authorJoey Hess <joeyh@joeyh.name>2018-06-21 11:35:27 -0400
committerJoey Hess <joeyh@joeyh.name>2018-06-21 11:36:36 -0400
commit4315bb9e421f2c643e517d8982c6c35b1909c78b (patch)
tree66735764fd2d2b7a7d2a05063c86ab59d75dd966 /Types/Remote.hs
parent537935333f58b4120405bb15a614213fb237d72e (diff)
add retrievalSecurityPolicy
This will be used to protect against CVE-2018-10859, where an encrypted special remote is fed the wrong encrypted data, and so tricked into decrypting something that the user encrypted with their gpg key and did not store in git-annex. It also protects against CVE-2018-10857, where a remote follows a http redirect to a file:// url or to a local private web server. While that's already been prevented in git-annex's own use of http, external special remotes, hooks, etc use other http implementations and could still be vulnerable. The policy is not yet enforced, this commit only adds the appropriate metadata to remotes. This commit was sponsored by Boyd Stephen Smith Jr. on Patreon.
Diffstat (limited to 'Types/Remote.hs')
-rw-r--r--Types/Remote.hs31
1 files changed, 30 insertions, 1 deletions
diff --git a/Types/Remote.hs b/Types/Remote.hs
index f50bcef693..9f61f7041d 100644
--- a/Types/Remote.hs
+++ b/Types/Remote.hs
@@ -2,7 +2,7 @@
-
- Most things should not need this, using Types instead
-
- - Copyright 2011-2017 Joey Hess <id@joeyh.name>
+ - Copyright 2011-2018 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU GPL version 3 or higher.
-}
@@ -18,6 +18,7 @@ module Types.Remote
, Availability(..)
, Verification(..)
, unVerified
+ , RetrievalSecurityPolicy(..)
, isExportSupported
, ExportActions(..)
)
@@ -85,6 +86,8 @@ data RemoteA a = Remote
-- Retrieves a key's contents to a tmp file, if it can be done cheaply.
-- It's ok to create a symlink or hardlink.
, retrieveKeyFileCheap :: Key -> AssociatedFile -> FilePath -> a Bool
+ -- Security policy for reteiving keys from this remote.
+ , retrievalSecurityPolicy :: RetrievalSecurityPolicy
-- Removes a key's contents (succeeds if the contents are not present)
, removeKey :: Key -> a Bool
-- Uses locking to prevent removal of a key's contents,
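Review bot: The comment on the new `retrievalSecurityPolicy` field misspells "retrieving" (`reteiving`); it should read `-- Security policy for retrieving keys from this remote.` Since the commit message says the policy is not yet enforced, the field comment would also help readers by saying what a consumer is meant to do with it, presumably something like `-- Code that transfers content from the remote is expected to honor this.`, hedged until enforcement lands. The RemoteA record this field belongs to starts and ends outside this hunk.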
@@ -165,6 +168,32 @@ unVerified a = do
ok <- a
return (ok, UnVerified)
+-- Security policy indicating what keys can be safely retrieved from a
+-- remote.
+data RetrievalSecurityPolicy
+ = RetrievalVerifiableKeysSecure
+ -- ^ Transfer of keys whose content can be verified
+ -- with a hash check is secure; transfer of unverifiable keys is
+ -- not secure and should not be allowed.
+ --
+ -- This is used eg, when HTTP to a remote could be redirected to a
+ -- local private web server or even a file:// url, causing private
+ -- data from it that is not the intended content of a key to make
+ -- its way into the git-annex repository.
+ --
+ -- It's also used when content is stored encrypted on a remote,
+ -- which could replace it with a different encrypted file, and
+ -- trick git-annex into decrypting it and leaking the decryption
+ -- into the git-annex repository.
+ --
+ -- It's not (currently) used when the remote could alter the
+ -- content stored on it, because git-annex does not provide
+ -- strong guarantees about the content of keys that cannot be
+ -- verified with a hash check.
+ -- (But annex.securehashesonly does provide such guarantees.)
+ | RetrievalAllKeysSecure
+ -- ^ Any key can be securely retrieved.
+
isExportSupported :: RemoteA a -> a Bool
isExportSupported r = exportSupported (remotetype r) (config r) (gitconfig r)