From: "Kristoffer Haugsbakk" <kristofferhaugsbakk@fastmail•com>
To: "Christian Couder" <christian.couder@gmail•com>, git@vger•kernel.org
Cc: "Junio C Hamano" <gitster@pobox•com>,
"Patrick Steinhardt" <ps@pks•im>, "Taylor Blau" <me@ttaylorr•com>,
"Karthik Nayak" <karthik.188@gmail•com>,
"Elijah Newren" <newren@gmail•com>, "Toon Claes" <toon@iotcl•com>,
"Christian Couder" <chriscool@tuxfamily•org>
Subject: Re: [PATCH v3 6/8] promisor-remote: trust known remotes matching acceptFromServerUrl
Date: Sat, 23 May 2026 17:17:20 +0200
Message-ID: <97b9f2cd-7c82-4d4c-b574-31176074e566@app.fastmail.com>
In-Reply-To: <20260519153808.494105-7-christian.couder@gmail.com>

On Tue, May 19, 2026, at 17:38, Christian Couder wrote:
>[snip]
>
> Let's then use this helper in should_accept_remote() so that, a known
> remote whose URL matches the allowlist is accepted.

I don’t understand this comma break?

>
> To prepare for this new logic, let's also:
>
>[snip]
>
> Signed-off-by: Christian Couder <chriscool@tuxfamily•org>

The rest of the commit message looks good to me.

> ---
> Documentation/config/promisor.adoc | 74 +++++++++++++++++++
> Documentation/gitprotocol-v2.adoc | 9 ++-
> promisor-remote.c | 102 +++++++++++++++++++++++---
> t/t5710-promisor-remote-capability.sh | 71 ++++++++++++++++++
> 4 files changed, 242 insertions(+), 14 deletions(-)
>
> diff --git a/Documentation/config/promisor.adoc
>[snip]
> ++
> +Be _VERY_ careful with these patterns: `*` matches any sequence of
> +characters within the 'host' and 'path' parts of a URL (but cannot
> +cross part boundaries). An overly broad pattern is a major security
> +risk, as a matching URL allows a server to update fields (such as
> +authentication tokens) on known remotes without further confirmation.
> +To minimize security risks, follow these guidelines:
> ++

So this introduces a list of precautions to take.

> +1. Start with a secure protocol scheme, like `https://` or `ssh://`.
> ++
> +2. Only allow domain names or paths where you control and trust _ALL_
> + the content. Be especially careful with shared hosting platforms
> + like `github.com` or `gitlab.com`. A broad pattern like
> + `https://gitlab.com/*` is dangerous because it trusts every
> + repository on the entire platform. Always restrict such patterns to
> + your specific organization or namespace (e.g.,
> + `https://gitlab.com/your-org/*`).
> ++
> +3. Never use globs at the end of domain names. For example,
> + `https://cdn.your-org.com/*` might be safe, but
> + `https://cdn.your-org.com*/*` is a major security risk because
> + the latter matches `https://cdn.your-org.com.hacker.net/repo`.
> ++
> +4. Be careful using globs at the beginning of domain names. While the
> + code ensures a `*` in the host cannot cross into the path, a
> + pattern like `https://*.example.com/*` will still match any
> + subdomain. This is extremely dangerous on shared hosting platforms
> + (e.g., `https://*.github.io/*` trusts every user's site on the
> + entire platform).
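
Review bot: guideline 4 says `https://*.example.com/*` matches "any subdomain", but since `*` is described above as matching any sequence of characters within the 'host' part, it presumably also spans several labels (for example `a.b.example.com`). Saying so explicitly, and saying whether a port counts as part of the 'host' for this purpose, would make the boundary of what gets trusted clearer. Guideline 1 could likewise state whether a pattern with a scheme other than `https://` or `ssh://` is refused or only discouraged.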

The list seems to end here, because...

> ++
> +Before matching, both the advertised URL and the pattern are
> +normalized: the scheme and host are lowercased, percent-encoded

This next paragraph seems to go back to describing how things work. But
this paragraph as well as all of the following ones belong to this list
item:

    4. Be careful using globs [...]
    Before matching, [...]
    The glob pattern can [...]
    If a remote with the [...]
    For the security implications [...]
    promisor.checkFields
    [...]

I don’t know what the intent is. But using an open block will delimit
the ordered list.

diff --git Documentation/config/promisor.adoc Documentation/config/promisor.adoc
index cc728bb0b5e..f07a2e883bd 100644
--- Documentation/config/promisor.adoc
+++ Documentation/config/promisor.adoc
@@ -109,6 +109,7 @@ and to update fields (such as authentication tokens) on known remotes
without further confirmation. To minimize security risks, follow these
guidelines:
+
+--
1. Start with a secure protocol scheme, like `https://` or `ssh://`.
+
2. Only allow domain names or paths where you control and trust _ALL_
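Review bot: inside the new open block, the `+` continuation line between items 1 and 2 (and presumably between the later items) is kept as context. Those lines presumably exist to keep each item attached to the enclosing entry, and once the whole list sits inside `--` they may no longer be needed; blank lines between the items might be the cleaner form. It is worth building the page with both AsciiDoc and Asciidoctor to confirm the four guidelines still render as one flat list numbered 1 to 4.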
@@ -130,6 +131,7 @@ guidelines:
subdomain. This is extremely dangerous on shared hosting platforms
(e.g., `https://*.github.io/*` trusts every user's site on the
entire platform).
+--
+
Before matching, both the advertised URL and the pattern are
normalized: the scheme and host are lowercased, percent-encoded
>[snip]