Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func Data
Data returns the packet pkt without its length header. The length header is not validated. Returns an empty slice when pkt is a magic packet such as '0000'.
func NewScanner
NewScanner returns a bufio.Scanner that splits on Git pktline boundaries.
func PktDone (added in v1.65.2)
func PktDone() []byte
PktDone returns the bytes for a "done" packet.
func PktFlush (added in v1.65.2)
func PktFlush() []byte
PktFlush returns the bytes for a "flush" packet.
func WriteDelim (added in v0.125.0)
WriteDelim writes a pkt delim packet.
Types
type ReadMonitor (added in v1.65.2)
type ReadMonitor struct {
// contains filtered or unexported fields
}
ReadMonitor monitors an io.Reader, waiting for a specified packet. If the packet doesn't come within a timeout, a cancel function is called. This can be used to place a timeout on the *negotiation* phase of some git commands, aborting them if it is exceeded.
This timeout prevents a class of "use-after-check" security issue when the access check for a git command is run before the command itself. The user has control of stdin for the git command, and if they can delay input for an arbitrarily long time, they can gain access days or weeks after the access check has completed.
This approach is better than placing a timeout on the overall git operation because there is a conflict between mitigating the use-after-check with a short timeout, and allowing long-lived git operations to complete. The negotiation phase is a small proportion of the time taken for a large git fetch, for instance, so tighter limits can be placed on it, leading to a better mitigation.
func NewReadMonitor (added in v1.65.2)
NewReadMonitor wraps the provided reader with an os.Pipe(), returning the read end for onward use.
Call Monitor(pkt, timeout, cancelFn) to start streaming from the reader to the pipe. The stream will be monitored for a pktline-formatted packet matching pkt. If it isn't seen within the timeout, cancelFn will be called.
Resources will be freed when the context is done, but you should close the returned *os.File earlier if possible.
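The negotiation-phase timeout described for ReadMonitor, as an added stand-alone sketch. It is not this package's implementation: it uses no os.Pipe or context, `readPkt` and `monitorNegotiation` are hypothetical names, and the input is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strconv"
	"time"
)

// readPkt reads one packet, header included. Lengths below 4 are magic
// packets such as "0000" and carry no payload.
func readPkt(r io.Reader) ([]byte, error) {
	pkt := make([]byte, 4)
	if _, err := io.ReadFull(r, pkt); err != nil {
		return nil, err
	}
	n, err := strconv.ParseUint(string(pkt), 16, 16)
	if err == nil && n > 4 {
		pkt = append(pkt, make([]byte, n-4)...)
		_, err = io.ReadFull(r, pkt[4:])
	}
	return pkt, err
}

// monitorNegotiation (hypothetical name) forwards packets from r to w and calls
// cancel unless want is seen within timeout. It reports whether want came in time.
func monitorNegotiation(r io.Reader, w io.Writer, want []byte, timeout time.Duration, cancel func()) bool {
	timer := time.AfterFunc(timeout, cancel)
	defer timer.Stop()
	for {
		pkt, err := readPkt(r)
		if err != nil {
			return false // EOF, bad header, or reader closed by cancel
		}
		if _, err := w.Write(pkt); err != nil {
			return false
		}
		if bytes.Equal(pkt, want) && timer.Stop() { // Stop is false once the deadline fired
			_, err = io.Copy(w, r) // negotiation over: the rest is not time-limited
			return err == nil
		}
	}
}

func main() {
	in := bytes.NewBufferString("000bwant 1\n0009done\nPACK") // constructed input
	var out bytes.Buffer
	fmt.Println(monitorNegotiation(in, &out, []byte("0009done\n"), time.Second, func() {}), out.String())
}
```

In a real deployment the cancel function has to unblock the pending read, for example by terminating the git command or closing its stdin, otherwise a stalled client keeps the goroutine alive.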