libgit2 / pygit2

Python bindings for libgit2
https://www.pygit2.org/

DoS on wrong password #683

Open 4s1 opened 7 years ago

4s1 commented 7 years ago

As discussed in upstream bug report saltstack/salt#38230, pygit2 tries to authenticate indefinitely with wrong credentials instead of failing after two consecutive failures with the same authentication token, as specified by https://tools.ietf.org/html/rfc7235#section-3.1. Possibly a libgit2 bug if it's reproducible with other language bindings.

Testcase:

nginx dummy server configuration

This is just a stub configuration, no real repository needed

location ~ /git(/.*) {
    add_header "WWW-Authenticate" "Basic realm=\"Closed Areas\"" always;
    return 401;
}

test client

#!/bin/python2.7

import pygit2

# Credentials the stub server will always reject with 401
username = 'dummyUser'
password = 'dummyPassword'
credentials = pygit2.UserPass(username, password)
# UserPass is callable, so it is handed to libgit2 as the credentials callback
callbacks = pygit2.RemoteCallbacks(credentials)
# Never returns: libgit2 keeps asking for (and receiving) the same credentials
pygit2.clone_repository("http://git.demo.local/git/test.git", "test.git", bare=True, callbacks=callbacks)

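A client-side guard against the loop described above, added here as an example (not code from the issue or from pygit2): a credentials callback that stops after a fixed number of prompts for the same URL and username, so a wrong password fails fast instead of being retried indefinitely. It assumes pygit2 is installed and the nginx stub above as the target; the names BoundedCredentials and TooManyAuthAttempts are hypothetical.

```python
# Added example, not from the issue or from pygit2.  libgit2 calls the
# credentials callback with (url, username_from_url, allowed_types) once per
# authentication attempt and keeps calling it while the server answers 401.
# This wrapper counts prompts per (url, username) and raises once the same
# credential has been handed out `max_attempts` times.
class TooManyAuthAttempts(Exception):
    """Raised when the server has rejected the same credentials too often."""


class BoundedCredentials:
    """Callable usable as pygit2.RemoteCallbacks(credentials=...)."""

    def __init__(self, credential, max_attempts=2):
        self._credential = credential      # e.g. pygit2.UserPass(user, password)
        self._max_attempts = max_attempts  # prompts allowed before giving up
        self.attempts = {}                 # (url, username) -> prompt count

    def __call__(self, url, username_from_url, allowed_types):
        key = (url, username_from_url)
        count = self.attempts.get(key, 0) + 1
        self.attempts[key] = count
        if count > self._max_attempts:
            # Raising inside the callback aborts the clone; pygit2 re-raises
            # the exception from clone_repository instead of looping.
            raise TooManyAuthAttempts(
                f"{url}: credentials rejected {count - 1} times, giving up")
        return self._credential


if __name__ == "__main__":
    import pygit2  # assumption: pygit2 is installed

    guard = BoundedCredentials(pygit2.UserPass("dummyUser", "dummyPassword"))
    callbacks = pygit2.RemoteCallbacks(credentials=guard)
    # Against the nginx stub the third prompt raises TooManyAuthAttempts.
    pygit2.clone_repository("http://git.demo.local/git/test.git", "test.git",
                            bare=True, callbacks=callbacks)
```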
iaswtw commented 2 years ago

I'm seeing the same problem, even with the latest version (1.10.1 at the time of this writing) of pygit2. Did you solve this?

4s1 commented 1 year ago

Sorry, I'm no longer using salt with remote git.