diff options
| author | 2025-11-16 16:14:03 +0100 | |
|---|---|---|
| committer | 2025-11-16 16:14:03 +0100 | |
| commit | 57f38a2c4211d6214fa0f5b48f602d1e2c682d24 (patch) | |
| tree | 44a373d7728fc323b7cd6845dbca57cebf3cd721 | |
| parent | e6cbb6a818eab95bff112da8e4f8db3824bc4786 (diff) | |
Removed unnecessary comments and moved parsing logic into one function
| -rwxr-xr-x | src/git-run | 39 |
1 files changed, 17 insertions, 22 deletions
diff --git a/src/git-run b/src/git-run index 8afed3e..0a6ee75 100755 --- a/src/git-run +++ b/src/git-run @@ -8,23 +8,31 @@ set gitCommand set repoDir set currentUser (whoami) -function log --on-event log_event +function log --on-event log echo "$(date -Is): $argv[1..2] user=$currentUser $argv[3..] ip=$SSH_CONNECTION" >> $_LOG end -function verifyGitCommand +function parseCommand + set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv") + # check given git command # basic form is <git-command> '<path-to-repo>' - if test (count $argv) -ne 2 - emit log_event DENY bad_format "argv=$argv" + if test (count $matcher) -ne 2 + emit log DENY bad_format "argv=$argv" return 1 end + + # extract variables + set gitCommand $matcher[1] + + # adjust repo path to /srv/repos + set repoDir /(string join -n '/' srv repos (string split '/' $matcher[2])) end function verifyRepoJail set -l realPath (realpath $repoDir) if not string match -r -q -- "/srv/repos/.*" "$realPath" - emit log_event DENY jail_escape "realPath=$realPath" + emit log DENY jail_escape "realPath=$realPath" return 2 end end @@ -43,39 +51,26 @@ function verifyPermissions set permission [w] case '*' # this should not happend because we sanitize above the git command - emit log_event DENY unkown_git_command "gitCommand=$gitCommand" + emit log DENY unkown_git_command "gitCommand=$gitCommand" return 3 end # check for permissions if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser:$permission\$" - emit log_event DENY no_permissions + emit log DENY no_permissions return 4 end end # redirect stdout/stderr to file, no information to potential attacker begin - # parse command - set -l parsedCommand (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv") - - verifyGitCommand $parsedCommand; or exit $status - - # extract variables - set gitCommand $parsedCommand[1] - - # adjust repo path to /srv/repos - set repoDir /(string join -n '/' srv repos (string split '/' $parsedCommand[2])) + parseCommand $argv; or exit $status - # check if realPath is in jail under /srv/repos verifyRepoJail; or exit $status - # check for permissions needed verifyPermissions; or exit $status - # info logging - emit log_event ALLOW ok "argv=$argv" + emit log ALLOW ok "argv=$argv" end &>>$_LOG -# execute parsed git command exec /usr/bin/sudo -n -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'"
\ No newline at end of file |
