upstream/mercurial-mirror Files · hgext/fsmonitor/watchmanclient.py

dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...

dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

zphricz - - Load All Authors

File last commit:

r30649:b0a0f7b9 default


                r32050:77eaf953

4.1.3 stable

Download file

             watchmanclient.py
        
                    109 lines
            
             | 3.4 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / hgext / fsmonitor / watchmanclient.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      # watchmanclient.py - Watchman client for the fsmonitor extension

      #

      # Copyright 2013-2016 Facebook, Inc.

      #

      # This software may be used and distributed according to the terms of the

      # GNU General Public License version 2 or any later version.

      from __future__ import absolute_import

      import getpass

      from mercurial import util

      from . import pywatchman

      class Unavailable(Exception):

          def __init__(self, msg, warn=True, invalidate=False):

              self.msg = msg

              self.warn = warn

              if self.msg == 'timed out waiting for response':

                  self.warn = False

              self.invalidate = invalidate

          def __str__(self):

              if self.warn:

                  return 'warning: Watchman unavailable: %s' % self.msg

              else:

                  return 'Watchman unavailable: %s' % self.msg

      class WatchmanNoRoot(Unavailable):

          def __init__(self, root, msg):

              self.root = root

              super(WatchmanNoRoot, self).__init__(msg)

      class client(object):

          def __init__(self, repo, timeout=1.0):

              err = None

              if not self._user:

                  err = "couldn't get user"

                  warn = True

              if self._user in repo.ui.configlist('fsmonitor', 'blacklistusers'):

                  err = 'user %s in blacklist' % self._user

                  warn = False

              if err:

                  raise Unavailable(err, warn)

              self._timeout = timeout

              self._watchmanclient = None

              self._root = repo.root

              self._ui = repo.ui

              self._firsttime = True

          def settimeout(self, timeout):

              self._timeout = timeout

              if self._watchmanclient is not None:

                  self._watchmanclient.setTimeout(timeout)

          def getcurrentclock(self):

              result = self.command('clock')

              if not util.safehasattr(result, 'clock'):

                  raise Unavailable('clock result is missing clock value',

                                    invalidate=True)

              return result.clock

          def clearconnection(self):

              self._watchmanclient = None

          def available(self):

              return self._watchmanclient is not None or self._firsttime

          @util.propertycache

          def _user(self):

              try:

                  return getpass.getuser()

              except KeyError:

                  # couldn't figure out our user

                  return None

          def _command(self, *args):

              watchmanargs = (args[0], self._root) + args[1:]

              try:

                  if self._watchmanclient is None:

                      self._firsttime = False

                      self._watchmanclient = pywatchman.client(

                          timeout=self._timeout,

                          useImmutableBser=True)

                  return self._watchmanclient.query(*watchmanargs)

              except pywatchman.CommandError as ex:

                  if 'unable to resolve root' in ex.msg:

                      raise WatchmanNoRoot(self._root, ex.msg)

                  raise Unavailable(ex.msg)

              except pywatchman.WatchmanError as ex:

                  raise Unavailable(str(ex))

          def command(self, *args):

              try:

                  try:

                      return self._command(*args)

                  except WatchmanNoRoot:

                      # this 'watch' command can also raise a WatchmanNoRoot if

                      # watchman refuses to accept this root

                      self._command('watch')

                      return self._command(*args)

              except Unavailable:

                  # this is in an outer scope to catch Unavailable form any of the

                  # above _command calls

                  self._watchmanclient = None

                  raise

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				# watchmanclient.py - Watchman client for the fsmonitor extension
				#
				# Copyright 2013-2016 Facebook, Inc.
				#
				# This software may be used and distributed according to the terms of the
				# GNU General Public License version 2 or any later version.

				from __future__ import absolute_import

				import getpass

				from mercurial import util

				from . import pywatchman

				class Unavailable(Exception):
				def __init__(self, msg, warn=True, invalidate=False):
				self.msg = msg
				self.warn = warn
				if self.msg == 'timed out waiting for response':
				self.warn = False
				self.invalidate = invalidate

				def __str__(self):
				if self.warn:
				return 'warning: Watchman unavailable: %s' % self.msg
				else:
				return 'Watchman unavailable: %s' % self.msg

				class WatchmanNoRoot(Unavailable):
				def __init__(self, root, msg):
				self.root = root
				super(WatchmanNoRoot, self).__init__(msg)

				class client(object):
				def __init__(self, repo, timeout=1.0):
				err = None
				if not self._user:
				err = "couldn't get user"
				warn = True
				if self._user in repo.ui.configlist('fsmonitor', 'blacklistusers'):
				err = 'user %s in blacklist' % self._user
				warn = False

				if err:
				raise Unavailable(err, warn)

				self._timeout = timeout
				self._watchmanclient = None
				self._root = repo.root
				self._ui = repo.ui
				self._firsttime = True

				def settimeout(self, timeout):
				self._timeout = timeout
				if self._watchmanclient is not None:
				self._watchmanclient.setTimeout(timeout)

				def getcurrentclock(self):
				result = self.command('clock')
				if not util.safehasattr(result, 'clock'):
				raise Unavailable('clock result is missing clock value',
				invalidate=True)
				return result.clock

				def clearconnection(self):
				self._watchmanclient = None

				def available(self):
				return self._watchmanclient is not None or self._firsttime

				@util.propertycache
				def _user(self):
				try:
				return getpass.getuser()
				except KeyError:
				# couldn't figure out our user
				return None

				def _command(self, *args):
				watchmanargs = (args[0], self._root) + args[1:]
				try:
				if self._watchmanclient is None:
				self._firsttime = False
				self._watchmanclient = pywatchman.client(
				timeout=self._timeout,
				useImmutableBser=True)
				return self._watchmanclient.query(*watchmanargs)
				except pywatchman.CommandError as ex:
				if 'unable to resolve root' in ex.msg:
				raise WatchmanNoRoot(self._root, ex.msg)
				raise Unavailable(ex.msg)
				except pywatchman.WatchmanError as ex:
				raise Unavailable(str(ex))

				def command(self, *args):
				try:
				try:
				return self._command(*args)
				except WatchmanNoRoot:
				# this 'watch' command can also raise a WatchmanNoRoot if
				# watchman refuses to accept this root
				self._command('watch')
				return self._command(*args)
				except Unavailable:
				# this is in an outer scope to catch Unavailable form any of the
				# above _command calls
				self._watchmanclient = None
				raise