progrium / gitreceive
Easily accept and handle arbitrary git pushes
Great job on gitreceive, Jeff.
I'm trying to run it on CoreOS and have trouble with this line: https://github.com/progrium/gitreceive/blob/master/gitreceive#L47 because it uses perl, which isn't installed on CoreOS out of the box.
Of course you needn't support every OS under the sun, but if you could explain what this perl regex is doing then I could find another way of doing it. It's beyond my regex skills!
For now, locally, I've replaced the whole line with simply:
export RECEIVE_REPO="$(echo $SSH_ORIGINAL_COMMAND | awk '{print $2}' | sed s/\'//g)"
...but I'm sure you have your reasons for writing what you did.
The URL for requestb.in seems to have expired - was this section for initial testing purposes and is it needed now?
This is a security-related bug
The name of the repos can contain sequences such as ../, which allows the repositories to be stored outside the $GITHOME directory.
For example, the command git clone [email protected]:../../tmp/foo creates the repo in the directory /tmp/foo (with default configuration).
Also, one could create a repo named foo, then someone else a repo named foo/bar, which will completely hide the existence of the second repo. Also, replace bar with refs and you have another error.
The solution is to filter the allowed repository names and/or to escape them.
The following code is to be changed:
parse_repo_from_ssh_command() {
awk '{print $2}' | perl -pe 's/(?<!\\)'\''//g' | sed 's/\\'\''/'\''/g' | strip_root_slash
}
However, I don't have the perl knowledge to be sure to understand the code already, so I leave the fix to others.
Here is my suggestion:
/ in the repo name. Exit right away with an error message if there is.
ls $GITHOME will show all repos.
Edit: Not allowing / in the repo name may be asking for too much (e.g. cannot use user/something as repo names a la GitHub). Alternatively, we could replace / with some character (-? _? a space?), but this may lead to conflicts (e.g. user/something and user-something would be the same repo).
I will happily review commits aiming at fixing this flaw, provided they don't use any perl (as I don't have any knowledge in the area).
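One way to implement the filtering discussed in this thread, without perl, is sketched below. It is an added example, not gitreceive's code and not written by any commenter. The function names are hypothetical, and it assumes bare repos stored under $GITHOME, so that an existing repo is recognised by its top-level HEAD file.

```shell
#!/usr/bin/env bash
# Added example: repo-name filter for a gitreceive-style receiver.
# Function names are hypothetical. Assumes bare repos under $GITHOME,
# so an existing repo is recognised by its top-level HEAD file.

# Succeeds only for names built from [A-Za-z0-9._-] components joined by "/".
valid_repo_name() {
  local name="$1" part LC_ALL=C IFS=/
  case "$name" in
    ''|/*|*/|*//*) return 1 ;;          # empty, absolute, trailing or doubled slash
    *[!A-Za-z0-9._/-]*) return 1 ;;     # quotes, spaces, backslashes, etc.
  esac
  for part in $name; do                 # split on "/" (no glob chars can remain)
    case "$part" in
      .|..) return 1 ;;                 # the ../ traversal from the report
    esac
  done
  return 0
}

# Succeeds if $1/$2 neither sits inside an existing repo nor is a plain
# directory that already holds other content (the foo vs foo/bar case).
no_nesting_conflict() {
  local githome="$1" prefix="$2"
  if [ -e "$githome/$prefix" ] && [ ! -f "$githome/$prefix/HEAD" ]; then
    return 1                            # e.g. foo/refs, or foo when foo/bar exists
  fi
  while [ "$prefix" != "${prefix%/*}" ]; do
    prefix="${prefix%/*}"               # walk up: user/a/b -> user/a -> user
    if [ -f "$githome/$prefix/HEAD" ]; then return 1; fi
  done
  return 0
}

# Prints the repo path on success; prints an error and fails otherwise.
safe_repo_path() {
  if valid_repo_name "$2" && no_nesting_conflict "$1" "$2"; then
    printf '%s/%s\n' "$1" "$2"
  else
    echo "gitreceive: invalid repository name" >&2
    return 1
  fi
}
```

Names such as user/something stay usable, while ../../tmp/foo, foo/bar next to an existing foo, and foo/refs are refused before any directory is created.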
I really like the idea of having repos created when pushed to -- nice work!
One thing that's hanging me up, though, is when I try to upload a key. The git user's authorized_keys file is writable only by git, as I understand is required by ssh. Therefore when I run
cat ~/.ssh/id_rsa.pub | ssh sijk@server 'gitreceive upload-key sijk'
I get a permission denied error. From my understanding of ssh etc. I don't see how it could possibly work, but presumably it works for you...?
Somehow I forgot about this behavior - sshd will reject all logins to git due to a=rw on ~git/.ssh/authorized_keys:
Jul 4 13:40:32 du sshd[3742]: Authentication refused: bad ownership or modes for file /home/git/.ssh/authorized_keys
There are three ways one could go about this:
git user and use it to upload keys. Adding their key could conflict if the user uses the same key to push, but I dislike the idea of requiring password authentication only.
StrictModes no in /etc/ssh/sshd_config
Thoughts?
Hi!
How would you handle submodules then? I have submodules in my project, but on the server in the receive script I cannot checkout the submodules as this is a front-end server and should not have access to our git repositories.
Any idea on how to manage this?
Would it be possible to get gitreceive to run on a Mac?
If yes, can you maybe point out some of the things that would have to be changed?
Thanks
From build 14:
# fatal: 'test-2' does not appear to be a git repository
# fatal: The remote end hung up unexpectedly
The test failed but was perceived as a success
I'm not sure if it'd be good to add to the core functionality, but do you think it may be useful to mention it in the docs?
I just source /etc/profile in the receive.sh to resolve this.
Git receive places the receive pack in a quarantined directory.
It's not possible to update any refs in this directory. This breaks build scripts that fetch from other git repos.
More information about the changes is here:
https://git-scm.com/docs/git-receive-pack#_quarantine_environment
git/git@722ff7f
I get
sudo: no tty present and no askpass program specified
when I try to
cat ~/.ssh/id_rsa.pub | ssh [user]@[domainname] "sudo gitreceive upload-key myname"
It seems that gitreceive cannot receive tags. Every time a tag is pushed I get:
! [remote rejected] fix.1 -> fix.1 (pre-receive hook declined)
This seems to happen before the receiver script is even called.
Hey,
I've followed the README and have this set up as instructed; however, whenever I try to push to it I end up getting the following error.
$ git push demo master
Counting objects: 3, done.
Writing objects: 100% (3/3), 225 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To [email protected]:hello_world
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to '[email protected]:hello_world'
So I've checked the remotes (and they look fine)
$ git remote -v
demo [email protected]:hello_world (fetch)
demo [email protected]:hello_world (push)
The weirdest thing though is that the repository is created where it should be.
$ pwd
/home/git
$ ls -la
total 36
drwxr-xr-x 8 git root 4096 Jan 21 08:43 .
drwxr-xr-x 5 root root 4096 Jan 21 08:13 ..
drwx------ 2 git git 4096 Jan 21 08:19 .cache
drwxr-xr-x 2 git root 4096 Jan 21 08:36 .ssh
drwxrwxr-x 7 git git 4096 Jan 21 08:38 hello_world
-rwxr-xr-x 1 git root 232 Jan 21 08:13 receiver
So I am a little stumped as to what could be the cause here. Here is my authorized_keys file in case it helps.
$ cat /home/git/.ssh/authorized_keys
command="GITUSER=git /usr/bin/gitreceive run jacob cc:a8:cc:d5:87:02:42:1b:19:25:36:d5:75:ec:f2:dc",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1<redacted>sagHzeOkAX4BztXEQBhLCTRixlVaWH [email protected]
Good afternoon,
I am very new to git, cloud and deployment. Is it possible to easily create a tunnel between a local computer and a CoreOS machine (hosted by Digital Ocean), and remotely push golang source code to the cloud, automatically build the binary at reception, start a docker container running this binary (webapp) and delete the source code to secure the app?
Not sure if this is outside of the scope of gitreceive - but is there any way to save repositories when they're pushed to me to specific folders? So even if the remote is set up as:
git remote add demo [email protected]:example
... I can still save the repo in a folder besides /git/example? Maybe this would be some sort of processing done in a hook?
I'm trying to put together a simple "gitreceive" docker service, that when pushed a repo will build the docker image and publish it to a docker repository.
I'm just currently trying to get gitreceive to accept a pushed git repo.
https://github.com/NigelThorne/dockerfiles/tree/master/gitreceive-dockerbuilder
I'm getting the following error..
tzm-mac:xxx nwt$ git push gr master
Counting objects: 3, done.
Writing objects: 100% (3/3), 208 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://[email protected]:34567/xxx
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://[email protected]:34567/xxx'
To recreate this...
I built and ran my docker project
docker build -t gitreceive .
docker run -p 34567:22 -d --name gitreceive gitreceive
push ssh key to server
chmod 600 sshkey
cat ~/.ssh/id_rsa.pub | ssh -i sshkey [email protected] -p 34567 "gitreceive upload-key nwt"
Then make a repo
mkdir xxx
cd xxx
git init .
echo test > test.txt
git add .
git commit -m "initial commit"
git remote add gr ssh://[email protected]:32768/xxx
git push gr master
ERROR
Thanks for your time and guidance.
Git now supports push-to-deploy without the need for a bare repo, update script?
When I use the mkdir -p /some/path && cat | tar -x -C /some/path command specified in the documentation I get an unexpected result. My code is in place, but at the root of my project I also get
drwxr-xr-x 2 git git 4096 2014-05-31 20:44 branches
-rw-r--r-- 1 git git 66 2014-05-31 20:44 config
-rw-r--r-- 1 git git 73 2014-05-31 20:44 description
-rw-r--r-- 1 git git 23 2014-05-31 20:44 HEAD
drwxr-xr-x 2 git git 4096 2014-05-31 20:44 hooks
drwxr-xr-x 2 git git 4096 2014-05-31 20:44 info
...and a few more. i.e. some low-level git info that I'm not used to seeing in my repo.
Is this expected behavior or did I do something wrong? I don't see that it'll do any harm, but I'm always a bit spooked by the unexpected while coding.
Thanks, and great project!
If someone sets a custom GITUSER, shouldn't everything that uses $SELF use that $GITUSER as well?
The two cases that I see are KEY_PREFIX and when running hook.