
Issue 10201

Issue metadata

Status: Submitted
Owner:
Closed: Dec 20
Cc:
Components:




All refs visible to all users when using Git protocol v2

Project Member Reported by luca.mil...@gmail.com, Dec 20

Issue description

Enabling git protocol v2 in Gerrit 2.16 makes all refs visible to all users, regardless of the ACL configuration, giving an attacker complete access to all branches, tags and meta-data refs, their associated commit SHA1s and the ability to fetch them locally.

Confidentiality Impact: High. (Providing the full list of refs to any user that has access to the repository could disclose sensitive and confidential information to unauthorized users)
Integrity Impact: None.
Availability Impact: None.
Access Complexity: Low. (It is enough to have the ability to access one repository to have access to all refs)
Authentication: Single system. (The vulnerability requires an attacker to be registered and have access into the system using the Git protocol)
Gained Access: None.

Description:
The Git protocol v2 is flagged as experimental and not available by default in Gerrit v2.16 and not implemented in earlier versions. However, if explicitly enabled in the gerrit.config, it allows any user that has access to a project to list and fetch any refs associated with it, regardless of its actual access permissions.
Gerrit ACLs are enforced using JGit's AdvertiseRefsHook, which calls RefFilter. The AdvertiseRefsHook is usually set by UploadPack.setAdvertiseRefsHook but, if Gerrit has the protocol v2 enabled in the gerrit.config and the client is leveraging the git protocol v2 feature, the hook is not invoked.
As a result, the Gerrit permissions defined in the ACLs are entirely ignored, and every user can see the names and associated SHA1s of all refs from a git client using 'git fetch' and 'git ls-remote'.

Remediation:
On Gerrit v2.16 and v2.16.1, disable any reference to the Git protocol v2, if it is configured as enabled in the gerrit.config.

Example:
[receive]
  enableProtocolV2 = false

Upgrade to v2.16.2 whenever possible, where the Git protocol v2 is always disabled.
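
Added example (not part of the original issue report, and not Gerrit code): a small audit that reads a gerrit.config and reports whether receive.enableProtocolV2 resolves to true on one of the affected releases named above. It assumes standard git-config semantics (case-insensitive section and key names, last value wins, a bare key counts as true); the function names and the sample config are constructed for illustration.

```python
import re

# Values git-config treats as boolean true; a key with no "=" is also true (assumption).
TRUE_VALUES = {"true", "yes", "on", "1"}
# Releases the issue lists as affected when the option is enabled.
AFFECTED_VERSIONS = {"2.16", "2.16.1"}
# Plain section header only; [receive "sub"] is a different key and must not match.
SECTION_RE = re.compile(r"^\[\s*([A-Za-z0-9.-]+)\s*\]$")


def protocol_v2_enabled(config_text):
    """Return True if receive.enableProtocolV2 resolves to true in config_text."""
    section, enabled = None, False
    for raw in config_text.splitlines():
        # Drop full-line and trailing comments (# or ;), then surrounding whitespace.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            m = SECTION_RE.match(line)
            section = m.group(1).lower() if m else None
            continue
        key, sep, value = line.partition("=")
        if section == "receive" and key.strip().lower() == "enableprotocolv2":
            value = value.strip().strip('"').lower()
            # Later assignments override earlier ones.
            enabled = (not sep) or value in TRUE_VALUES
    return enabled


def audit(config_text, version):
    """Classify a server from its gerrit.config text and Gerrit version string."""
    if not protocol_v2_enabled(config_text):
        return "ok: protocol v2 not enabled in gerrit.config"
    if version in AFFECTED_VERSIONS:
        return "exposed: set receive.enableProtocolV2 = false or upgrade to 2.16.2"
    return "review: option is set; version not listed as affected in the issue"


# Constructed sample config, not taken from a real server.
SAMPLE = "[receive]\n  enableProtocolV2 = true\n"

if __name__ == "__main__":
    print(audit(SAMPLE, "2.16.1"))
```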
 
Project Member

Comment 1 by luca.mil...@gmail.com, Dec 20

Description: Show this description
Project Member

Comment 2 by ekempin@google.com, Dec 20

Labels: -NonPublic
Project Member

Comment 3 by luca.mil...@gmail.com, Dec 21

The first fix was submitted (disabling the V2 protocol) and this issue has been mitigated. However, we can't say that it is fixed until the final fix lands in the codebase.
Project Member

Comment 4 by thomasmu...@yahoo.com, Jan 7

When will git protocol v2 be re-enabled?
