Mercurial > hg
view tests/test-hgweb-csp.t @ 37147:a2566597acb5
lfs: add basic routing for the server side wire protocol processing
The recent hgweb refactoring yielded a clean point to wrap a function that could
handle this, so I moved the routing for this out of the core. While not an hg
wire protocol, this seems logically close enough. For now, these handlers do
nothing other than check permissions.
The protocol requires support for PUT requests, so that has been added to the
core, and funnels into the same handler as GET and POST. The permission
checking code was assuming that anything not checking 'pull' or None ops should
be using POST. But that breaks the upload check if it checks 'push'. So I
invented a new 'upload' permission, and used it to avoid the mandate to POST. A
function wrap point could be added, but security code should probably stay
grouped together. Given that anything not 'pull' or None was requiring POST,
the comment on hgweb.common.permhooks is probably wrong- there is no 'read'.
The rationale for the URIs is that the spec for the Batch API[1] defines the URL
as the LFS server url + '/objects/batch'. The default git URLs are:
Git remote: https://git-server.com/foo/bar
LFS server: https://git-server.com/foo/bar.git/info/lfs
Batch API: https://git-server.com/foo/bar.git/info/lfs/objects/batch
'.git/' seems like it's not something a user would normally track. If we adhere
to how git defines the URLs, then the hg-git extension should be able to talk to
a git based server without any additional work.
The URI for the transfer requests starts with '.hg/' to ensure that there are no
conflicts with tracked files. Since these are handed out by the Batch API, we
can change this at any point in the future. (Specifically, it might be a good
idea to use something under the proposed /api/ namespace.) In any case, no
files are stored at these locations in the repository directory.
I started a new module for this because it seems like a good idea to keep all of
the security sensitive server side code together. There's also an issue with
`hg verify` in that it will want to download *all* blobs in order to run.
Sadly, there's no way in the protocol to ask the server to verify the content of
a blob it may have. (The verify action is for storing files on a 3rd party
server, and then informing the LFS server when that completes.) So we may end
up implementing a custom transfer adapter that simply indicates if the blobs are
valid, and fall back to basic transfers for non-hg servers. In other words,
this code is likely to get bigger before this is made non-experimental.
[1] https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md
| author | Matt Harbison <matt_harbison@yahoo.com> |
|---|---|
| date | Sat, 17 Mar 2018 01:23:01 -0400 |
| parents | 45a816361926 |
| children | d105bbb74658 |
line wrap: on
line source
#require serve $ cat > web.conf << EOF > [paths] > / = $TESTTMP/* > EOF $ hg init repo1 $ cd repo1 $ touch foo $ hg -q commit -A -m initial $ cd .. $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid >> $DAEMON_PIDS repo index should not send Content-Security-Policy header by default $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows static page should not send CSP by default $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows repo page should not send CSP by default, should send ETag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows etag: W/"*" (glob) $ killdaemons.py Configure CSP without nonce $ cat >> web.conf << EOF > [web] > csp = script-src https://example.com/ 'unsafe-inline' > EOF $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid > $DAEMON_PIDS repo index should send Content-Security-Policy header when enabled $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' static page should send CSP when enabled $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' repo page should send CSP by default, include etag w/o nonce $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows content-security-policy: script-src https://example.com/ 'unsafe-inline' etag: W/"*" (glob) nonce should not be added to html if CSP doesn't use it $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script' <script type="text/javascript" src="/repo1/static/mercurial.js"></script> <script type="text/javascript"> <script type="text/javascript"> Configure CSP with nonce $ killdaemons.py $ cat >> web.conf << EOF > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%' > EOF $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf $ cat hg.pid > $DAEMON_PIDS nonce should be substituted in CSP header $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce should be included in CSP for static pages $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) repo page should have nonce, no ETag $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce should be added to html when used $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script' content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) <script type="text/javascript" src="/repo1/static/mercurial.js"></script> <script type="text/javascript" nonce="*"> (glob) <script type="text/javascript" nonce="*"> (glob) hgweb_mod w/o hgwebdir works as expected $ killdaemons.py $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'" $ cat hg.pid > $DAEMON_PIDS static page sends CSP $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag 200 Script output follows content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) nonce included in <script> and headers $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script' content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob) <script type="text/javascript" src="/static/mercurial.js"></script> <script type="text/javascript" nonce="*"> (glob) <script type="text/javascript" nonce="*"> (glob)