[thirdparty/git.git] / Documentation / transfer-data-leaks.txt

SECURITY
--------
The fetch and push protocols are not designed to prevent one side from
stealing data from the other repository that was not intended to be
shared. If you have private data that you need to protect from a malicious
peer, your best option is to store it in another repository. This applies
to both clients and servers. In particular, namespaces on a server are not
effective for read access control; you should only grant read access to a
namespace to clients that you would trust with read access to the entire
repository.

The known attack vectors are as follows:

. The victim sends "have" lines advertising the IDs of objects it has that
  are not explicitly intended to be shared but can be used to optimize the
  transfer if the peer also has them. The attacker chooses an object ID X
  to steal and sends a ref to X, but isn't required to send the content of
  X because the victim already has it. Now the victim believes that the
  attacker has X, and it sends the content of X back to the attacker
  later. (This attack is most straightforward for a client to perform on a
  server, by creating a ref to X in the namespace the client has access
  to and then fetching it. The most likely way for a server to perform it
  on a client is to "merge" X into a public branch and hope that the user
  does additional work on this branch and pushes it back to the server
  without noticing the merge.)

. As in #1, the attacker chooses an object ID X to steal. The victim sends
  an object Y that the attacker already has, and the attacker falsely
  claims to have X and not Y, so the victim sends Y as a delta against X.
  The delta reveals regions of X that are similar to Y to the attacker.
Commit	Line	Data
235ec243 MM	1	SECURITY
	2	--------
	3	The fetch and push protocols are not designed to prevent one side from
	4	stealing data from the other repository that was not intended to be
	5	shared. If you have private data that you need to protect from a malicious
	6	peer, your best option is to store it in another repository. This applies
	7	to both clients and servers. In particular, namespaces on a server are not
	8	effective for read access control; you should only grant read access to a
	9	namespace to clients that you would trust with read access to the entire
	10	repository.
	11
	12	The known attack vectors are as follows:
	13
	14	. The victim sends "have" lines advertising the IDs of objects it has that
	15	are not explicitly intended to be shared but can be used to optimize the
	16	transfer if the peer also has them. The attacker chooses an object ID X
	17	to steal and sends a ref to X, but isn't required to send the content of
	18	X because the victim already has it. Now the victim believes that the
	19	attacker has X, and it sends the content of X back to the attacker
	20	later. (This attack is most straightforward for a client to perform on a
	21	server, by creating a ref to X in the namespace the client has access
	22	to and then fetching it. The most likely way for a server to perform it
	23	on a client is to "merge" X into a public branch and hope that the user
	24	does additional work on this branch and pushes it back to the server
	25	without noticing the merge.)
	26
	27	. As in #1, the attacker chooses an object ID X to steal. The victim sends
	28	an object Y that the attacker already has, and the attacker falsely
	29	claims to have X and not Y, so the victim sends Y as a delta against X.
	30	The delta reveals regions of X that are similar to Y to the attacker.