delta/gitlab/gitlab-shell.git/lib/gitlab_shell.rb, branch use-ssh-key-internal-api

get git annex to work when using custom SSH port

2016-03-16T09:50:37+00:00

Merge branch 'stricter-exec_cmd' into 'master'

2015-12-01T15:32:37+00:00


Stricter exec cmd

In response to the gitlab-shell 2.6.6-2.6.7 remote code execution
vulnerability.

See merge request !33

Add comment about untrusted origin_cmd

2015-11-26T16:33:08+00:00

Merge branch 'y/git-home' into 'master'

2015-11-25T18:15:38+00:00


Pass $HOME to git as well

[ this patch has the same rationale and reasoning as
  https://gitlab.com/gitlab-org/gitlab-workhorse/commit/0d0bd209

  details follow ]

Git has 3 places for configs:

    - system
    - global (per user), and
    - local  (per repository)

System config location is hardcoded at git compile time (to usually
$prefix/etc/gitconfig). Local configuration is usually picked because we
pass full repo path to subcommand. But global configuration is currently not
picked at all, because HOME env variable is not passed to git.

Pass $HOME through and let git see it's "global" config.

Currently GitLab omnibus stores gitlab user name/email  + "autocrlf =
true" in global config, so missing it should not be a blocker for
receive/send-pack operations. But having it is more correct and can be
handy in the future if/when more git operations are done from-under
gitlab-shell.

Having $HOME properly set is also needed when one cannot change system
git config and have to put site-wide configuration into global git
config under $HOME.

That was the case I've hit and the reason for this patch.

/cc @dzaporozhets, @jacobvosmaer

See merge request !32

Limit availability of SSH_ORIGINAL_COMMAND

2015-11-25T16:53:31+00:00

Hoping this makes it more obvious when code touches the very
unsafe contents of this variable.

Disallow execing strings

2015-11-25T16:40:01+00:00

Passing strings to Kernel::exec leads to remote code execution.

Revert "Run git-lfs-authenticate script with original command line arguments"

2015-11-25T11:55:05+00:00

This reverts commit 8449979ff029af51be0c675c5b6262bc4adc8b3d.

Signed-off-by: Dmitriy Zaporozhets

Pass $HOME to git as well

2015-11-24T17:34:12+00:00

[ this patch has the same rationale and reasoning as
  https://gitlab.com/gitlab-org/gitlab-workhorse/commit/0d0bd209

  details follow ]

Git has 3 places for configs:

    - system
    - global (per user), and
    - local  (per repository)

System config location is hardcoded at git compile time (to usually
$prefix/etc/gitconfig). Local configuration is usually picked because we
pass full repo path to subcommand. But global configuration is currently not
picked at all, because HOME env variable is not passed to git.

Pass $HOME through and let git see it's "global" config.

Currently GitLab omnibus stores gitlab user name/email  + "autocrlf =
true" in global config, so missing it should not be a blocker for
receive/send-pack operations. But having it is more correct and can be
handy in the future if/when more git operations are done from-under
gitlab-shell.

Having $HOME properly set is also needed when one cannot change system
git config and have to put site-wide configuration into global git
config under $HOME.

That was the case I've hit and the reason for this patch.

Merge branch 'master' of gitlab.com:gitlab-org/gitlab-shell into no-init-on-gcryptsetup

2015-10-01T09:48:08+00:00

Merge branch 'bozaro/gitlab-shell-git-lfs-authenticate'

2015-09-10T10:24:27+00:00

Signed-off-by: Dmitriy Zaporozhets