silberengel
/
gitrepublic-web
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 Commits
1 Branch
0 Tags
13 MiB
 
 
 
 
 
Tree: 143eb337da
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '143eb337da'
${ noResults }
gitrepublic-web/docs/SECURITY.md

7.2 KiB
Raw Blame History Escape

Security Analysis

Current Security Model

This is a multi-tenant system where multiple users (identified by Nostr pubkeys/npubs) share the same server instance with application-level isolation but no process or filesystem isolation.

Security Measures in Place

  1. Path Validation

    • File paths are validated and sanitized
    • Path traversal attempts (..) are blocked
    • Absolute paths are rejected
    • Null bytes and control characters are blocked
    • Path length limits enforced (4096 chars)

  2. Input Validation

    • npub format validation (must be valid bech32)
    • Repository name validation (alphanumeric, hyphens, underscores, dots only)
    • No path separators allowed in repo names

  3. Access Control

    • Repository ownership verified via Nostr events
    • Private repos require NIP-98 authentication
    • Maintainer checks before allowing write operations
    • Ownership transfer chain validation

  4. Path Construction

    • Uses path.join() which prevents path traversal
    • Repository path: join(repoRoot, npub, ${repoName}.git)
    • File paths within repos are validated separately

Security Concerns

Critical: No Process Isolation

Issue: All repositories run in the same Node.js process. If an attacker compromises one repository or finds a code execution vulnerability, they could potentially:

  • Access other users' repositories
  • Read/write files outside the repo directory
  • Access server configuration or secrets

Mitigation:

  • Path validation prevents most traversal attacks
  • Access control checks prevent unauthorized access
  • But a process-level compromise would bypass these

High: git-http-backend Security - IMPROVED

Previous Issue: git-http-backend was spawned with GIT_PROJECT_ROOT set to the entire repoRoot, allowing potential access to all repositories.

Current Protection ( IMPLEMENTED):

  • GIT_PROJECT_ROOT now set to specific repository path (not entire repoRoot)
  • PATH_INFO adjusted to be relative to the repository
  • Path validation ensures repository path is within repoRoot
  • Limits git-http-backend's view to only the intended repository

Remaining Concerns:

  • No chroot/jail isolation (git-http-backend still runs in same process context)
  • If git-http-backend has vulnerabilities, it could still access files within the repo
  • Runs as dedicated gitrepublic user (non-root) - IMPLEMENTED

Medium: No Resource Limits Per Tenant

Issue: No per-user resource limits:

  • One user could exhaust disk space (2GB per repo limit, but unlimited repos)
  • One user could exhaust memory/CPU
  • No rate limiting per user

Current Protection:

  • 2GB repository size limit
  • 500MB per-file limit
  • But no per-user quotas

Medium: Filesystem Access - IMPROVED

Previous Issue: Repository paths were not validated to ensure they stayed within repoRoot.

Current Protection ( IMPLEMENTED):

  • Repository path validation using resolve() to check absolute paths
  • Ensures resolved repository path starts with resolved repoRoot
  • Prevents path traversal attacks at the repository level
  • File path validation within repositories (already existed)
  • Access control checks for private repos

Remaining Concerns:

  • No chroot/jail isolation
  • All repos readable by the same process user
  • Relies on application logic, not OS-level isolation

Low: Network Isolation

Issue: All repos accessible from same endpoints:

  • No network-level isolation between tenants
  • All repos share same IP/domain

Impact: Low - this is expected for a multi-tenant service

Security Improvements Made

Implemented (2024)

  1. Repository Path Validation

    • Added resolve() checks to ensure repository paths stay within repoRoot
    • Prevents path traversal attacks at the repository level
    • Applied to all git operations (GET and POST handlers)

  2. git-http-backend Isolation

    • Changed GIT_PROJECT_ROOT from entire repoRoot to specific repository path
    • Adjusted PATH_INFO to be relative to the repository
    • Limits git-http-backend's view to only the intended repository

  3. File Path Validation (Already existed)

    • Validates file paths within repositories
    • Prevents path traversal within repos
    • Blocks absolute paths, null bytes, control characters

Recommendations

Implemented (2024)

  1. Resource Limits - IMPLEMENTED

    • Per-user repository count limits (configurable via MAX_REPOS_PER_USER)
    • Per-user disk quota (configurable via MAX_DISK_QUOTA_PER_USER)
    • Rate limiting per user/IP (configurable via RATE_LIMIT_* env vars)
    • Applied to fork operations and repository creation

  2. Audit Logging - IMPLEMENTED

    • Logs all repository access attempts
    • Logs all file operations (read/write/delete)
    • Logs authentication attempts
    • Logs ownership transfers
    • Structured JSON logging format

  3. Enhanced git-http-backend Security - IMPLEMENTED

    • Operation timeouts (5 minutes max)
    • Process isolation (no shell, minimal environment)
    • Audit logging for all git operations
    • Path validation and scoping
    • Chroot/jail still not implemented (complex, requires root or capabilities)

Remaining (Medium Priority)

Medium Priority

  1. Process Isolation (Complex)

    • Run each tenant in separate container/process
    • Use Docker with per-tenant containers
    • Significant architectural change

  2. Filesystem Isolation

    • Use bind mounts with restricted permissions
    • Implement per-tenant filesystem quotas
    • Use separate volumes per tenant

  3. Audit Logging - IMPLEMENTED

    • Log all repository access attempts
    • Log all file operations
    • Monitor for suspicious patterns (requires log analysis tools)

Long-term

  1. Container-per-Tenant Architecture

    • Each user gets their own container
    • Complete isolation
    • Higher resource overhead

  2. Kubernetes Namespaces

    • Use K8s namespaces for tenant isolation
    • Network policies for isolation
    • Resource quotas per namespace

Current Security Posture

For a decentralized, open-source git hosting service, the current security model is reasonable but not enterprise-grade:

Adequate for:

  • Public repositories
  • Open-source projects
  • Personal/community hosting
  • Low-to-medium security requirements

Not adequate for:

  • Enterprise multi-tenant SaaS
  • Highly sensitive/regulated data
  • Environments requiring strict compliance (HIPAA, PCI-DSS, etc.)
  • High-security government/military use

Conclusion

The system uses application-level security with good input validation and access control, but lacks OS-level isolation. This is a common trade-off for multi-tenant services - it's simpler and more resource-efficient, but less secure than process/container isolation.

Recommendation: For most use cases (public repos, open-source hosting), the current model is acceptable. For enterprise or high-security use cases, consider implementing process/container isolation.