refactor(server): replace custom remote clients with macro-based implementation

- Replaced manual remote client functions with remote_client! macro for archive, blame, branch, commit, and diff services
- Simplified remote client creation logic using declarative macro approach
- Maintained the same functionality while reducing code duplication across services

security(bare): enhance path traversal protection with comprehensive validation

- Added early relative_path validation to prevent path traversal attacks
- Implemented unified path validation to avoid TOCTOU race conditions
- Enhanced canonicalization checks for both existing and non-existent paths
- Added detailed logging for path traversal detection attempts

feat(cache): migrate from CLruCache to Moka with TTL and invalidation support

- Replaced clru dependency with moka for improved caching capabilities
- Added 300-second time-to-live for cache entries
- Implemented repository-specific cache invalidation mechanism
- Enhanced cache operations with thread-safe async support

refactor(commit): improve security validation for commit operations

- Added ref name validation to prevent command injection in cherry_pick_commit
- Implemented revision validation for commit selectors
- Added comprehensive input validation for create_commit parameters
- Enhanced file path validation to prevent traversal
zhenyi
2026-06-08 09:43:57 +08:00
parent 8c95eb230d
commit d243dce027
60 changed files with 1746 additions and 561 deletions
+66 -31
@@ -1,6 +1,6 @@
use std::path::PathBuf;
use crate::actor::message::RefUpdateEvent;
use crate::pb::Oid;
use std::path::{Path, PathBuf};
pub struct BundleApplicator {
pub repo_path: PathBuf,
@@ -13,7 +13,13 @@ impl BundleApplicator {
pub fn apply_bundle(&self, data: &[u8]) -> Result<(), String> {
let mut child = std::process::Command::new("git")
.args(["--git-dir", &self.repo_path.to_string_lossy(), "bundle", "unbundle", "-"])
.args([
"--git-dir",
&self.repo_path.to_string_lossy(),
"bundle",
"unbundle",
"-",
])
.stdin(std::process::Stdio::piped())
.stdout(std::process::Stdio::piped())
.stderr(std::process::Stdio::piped())
@@ -21,9 +27,13 @@ impl BundleApplicator {
.map_err(|e| format!("spawn git bundle unbundle: {e}"))?;
use std::io::Write;
if let Some(ref mut stdin) = child.stdin {
stdin.write_all(data).map_err(|e| format!("write bundle: {e}"))?;
stdin
.write_all(data)
.map_err(|e| format!("write bundle: {e}"))?;
}
let output = child.wait_with_output().map_err(|e| format!("wait bundle: {e}"))?;
let output = child
.wait_with_output()
.map_err(|e| format!("wait bundle: {e}"))?;
if !output.status.success() {
return Err(String::from_utf8_lossy(&output.stderr).into_owned());
}
@@ -31,7 +41,7 @@ impl BundleApplicator {
}
}
pub fn collect_local_haves(repo_path: &PathBuf) -> Result<Vec<Oid>, String> {
pub fn collect_local_haves(repo_path: &Path) -> Result<Vec<Oid>, String> {
let result = std::process::Command::new("git")
.args([
"--git-dir",
@@ -84,13 +94,13 @@ pub async fn sync_from_primary(event: RefUpdateEvent, local_repo_path: PathBuf)
match tokio::task::spawn_blocking(move || {
sync_via_pack_service(&grpc_addr, &relative_path, &repo_for_haves)
}).await {
})
.await
{
Ok(Ok(pack_data)) if !pack_data.is_empty() => {
let pack_len = pack_data.len();
let repo = local_repo_path.clone();
match tokio::task::spawn_blocking(move || {
apply_pack_data(&repo, &pack_data)
}).await {
match tokio::task::spawn_blocking(move || apply_pack_data(&repo, &pack_data)).await {
Ok(Ok(())) => {
update_local_ref(&local_repo_path, &event.ref_name, &event.new_oid);
tracing::info!(
@@ -99,27 +109,39 @@ pub async fn sync_from_primary(event: RefUpdateEvent, local_repo_path: PathBuf)
"replica sync done"
);
}
Ok(Err(e)) => tracing::error!(relative_path = %event.relative_path, error = %e, "pack apply failed"),
Err(e) => tracing::error!(relative_path = %event.relative_path, error = %e, "apply task failed"),
Ok(Err(e)) => {
tracing::error!(relative_path = %event.relative_path, error = %e, "pack apply failed")
}
Err(e) => {
tracing::error!(relative_path = %event.relative_path, error = %e, "apply task failed")
}
}
}
Ok(Ok(_)) => tracing::warn!(relative_path = %event.relative_path, "empty pack data from primary"),
Ok(Err(e)) => tracing::error!(relative_path = %event.relative_path, error = %e, "pack fetch failed"),
Err(e) => tracing::error!(relative_path = %event.relative_path, error = %e, "sync task failed"),
Ok(Ok(_)) => {
tracing::warn!(relative_path = %event.relative_path, "empty pack data from primary")
}
Ok(Err(e)) => {
tracing::error!(relative_path = %event.relative_path, error = %e, "pack fetch failed")
}
Err(e) => {
tracing::error!(relative_path = %event.relative_path, error = %e, "sync task failed")
}
}
}
fn sync_via_pack_service(
grpc_addr: &str,
relative_path: &str,
local_repo_path: &PathBuf,
local_repo_path: &Path,
) -> Result<Vec<u8>, String> {
let haves = collect_local_haves(local_repo_path)?;
let rt = tokio::runtime::Handle::current();
rt.block_on(async {
use crate::pb::pack_service_client::PackServiceClient;
use crate::pb::{AdvertiseRefsRequest, PackObjectsOptions, PackObjectsRequest, RepositoryHeader};
use crate::pb::{
AdvertiseRefsRequest, PackObjectsOptions, PackObjectsRequest, RepositoryHeader,
};
use tokio_stream::StreamExt;
let endpoint = crate::server::remote_endpoint(grpc_addr)
@@ -136,20 +158,21 @@ fn sync_via_pack_service(
storage_path: String::new(),
};
let refs_resp = client.advertise_refs(AdvertiseRefsRequest {
repository: Some(header.clone()),
protocol: None,
service: "upload-pack".to_string(),
}).await.map_err(|e| format!("AdvertiseRefs: {e}"))?;
let refs_resp = client
.advertise_refs(AdvertiseRefsRequest {
repository: Some(header.clone()),
protocol: None,
service: "upload-pack".to_string(),
})
.await
.map_err(|e| format!("AdvertiseRefs: {e}"))?;
let refs = refs_resp.into_inner().references;
if refs.is_empty() {
return Ok(Vec::new());
}
let wants: Vec<Oid> = refs.iter()
.filter_map(|r| r.target_oid.clone())
.collect();
let wants: Vec<Oid> = refs.iter().filter_map(|r| r.target_oid.clone()).collect();
let want_count = wants.len();
let have_count = haves.len();
@@ -178,7 +201,9 @@ fn sync_via_pack_service(
options: Some(options),
};
let resp = client.pack_objects(req).await
let resp = client
.pack_objects(req)
.await
.map_err(|e| format!("PackObjects: {e}"))?;
let mut stream = resp.into_inner();
@@ -200,21 +225,31 @@ fn sync_via_pack_service(
})
}
fn apply_pack_data(repo_path: &PathBuf, pack_data: &[u8]) -> Result<(), String> {
let applicator = BundleApplicator::new(repo_path.clone());
fn apply_pack_data(repo_path: &Path, pack_data: &[u8]) -> Result<(), String> {
let applicator = BundleApplicator::new(repo_path.to_path_buf());
applicator.apply_bundle(pack_data)
}
fn update_local_ref(repo_path: &PathBuf, ref_name: &str, new_oid: &str) {
fn update_local_ref(repo_path: &Path, ref_name: &str, new_oid: &str) {
if ref_name.is_empty() || new_oid.is_empty() {
return;
}
match std::process::Command::new("git")
.args(["--git-dir", &repo_path.to_string_lossy(), "update-ref", ref_name, new_oid])
.args([
"--git-dir",
&repo_path.to_string_lossy(),
"update-ref",
ref_name,
new_oid,
])
.output()
{
Ok(o) if o.status.success() => tracing::info!(ref_name = %ref_name, new_oid = %new_oid, "ref updated"),
Ok(o) => tracing::error!(ref_name = %ref_name, error = %String::from_utf8_lossy(&o.stderr), "update-ref failed"),
Ok(o) if o.status.success() => {
tracing::info!(ref_name = %ref_name, new_oid = %new_oid, "ref updated")
}
Ok(o) => {
tracing::error!(ref_name = %ref_name, error = %String::from_utf8_lossy(&o.stderr), "update-ref failed")
}
Err(e) => tracing::error!(ref_name = %ref_name, error = %e, "update-ref spawn failed"),
}
}
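Review bot: `update_local_ref` (the reformatted `.args([...])` call at the end of this hunk) still hands `ref_name` and `new_oid` from the incoming `RefUpdateEvent` to `git update-ref` after nothing more than an emptiness check; a name beginning with `-` is parsed by git as an option, and `new_oid` is never checked to be a hex object id. Since `Command::args` bypasses the shell this is argument/option injection rather than shell injection, but a replica should refuse to act on a malformed event rather than forward it to git, and a rejected event deserves a log line so the condition is visible. The commit message says ref-name validation was added for `cherry_pick_commit`; if that lives in a shared helper it should be reused here instead of a local check (that helper is not visible in this hunk, so the guard below is self-contained). The git invocation and the match arms that follow are unchanged.
```rust
fn update_local_ref(repo_path: &Path, ref_name: &str, new_oid: &str) {
    // Reject option-like or malformed arguments before they reach `git update-ref`:
    // a name beginning with '-' would be parsed as a flag, and new_oid must be a hex id.
    let oid_ok = matches!(new_oid.len(), 40 | 64)
        && new_oid.bytes().all(|b| b.is_ascii_hexdigit());
    if ref_name.is_empty() || ref_name.starts_with('-') || !oid_ok {
        tracing::warn!(ref_name = %ref_name, new_oid = %new_oid, "rejecting malformed ref update");
        return;
    }
    // … unchanged: git update-ref invocation and result logging …
```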