New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/go: allow go-import tags to point to file:// URLs #37832
Comments
The CL in question enabled the use of For |
Since you're implementing an HTTP server anyway, why not implement the
A |
In fact the server is available using HTTP and not HTTPS, since, being on localhost, a trusted certificate is not necessary and I don't want to install a self signed certificate in the system. Thanks. |
A I don't see any fundamental technical reason why a |
I do plan to also implement the The advantage of a |
I have to correct myself. The |
If there is an appropriate entry in the However, there is no way to tell the |
And with a non standard port:
|
Port 80 should be |
Also, a |
Change https://golang.org/cl/223339 mentions this issue: |
Posted a CL for consideration. I'm still not sure whether we want it, but behind the |
Thanks. As I wrote, it would be useful for allowing the use of local private modules without having to change too many configuration files (like With an HTTP server implementing the As an example:
These variables can be automatically set by the server at startup. |
@bcmills: what contract should try to prove the integration test? |
@perillo, I think the (But I'd want to get a consensus on that from the others I CC'd before actually committing to that behavior.) |
Can you clarify the exfiltration attack you mentioned? I have tried to google for exfiltration attacks against git, and found only https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10857. Thanks. |
Also note that one can implement a custom remote protocol So I don't think that the |
Suppose that I know (perhaps because the server's code and configuration are open-source) that a server running some Then I could set up a server at <meta name="go-import" content="example.com/evil git file:///etc/secret.git"> Then I could run So a public proxy generally should not follow a |
Thanks. Is it correct to say that this is a problem of missing validation by a server software (the The |
No, that is not correct. A |
Isn't this in contrast with https://golang.org/pkg/archive/zip/#FileHeader ? Thanks. |
What does
|
|
The |
From the point of view of the user of the The protocol policy was added in this commit: git/git@f1762d7 Note how the git team consider the |
I think that the problem of a Go module proxy implemented using the What about updating the
Thanks |
As noted earlier, there is no point of user interaction in between the The insecurity is not in the |
I assume that the flow of a Go proxy is
The security is in 4, since when using the With the additional fields in the These fields can also be used for statistical purpose. |
Yes, that is correct. Security at step (4) requires the user to explicitly check for metadata. We want the default behavior — without checking metadata — to be secure, so step (3) must not succeed in the insecure scenario unless the user has taken explicit action to opt-in. |
Sorry for taking so long to respond. The problem with this proposal is that it mixes remote and local contexts. A remote, untrusted, potentially attacker-controlled source gets to make the go client perform actions on a local resource, which would otherwise not be accessible to the attacker. That's recipe for disaster. Beyond the proxy example @bcmills already identified, any behaviors that surface contents of a module being fetched become attacker controlled. For example if that module has some secret dependencies, they will presumably be fetched. Gating it behind To draw a parallel with browsers, this is the difference between HTTPS warnings (for which This will be a massive security liability, and I strongly recommend against implementing it. |
Thanks for the response. If As for my proxy, I have implemented the Git HTTP protocol, so the |
I think this issue can be closed. Thanks. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I'm writing an HTTP server that implements vanity import paths for local modules.
Given an HTTP request, it searches the module in
GOPATH
and return an HTML page implementing thego-get
protocol, but using thefile
scheme instead ofhttps
.Example:
go get -insecure test.local/term
works correctly withgo1.12
but does not work with the current version, due to https://golang.org/cl/181037.The commit message says that the change was to add support to
file://
URLs, but it actually addedthat prevents the
file
scheme from working.I have commented that code in
gotip
, andgo get
works fine.Why disallow the
file
scheme? As far as I understand, therepo-root
will be consumed by git, not the go tool.The text was updated successfully, but these errors were encountered: