed
|
|
In our nightly CI jobs we test with Git's `main` respectivey `next`
branch. Starting with 8bd7becbb (Makefile: Use Gitaly's tagged Git
versions instead of ad-hoc patching, 2022-11-11), we unconditionally
write the `GIT_VERSION` into Git's source tree to override the version
that e.g. `git --version` would report. But when `GIT_VERSION=master`,
then we fail to parse the Git version in Gitaly and thus fail all code
paths that depend on this.
Fix this by introducing a new variable that, if set, skips overriding
the Git version. This variable is set in our nightly jobs now.
|
|
[ci skip]
|
|
[ci skip]
|
|
|
|
[ci skip]
|
|
[ci skip]
|
|
Allow differing relative paths in ReplicateRepository (15.6)
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5081
Merged-by: Toon Claes <toon@gitlab.com>
Approved-by: karthik nayak <knayak@gitlab.com>
Approved-by: Toon Claes <toon@gitlab.com>
Co-authored-by: Sami Hiltunen <shiltunen@gitlab.com>
|
|
ReplicateRepository checks that the relative paths of the source and
the target repositories are the same. This is more of a sanity check
than a requirement. With Prafect rewriting relative paths, this check
fails and causes ReplicateRepository to fail with Praefect in front.
Previously the tests were not running with Praefect enabled which
allowed for this regression to slip through. This commit removes the
check which allows the RPC to work with Praefect enabled. The target
repository has a rewritten relative path as it's where the Gitaly will
store the replicated repository. The source repository's path is not
rewritten by Praefect as Gitaly fetches it by going through the source
storage. If the source storage is hosted by a Praefect, the relative
path would be rewritten at that point by Praefect.
Changelog: fixed
|
|
ReplicateRepository tests are run without Praefect in front of the
Gitalys. This means we don't cover the RPC at all with Praefect which
has allowed a regression to slip through the tests. This commit enables
Praefect in these test cases and for now correctly asserts the behavior
divergence between Praefect and Gitaly. Due to relative path rewriting
in Praefect, the relative paths are equal validation check fails.
TestReplicateRepositoryTransactional still runs with Praefect disabled
as it is testing the transactional behavior and needs to override the
TransactionService. Same goes for TestFetchInternalRemote_successful.
|
|
Our helper for setting up a Praefect server in front of Gitaly nodes
in tests does not set up multiple virtual storages if the Gitaly nodes
have been configured with multiple storages. This makes the helper
unusable in tests which exercise multiple Gitaly storages which causes
us to not cover all of the behavior in tests. This commit configures a
virtual storage for each of the storages a test case configures for
Gitaly so we can better cover these cases with Praefect as well.
|
|
Praefect has an artificial constraint where the configuration is
validated not to have multiple storages hosted by a given Gitaly.
This is not a real requirement. It should be possible to host
multiple storages in a virtual storage on a given Gitaly node. It's
not generally a good idea though given a single node doesn't offer
redundancy. There's shouldn't be a reason to fail hard on this, so
let's remove the check.
Changelog: fixed
|
|
[ci skip]
|
|
[ci skip]
|
|
[ci skip]
|
|
Revert "Merge branch 'wc/user-commit-files-structured-errors' into 'master'"
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5064
Merged-by: Sami Hiltunen <shiltunen@gitlab.com>
Co-authored-by: Patrick Steinhardt <psteinhardt@gitlab.com>
|
|
This reverts merge request !4988
|
|
doc: Add team calendar to onboarding steps
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5055
Merged-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
Approved-by: Quang-Minh Nguyen <qmnguyen@gitlab.com>
Co-authored-by: Andras Horvath <ahorvath@gitlab.com>
|
|
Praefect: Remove clock drift readiness check
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5040
Merged-by: Will Chandler <wchandler@gitlab.com>
Approved-by: Steve Azzopardi <sazzopardi@gitlab.com>
Approved-by: karthik nayak <knayak@gitlab.com>
Approved-by: Pavlo Strokov <pstrokov@gitlab.com>
Co-authored-by: Justin Tobler <jtobler@gitlab.com>
|
|
Upgrade redis gem to v4.8.0
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5056
Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>
|
|
Enable SHA256 mode tests - Low hanging fruit
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5030
Merged-by: Justin Tobler <jtobler@gitlab.com>
Approved-by: Patrick Steinhardt <psteinhardt@gitlab.com>
Approved-by: Justin Tobler <jtobler@gitlab.com>
Co-authored-by: James Fargher <jfargher@gitlab.com>
|
|
blob: Return InvalidArgument error code for invalid input
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5049
Merged-by: Pavlo Strokov <pstrokov@gitlab.com>
Approved-by: Christian Couder <chriscool@tuxfamily.org>
|
|
An invalid request should return an InvalidArgument code to
the caller. Seems like it was broken on one of the
last refactoring or was not done correctly initially. In any
case now it returns a proper code.
This change also simplifies error creation using helpers.
|
|
|