fix(git-sync): address PR #119 review — close 403/404 space-existence leak + warnings/tests/arch

Security (must-fix):
- /git smart-HTTP gate: an authenticated NON-member of a git-sync space now gets
  404 (not 403), so the 403<->404 difference can no longer be used to brute-force
  which spaces exist / have git-sync enabled. 403 is reserved for a MEMBER who
  lacks the required role (existence already known). New gate input
  userIsSpaceMember; decision-table + service specs extended.

Config (must-fix):
- Remove the dead GIT_SYNC_SSH_KEY_PATH knob (getter + validation field + two
  .env.example lines) — it had zero consumers and advertised a nonexistent push
  capability.

Stability/docs (warnings):
- Wire the lost-lock AbortSignal into runReceivePack -> git http-backend so the
  receive-pack child is killed if the per-space lock lapses mid-write.
- Raise the divergent-`docmost` (invariant §5) push refusal from info -> warn and
  surface divergentDocmost in the run status (/status).
- Comment the stale read-after-debounced-collab-write updatedAt in
  importPageMarkdown (deferred §10 loop-guard must not trust it).
- Fix the Dockerfile comment: the loader uses require.resolve + dynamic import(),
  it deliberately does NOT require('@docmost/git-sync').
- Merge the two near-identical space toggle handlers into one parameterized
  handler; add the 2 missing en-US i18n keys for the auto-merge switch (ru-RU not
  maintained for these git-sync strings, mirrored).

Tests:
- isGitSyncHttpEnabled() default-branch (unset -> isGitSyncEnabled fallback).
- agentSourceFields 'git-sync' case (source stamped, chat key omitted).
- editor-ext name-level schema contract (vendored mirror superset of editor-ext
  node/mark types) + the new shared resolver + non-member 404 gate cases.

Architecture:
- Extract resolveRequestWorkspace shared by DomainMiddleware + GitHttpService
  (the two real self-hosted/cloud copies; McpService has no cloud branch).
- Document the in-process setInterval multi-replica limitation + BullMQ/fencing
  future direction (deferred, not implemented).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
a
2026-06-27 22:47:55 +03:00
committed by claude code agent 227
parent fe4adf23a0
commit 7179f8a5b2
19 changed files with 534 additions and 84 deletions

View File

@@ -8,7 +8,11 @@
// come from WorkspaceRepo. If the handler regressed to reading
// `req.raw.workspaceId`, the happy-path fetch test below would fail (the repo
// would not be consulted and the request would 401).
import { Logger, UnauthorizedException } from '@nestjs/common';
import {
Logger,
NotFoundException,
UnauthorizedException,
} from '@nestjs/common';
import {
SpaceCaslAction,
SpaceCaslSubject,
@@ -297,6 +301,30 @@ describe('GitHttpService.handle', () => {
expect(built.backend.run).not.toHaveBeenCalled();
});
it('an authenticated NON-member of a git-sync space -> 404, NOT 403 (no existence leak)', async () => {
// createForUser throws NotFound when the user holds no role in the space (a
// non-member). The gate must return 404 — the SAME response a missing /
// sync-disabled space gives — so a 403↔404 difference cannot be used to
// brute-force which spaces exist / have git-sync enabled (the security fix).
const built = build({ abilityCan: false });
built.abilityFactory.createForUser.mockRejectedValue(
new NotFoundException('Space permissions not found'),
);
const { reply, state } = fakeReply();
const req = fakeRequest({
url: '/git/secret-space.git/info/refs?service=git-upload-pack',
method: 'GET',
authorization: basic('dev@example.com', 'pw'),
});
await built.service.handle(req, reply);
expect(built.abilityFactory.createForUser).toHaveBeenCalledTimes(1);
expect(state.statusCode).toBe(404);
expect(built.backend.run).not.toHaveBeenCalled();
expect(built.orchestrator.ingestExternalPush).not.toHaveBeenCalled();
});
it('a space that is not git-sync-enabled -> 404 (existence never revealed)', async () => {
const built = build({
space: { id: 'space-1', settings: { gitSync: { enabled: false } } },