Hi, I'm currently writing a webserver (REST API) which will run certain git commands such as "git clone" when a repository link is given via endpoint. I'm wondering how I can make this secure. There are a couple of security flaws that I could think of:

- cloning a huge repository will take a long time (how can I check the repository size?)

- cloning a couple of repositories at the same time might make the server slow

- running shell commands on the actual system might be dangerous

First thing I thought of was running these git commands in Docker. But I'm not sure that's applicable since everything will be running inside Docker anyways. What would be the best way of doing this?
Look at https://nodered.org/ , many people use it for automating stuff.

The DIY version:

I'm sure there are better ways, but that's how I would do it:

> how can I check the repository size?

[1] https://stackoverflow.com/questions/8185276/find-size-of-git-repository

> cloning a couple of repositories at the same time might make the server slow

Long-running operations must run asynchronously. I would implement that as: client sends HTTP request to the server, server responds with a job ID and creates a temp directory with a random name containing information about the job (e.g. parameters). A scheduler (cron?) picks up the job, changes status, executes it. The scheduler can decide on parallelisation. The scheduler must run as a low-privileged user, possibly in a container as you suggested. The client needs to poll the server for job status.

> running shell commands on the actual system might be dangerous

The method described earlier partly mitigates that as the process doesn't run in the web server. I would create special job types (e.g. one shell script for checking out, one for committing, one for pushing etc.) and sanitise arguments (e.g. no weird characters allowed). Running each job in a sub-directory of its own limits spill-over.
Don't run web services as root.

Use net capabilities if you need TCP port bindings below 1024.

I'd also recommend running the git commands inside a forked process with another user in the same group (which has limited access to the filesystem). Alternatively use the git user/group and add the web service daemon user to the git group.

Also check that your Linux distribution doesn't have binaries with the sticky flag set which could be used for privilege escalation. Double-check the list of gtfobins [1] against your system's installed packages/binaries.

[1] https://gtfobins.github.com
Look into using ‘sudo’.
Sudo is not just for running things as root.
It can also be used to allow a web service (Apache+PHP) to call a specific program (git) as a specific user (e.g. nobody).
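The two suggestions above (the job runner that sanitises its arguments and executes git outside the web process, and sudo used to run git as a specific unprivileged user) fit together in one small piece of code. The following is an added example, not code from any poster in this thread: it validates the repository URL against a constructed allowlist, builds the git argv directly (no shell), runs it via `sudo -u` as a dedicated account, caps concurrent clones and wall-clock time, and keeps every job in its own directory. The account name `gitjobs`, the git path, the sudoers rule in the comment and the allowed hosts are all assumptions for the example.

```python
"""Added example: a clone job runner for a REST API. Not from the thread;
GIT_JOB_USER, GIT_BINARY, ALLOWED_HOSTS and the sudoers rule are assumptions."""
import re
import shutil
import subprocess
import threading
import uuid
from pathlib import Path

# Assumed deployment: the web service runs as an unprivileged user (www-data)
# and a rule in /etc/sudoers.d/ lets it run git only as the gitjobs account:
#   Defaults:www-data env_keep += "GIT_TERMINAL_PROMPT"
#   www-data ALL=(gitjobs) NOPASSWD: /usr/bin/git
# The rule grants the whole git binary, so the URL validation below is what
# actually limits what gets executed. Both users are assumed to share a group,
# and the jobs root is assumed to be setgid so new job directories inherit it.
GIT_JOB_USER = "gitjobs"          # assumed dedicated low-privilege account
GIT_BINARY = "/usr/bin/git"       # assumed path; must match the sudoers rule
ALLOWED_HOSTS = frozenset({"github.com", "gitlab.com"})   # constructed allowlist
MAX_CONCURRENT_CLONES = 2
CLONE_TIMEOUT_SECONDS = 300

# Only https, a known host, and a conservative path charset whose first
# character is alphanumeric. This rejects ssh/file/ext transports, whitespace,
# leading dots and anything that looks like an option.
_URL_RE = re.compile(
    r"^https://(?P<host>[a-z0-9.-]+)/(?P<path>[A-Za-z0-9][A-Za-z0-9._/-]*)$"
)


def validate_repo_url(url: str) -> str:
    """Return url unchanged if it is allowed, else raise ValueError."""
    m = _URL_RE.fullmatch(url)
    if m is None or m.group("host") not in ALLOWED_HOSTS:
        raise ValueError("repository URL not allowed")
    if ".." in m.group("path") or len(url) > 512:
        raise ValueError("repository URL not allowed")
    return url


def build_clone_argv(url: str, dest) -> list:
    """argv for a shallow clone, executed directly (no shell) as GIT_JOB_USER."""
    validate_repo_url(url)
    return [
        "sudo", "-n", "-u", GIT_JOB_USER, "--",      # -n: never prompt for a password
        GIT_BINARY, "clone", "--depth", "1", "--no-tags",
        "--", url, str(dest),                       # "--" ends git's option parsing
    ]


# Bounds how many clones run at once; the web handler should enqueue and
# return a job id, then let a worker call run_clone_job().
_slots = threading.BoundedSemaphore(MAX_CONCURRENT_CLONES)


def run_clone_job(url: str, jobs_root) -> dict:
    """Clone url into a fresh per-job directory and report a status record."""
    job_id = uuid.uuid4().hex
    job_dir = Path(jobs_root) / job_id
    job_dir.mkdir(mode=0o770)     # group-writable so GIT_JOB_USER can write into it
    argv = build_clone_argv(url, job_dir / "repo")
    # Minimal environment; GIT_TERMINAL_PROMPT=0 makes git fail instead of
    # hanging on a credential prompt for private or non-existent repositories.
    env = {"PATH": "/usr/bin:/bin", "GIT_TERMINAL_PROMPT": "0"}
    with _slots:
        try:
            proc = subprocess.run(
                argv, env=env, cwd=job_dir, capture_output=True, text=True,
                timeout=CLONE_TIMEOUT_SECONDS,
            )
        except subprocess.TimeoutExpired:
            shutil.rmtree(job_dir, ignore_errors=True)
            return {"job_id": job_id, "status": "timeout"}
    status = "done" if proc.returncode == 0 else "failed"
    return {"job_id": job_id, "status": status, "stderr": proc.stderr[-1000:]}
```

The point of building an argv list rather than a command string is that the URL is never interpreted by a shell, and the `--` before it stops git from reading a value such as `--upload-pack=...` as an option; the allowlist regex is the second layer and is deliberately stricter than what git would accept. Repository size still cannot be known before the clone, which is why the timeout and the shallow clone are there.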