wip the PGP verification is happening in a sandbox!

Author: billiegoose

middleware.js

@@ -3,8 +3,7 @@ const fp = require('fs').promises
 const path = require('path')
 const url = require('url')
 const EventEmitter = require('events').EventEmitter
-const { E, indexPack, plugins, readObject, verify } = require('isomorphic-git')
-const { serveInfoRefs, serveReceivePack, parseReceivePackRequest } = require('isomorphic-git/dist/for-node/isomorphic-git/internal-apis.js')
+const { E, indexPack, plugins, readObject, verify, serveInfoRefs, serveReceivePack, parseReceivePackRequest } = require('isomorphic-git')
 const { pgp } = require('@isomorphic-git/pgp-plugin')
 
 let ee = new EventEmitter()
@@ -16,6 +15,7 @@ const chalk = require('chalk')
 const is = require('./identify-request.js')
 const parse = require('./parse-request.js')
 const { lookup, demote } = require('./lookup.js')
+const { sandbox } = require('./sandbox.js')
 
 function pad (str) {
   return (str + '    ').slice(0, 7)
@@ -27,6 +27,8 @@ function abbr (oid) {
 
 const sleep = ms => new Promise(cb => setTimeout(cb, ms))
 
+const tick = () => new Promise(cb => process.nextTick(cb))
+
 function log(req, res) {
   const color = res.statusCode > 399 ? chalk.red : chalk.green
   console.log(color(`[git-server] ${res.statusCode} ${pad(req.method)} ${req.url}`))
@@ -86,6 +88,8 @@ function factory (config) {
           filepath = `pack-${last20}.pack`
           await fp.rename(path.join(dir, oldfilepath), path.join(dir, filepath))
         }
+        const core = gitdir + '-' + String(Math.random()).slice(2, 8)
+        console.log('core', core)
         gitdir = path.join(__dirname, gitdir)
 
         // send HTTP response headers
@@ -95,19 +99,18 @@ function factory (config) {
         // index packfile
         res.write(await serveReceivePack({ type: 'print', message: 'Indexing packfile...' }))
         console.log('Indexing packfile...')
-        await sleep(1)
+        await tick()
         let currentPhase = null
         const listener = async ({ phase, loaded, total, lengthComputable }) => {
           let np = phase !== currentPhase ? '\n' : '\r'
           currentPhase = phase
           res.write(await serveReceivePack({ type: 'print', message: `${np}${phase} ${loaded}/${total}` }))
-          res.flush()
         }
         let oids
         try {
           ee.on(`${last20}:progress`, listener)
           oids = await indexPack({ fs, gitdir, dir, filepath, emitterPrefix: `${last20}:` })
-          await sleep(1)
+          await tick()
           res.write(await serveReceivePack({ type: 'print', message: '\nIndexing completed' }))
           res.write(await serveReceivePack({ type: 'unpack', unpack: 'ok' }))
         } catch (e) {
@@ -121,59 +124,18 @@ function factory (config) {
         } finally {
           ee.removeListener(`${last20}:progress`, listener)
         }
-        await sleep(1)
+        await tick()
 
         // Move packfile and index into repo
         await fp.rename(path.join(dir, filepath), path.join(gitdir, 'objects', 'pack', filepath))
         await fp.rename(path.join(dir, filepath.replace(/\.pack$/, '.idx')), path.join(gitdir, 'objects', 'pack', filepath.replace(/\.pack$/, '.idx')))
         await fp.rmdir(path.join(dir))
 
-        // Verify objects (ideally we'd do this _before_ moving it into the repo... but I think we'd need a custom 'fs' implementation with overlays)
-        res.write(await serveReceivePack({ type: 'print', message: '\nVerifying objects...\n' }))
-        let i = 0
-
-        for (const oid of oids) {
-          i++
-          res.write(await serveReceivePack({ type: 'print', message: `\rVerifying object ${i}/${oids.length}` }))
-          const { type, object } = await readObject({ gitdir, oid })
-          if (type === 'commit' || type === 'tag') {
-            const email = type === 'commit' ? object.author.email : object.tagger.email
-            res.write(await serveReceivePack({ type: 'print', message: `\nVerifying ${type} ${abbr(oid)} by ${email}: ` }))
-            let keys
-            try {
-              keys = await lookup(email) 
-            } catch (e) {
-              res.write(await serveReceivePack({ type: 'print', message: `no keys found 👎\n` }))
-              throw e
-            }
-            if (keys.length === 0) {
-              res.write(await serveReceivePack({ type: 'print', message: `no keys found 👎\n` }))
-              throw new Error(`\nSignature verification failed for ${type} ${abbr(oid)}. No PGP keys could be found for ${email}.\n`)
-            }
-            let ok = false
-            for (const key of keys) {
-              const result = await verify({ gitdir, ref: oid, publicKeys: key })
-              if (result === false) {
-                demote(email, key)
-              } else {
-                res.write(await serveReceivePack({ type: 'print', message: `signed with ${result[0]} 👍\n` }))
-                ok = true
-                break
-              }
-            }
-            if (!ok) {
-              res.write(await serveReceivePack({ type: 'print', message: `no keys matched 👎\n` }))
-              throw new Error(`\nSignature verification failed for ${type} ${abbr(oid)}. It was not signed with a key publicly associated with the email address "${email}".
-
-Learn how you can associate your GPG key with your email account using GitHub here:
-https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
-`)
-            }
-          }
-          // await sleep(1)
-        }
-
-        res.write(await serveReceivePack({ type: 'print', message: `\nVerification complete` }))
+        // Run pre-receive-hook
+        res.write(await serveReceivePack({ type: 'print', message: '\nRunning pre-receive-hook\n' }))
+        await tick()
+        const script = fs.readFileSync('./pre-receive-hook.js', 'utf8')
+        await sandbox({ core, dir, gitdir, res, oids, script })
 
         // refs
         for (const update of updates) {
@@ -185,14 +147,6 @@ https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-
       } catch (e) {
         if (e.message === 'Client is done') {
           res.statusCode = 200
-        } else if (e.code && e.code === E.NoSignatureError) {
-          res.write(await serveReceivePack({ type: 'print', message: `no signature 👎\n` }))
-          res.write(await serveReceivePack({ type: 'error', message: e.message + `
-
-This server's policy is to only accept GPG-signed commits.
-Learn how you can create a GPG key and configure git to sign commits here:
-https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
-` }))
         } else {
           res.write(await serveReceivePack({ type: 'error', message: e.message }))
         }

package-lock.json

@@ -22,7 +22,8 @@
     "micro-cors": "^0.1.1",
     "minimisted": "^2.0.0",
     "simple-get": "^3.1.0",
-    "tree-kill": "^1.2.0"
+    "tree-kill": "^1.2.0",
+    "vm2": "^3.8.4"
   },
   "publishConfig": {
     "access": "public"

package.json

@@ -0,0 +1,73 @@
+(async () => {
+  console.log('Wish me luck!')
+
+  function abbr (oid) {
+    return oid.slice(0, 7)
+  }
+
+  // Verify objects (ideally we'd do this _before_ moving it into the repo... but I think we'd need a custom 'fs' implementation with overlays)
+  console.log('\nVerifying objects...\n')
+  let i = 0
+
+  for (const oid of oids) {
+    i++
+    console.log(`\rVerifying object ${i}/${oids.length}`)
+    const { type, object } = await git.readObject({ oid })
+    if (type === 'commit' || type === 'tag') {
+      const email = type === 'commit' ? object.author.email : object.tagger.email
+      console.log(`\nVerifying ${type} ${abbr(oid)} by ${email}: `)
+      let keys
+      try {
+        keys = await pgp.lookup(email) 
+      } catch (e) {
+        console.fatal(`no keys found 👎\n`)
+        return
+      }
+      if (keys.length === 0) {
+        console.log(`no keys found 👎\n`)
+        console.fatal(`\nSignature verification failed for ${type} ${abbr(oid)}. No PGP keys could be found for ${email}.\n`)
+        return
+      }
+      let ok = false
+      for (const key of keys) {
+        let result
+        try {
+          result = await git.verify({ ref: oid, publicKeys: key })
+        } catch (e) {
+          if (e.code && e.code === git.E.NoSignatureError) {
+            console.log(`no signature 👎\n`)
+            console.fatal(e.message + `
+  
+  This server's policy is to only accept GPG-signed commits.
+  Learn how you can create a GPG key and configure git to sign commits here:
+  https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
+  `)
+            return
+          } else {
+            console.fatal(e.message)
+            return
+          }
+        }
+        if (result === false) {
+          pgp.demote(email, key)
+        } else {
+          console.log(`signed with ${result[0]} 👍\n`)
+          ok = true
+          break
+        }
+      }
+      if (!ok) {
+        console.log(`no keys matched 👎\n`)
+        console.fatal(`\nSignature verification failed for ${type} ${abbr(oid)}. It was not signed with a key publicly associated with the email address "${email}".
+
+Learn how you can associate your GPG key with your email account using GitHub here:
+https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
+`)
+        return
+      }
+    }
+  }
+
+  console.log(`\nVerification complete`)
+  done()
+})()

pre-receive-hook.js

@@ -0,0 +1,82 @@
+const fs = require('fs')
+const EventEmitter = require('events').EventEmitter
+
+const { VM, VMScript } = require('vm2');
+const git = require('isomorphic-git')
+const { pgp } = require('@isomorphic-git/pgp-plugin')
+
+const { lookup, demote } = require('./lookup.js')
+
+const curry = ({ core, dir, gitdir }) => fn => argObject => fn({ ...argObject, core, dir, gitdir })
+
+const sandbox = ({ core, dir, gitdir, res, script, oids }) => {
+  let ee = new EventEmitter()
+  plugincore = git.cores.create(core)
+  plugincore.set('emitter', ee)
+  plugincore.set('fs', fs)
+  plugincore.set('pgp', pgp)
+
+  const $ = curry({ core, dir, gitdir })
+  const $git = {
+    E: { ...git.E },
+    eventEmitter: ee,
+    expandOid: $(git.expandOid),
+    expandRef: $(git.expandRef),
+    findMergeBase: $(git.findMergeBase),
+    getRemoteInfo: $(git.getRemoteInfo),
+    hashBlob: $(git.hashBlob),
+    isDescendent: $(git.isDescendent),
+    listBranches: $(git.listBranches),
+    listFiles: $(git.listFiles),
+    listRemotes: $(git.listRemotes),
+    listTags: $(git.listTags),
+    log: $(git.log),
+    readObject: $(git.readObject),
+    resolveRef: $(git.resolveRef),
+    serveReceivePack: $(git.serveReceivePack),
+    verify: $(git.verify),
+    walkBeta2: $(git.walkBeta2),
+  }
+  const $res = {
+    write: res.write.bind(res)
+  }
+
+  return new Promise((resolve, reject) => {
+    const $console = {
+      log: async (...args) => {
+        res.write(await git.serveReceivePack({ type: 'print', message: args.join() }))
+      },
+      fatal: (...args) => {
+        reject(new Error(args.join()))
+      }
+    }
+    const vm = new VM({
+      timeout: 10000,
+      eval: false,
+      wasm: false,
+      sandbox: {
+        git: $git,
+        pgp: { lookup, demote },
+        done: resolve,
+        console: $console,
+        oids
+      }
+    });
+    try {
+      script = new VMScript(script).compile();
+    } catch (err) {
+      reject(err);
+    }
+    try {
+      vm.run(script);
+    } catch (e) {
+      reject(e);
+    }
+  })
+
+}
+
+module.exports = {
+  sandbox
+}
+// console.log(runVM({ core: 'default', dir: '', gitdir: '', script: `String(Object.keys(git))` }))