gitdata.ai/gitks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(bare): enhance security and performance optimizations

Browse Source 
- Remove unnecessary sorting in advertise_refs for deterministic output
- Add path traversal detection and validation in bare_dir construction
- Implement symlink resolution checks to prevent security vulnerabilities
- Refactor cache system with CRC validation and improved metrics
- Integrate repo-specific cache invalidation using indexed keys
- Add comprehensive unit tests for commit operations and diff functionality
- Move configuration constants to centralized config module
- Optimize string operations in disk cache random value generation
- Enhance license detection algorithm with cleaner matching logic
- Streamline argument processing in various git operations
- Update dependencies including crc32fast and flate2 for performance
- Add signal handling capability to tokio runtime configuration
This commit is contained in:
zhenyi
2026-06-12 15:04:12 +08:00
parent e386f44ee2
commit 10a4398e81
41 changed files with 1373 additions and 365 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pack/advertise_refs.rs
-2
View File
@@ -42,7 +42,6 @@ impl GitBare {
symbolic_target,
});
}
// Sort by name for deterministic output
references.sort_by(|a, b| a.name.cmp(&b.name));
Ok(AdvertiseRefsResponse {
references,
@@ -68,7 +67,6 @@ impl GitBare {
let bare_dir_str = self.bare_dir.to_string_lossy().into_owned();
let stateless = request.protocol.as_ref().is_some_and(|p| p.stateless);
// Default to upload-pack if service is unspecified
let subcommand = if request.service == "git-receive-pack" {
"receive-pack"
} else {
pack/index_pack.rs
-5
View File
@@ -18,7 +18,6 @@ impl GitBare {
let pack_dir = self.bare_dir.join("objects").join("pack");
std::fs::create_dir_all(&pack_dir).map_err(GitError::Io)?;
// Stream pack data to a temp file instead of accumulating in memory
let mut tmp_file = tempfile::Builder::new()
.prefix("tmp_index_pack_")
.tempfile_in(&pack_dir)
@@ -41,7 +40,6 @@ impl GitBare {
return Err(GitError::InvalidArgument("empty pack data".into()));
}
// Flush and get the path before we pass it to git
tmp_file.flush().map_err(GitError::Io)?;
let tmp_path = tmp_file.path().to_path_buf();
@@ -64,7 +62,6 @@ impl GitBare {
.unchecked()
.run()?;
// Drop the temp file handle — git index-pack has processed it
drop(tmp_file);
if !result.status.success() {
@@ -74,7 +71,6 @@ impl GitBare {
});
}
// Parse the output to extract the pack hash
let output = String::from_utf8_lossy(&result.stdout);
let stderr = String::from_utf8_lossy(&result.stderr);
let all_output = format!("{output}\n{stderr}");
@@ -96,7 +92,6 @@ impl GitBare {
})
.next();
// Try to get object count from .idx if it exists
let mut object_count = 0u64;
if let Some(ref hash) = pack_hash {
let idx_path = pack_dir.join(format!("pack-{hash}.idx"));
pack/list_packfiles.rs
-1
View File
@@ -30,7 +30,6 @@ impl GitBare {
.filter(|hex| !hex.is_empty())
.map(|hex| self.oid_to_pb(hex));
// Count objects
let mut object_count = 0u64;
if let Some(hash_str) = base_name.strip_prefix("pack-") {
let idx_path = pack_dir.join(format!("pack-{hash_str}.idx"));
pack/receive_pack.rs
+1 -9
View File
@@ -1,5 +1,4 @@
use std::process::Stdio;
use std::time::Duration;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::process::Command;
@@ -8,13 +7,9 @@ use tokio_stream::wrappers::ReceiverStream;
use super::CancellableReceiverStream;
use crate::bare::GitBare;
use crate::config::{MAX_RECEIVE_PACKET_BYTES, MAX_RECEIVE_STDERR_BYTES, RECEIVE_PACK_TIMEOUT};
use crate::pb::ReceivePackResponse;
/// Maximum time allowed for a git receive-pack process before it is killed.
const RECEIVE_PACK_TIMEOUT: Duration = Duration::from_secs(1800); // 30 minutes
const MAX_RECEIVE_PACKET_BYTES: usize = 16 * 1024 * 1024;
const MAX_RECEIVE_STDERR_BYTES: u64 = 64 * 1024;
impl GitBare {
/// Receive pack data using git-receive-pack with true concurrent streaming.
///
@@ -41,7 +36,6 @@ impl GitBare {
let (tx, rx) = tokio::sync::mpsc::channel(16);
// Use a cancellation token to track client disconnect
let cancel_token = tokio_util::sync::CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
@@ -154,7 +148,6 @@ impl GitBare {
}
};
// Run all three concurrently with timeout
let _process_future = tokio::join!(stdin_task, stdout_task, stderr_task);
match tokio::time::timeout(RECEIVE_PACK_TIMEOUT, child.wait()).await {
@@ -189,7 +182,6 @@ impl GitBare {
}
});
// When the ReceiverStream is dropped (client disconnect), cancel the background task
let rx_stream = ReceiverStream::new(rx);
let cancel_guard = cancel_token_clone.clone().drop_guard();
pack/upload_pack.rs
-6
View File
@@ -41,11 +41,9 @@ impl GitBare {
let (tx, rx) = tokio::sync::mpsc::channel(16);
// Use a cancellation token to track client disconnect
let cancel_token = tokio_util::sync::CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
// Move input into the spawned task to make it 'static
let stream = Box::pin(input);
tokio::spawn(async move {
let stream = stream;
@@ -77,7 +75,6 @@ impl GitBare {
let mut stdout = child.stdout.take();
let mut stderr = child.stderr.take();
// Concurrent: write stdin packets, read stdout chunks, read stderr
let stdin_task = {
let mut stream = stream;
let cancel = cancel_token.clone();
@@ -102,7 +99,6 @@ impl GitBare {
Err(_) => break,
}
}
// Close stdin to signal end-of-input
drop(stdin);
}
}
@@ -157,7 +153,6 @@ impl GitBare {
}
};
// Run all three concurrently with timeout
let _process_future = tokio::join!(stdin_task, stdout_task, stderr_task);
match tokio::time::timeout(UPLOAD_PACK_TIMEOUT, child.wait()).await {
@@ -192,7 +187,6 @@ impl GitBare {
}
});
// When the ReceiverStream is dropped (client disconnect), cancel the background task
let rx_stream = ReceiverStream::new(rx);
let cancel_guard = cancel_token_clone.clone().drop_guard();