fix(git-sync): address PR #119 review — close 403/404 space-existence leak + warnings/tests/arch
Security (must-fix):
- /git smart-HTTP gate: an authenticated NON-member of a git-sync space now gets
404 (not 403), so the 403<->404 difference can no longer be used to brute-force
which spaces exist / have git-sync enabled. 403 is reserved for a MEMBER who
lacks the required role (existence already known). New gate input
userIsSpaceMember; decision-table + service specs extended.
Config (must-fix):
- Remove the dead GIT_SYNC_SSH_KEY_PATH knob (getter + validation field + two
.env.example lines) — it had zero consumers and advertised a nonexistent push
capability.
Stability/docs (warnings):
- Wire the lost-lock AbortSignal into runReceivePack -> git http-backend so the
receive-pack child is killed if the per-space lock lapses mid-write.
- Raise the divergent-`docmost` (invariant §5) push refusal from info -> warn and
surface divergentDocmost in the run status (/status).
- Comment the stale read-after-debounced-collab-write updatedAt in
importPageMarkdown (deferred §10 loop-guard must not trust it).
- Fix the Dockerfile comment: the loader uses require.resolve + dynamic import(),
it deliberately does NOT require('@docmost/git-sync').
- Merge the two near-identical space toggle handlers into one parameterized
handler; add the 2 missing en-US i18n keys for the auto-merge switch (ru-RU not
maintained for these git-sync strings, mirrored).
Tests:
- isGitSyncHttpEnabled() default-branch (unset -> isGitSyncEnabled fallback).
- agentSourceFields 'git-sync' case (source stamped, chat key omitted).
- editor-ext name-level schema contract (vendored mirror superset of editor-ext
node/mark types) + the new shared resolver + non-member 404 gate cases.
Architecture:
- Extract resolveRequestWorkspace shared by DomainMiddleware + GitHttpService
(the two real self-hosted/cloud copies; McpService has no cloud branch).
- Document the in-process setInterval multi-replica limitation + BullMQ/fencing
future direction (deferred, not implemented).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -111,6 +111,7 @@ describe('decideGitHttpGate', () => {
|
||||
gitHttpEnabled: true,
|
||||
spaceExists: true,
|
||||
spaceGitSyncEnabled: true,
|
||||
userIsSpaceMember: true,
|
||||
permissionGranted: true,
|
||||
};
|
||||
|
||||
@@ -160,16 +161,43 @@ describe('decideGitHttpGate', () => {
|
||||
});
|
||||
});
|
||||
|
||||
it('403 when authenticated but lacking the required permission (reader on write)', () => {
|
||||
it('403 when a MEMBER lacks the required permission (reader on write)', () => {
|
||||
// A member of the space (existence already known to them) who lacks the role:
|
||||
// 403 leaks nothing new.
|
||||
expect(
|
||||
decideGitHttpGate({
|
||||
...base,
|
||||
serviceKind: 'write',
|
||||
userIsSpaceMember: true,
|
||||
permissionGranted: false,
|
||||
}),
|
||||
).toEqual({ kind: 'forbidden' });
|
||||
});
|
||||
|
||||
it('404 (NOT 403) when an authenticated NON-member hits a git-sync space', () => {
|
||||
// SECURITY: a non-member must be indistinguishable from a missing/disabled
|
||||
// space. If this returned 403, the 403↔404 difference would let any
|
||||
// authenticated workspace user brute-force slugs to discover which spaces
|
||||
// exist and which have git-sync enabled.
|
||||
expect(
|
||||
decideGitHttpGate({
|
||||
...base,
|
||||
serviceKind: 'write',
|
||||
userIsSpaceMember: false,
|
||||
permissionGranted: false,
|
||||
}),
|
||||
).toEqual({ kind: 'not-found' });
|
||||
// Same for a read by a non-member.
|
||||
expect(
|
||||
decideGitHttpGate({
|
||||
...base,
|
||||
serviceKind: 'read',
|
||||
userIsSpaceMember: false,
|
||||
permissionGranted: false,
|
||||
}),
|
||||
).toEqual({ kind: 'not-found' });
|
||||
});
|
||||
|
||||
it('still 401 (not 404) for missing creds against a disabled space', () => {
|
||||
// Anonymous probe must always get 401 first, regardless of space state.
|
||||
expect(
|
||||
|
||||
Reference in New Issue
Block a user