pygit2
DoS on wrong password
As discussed in upstream bug report saltstack/salt#38230, pygit2 tries to authenticate indefinitely with wrong credentials instead of failing after two consecutive failures with the same authentication token, as specified by https://tools.ietf.org/html/rfc7235#section-3.1. Possibly a libgit2 bug if it's reproducible with other language bindings.
Testcase:
nginx dummy server configuration
This is just a stub configuration, no real repository needed
```nginx
location ~ /git(/.*) {
    add_header "WWW-Authenticate" "Basic realm=\"Closed Areas\"" always;
    return 401;
}
```
test client
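```python
#!/bin/python2.7
import pygit2

username = 'dummyUser'
password = 'dummyPassword'

# Static username/password credentials, offered on every authentication request
credentials = pygit2.UserPass(username, password)
callbacks = pygit2.RemoteCallbacks(credentials)

# The stub server answers every request with 401, so this call never returns
pygit2.clone_repository("http://git.demo.local/git/test.git", "test.git", bare=True, callbacks=callbacks)
```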
I'm seeing the same problem, even with the latest version (1.10.1 at the time of this writing) of pygit2. Did you solve this?
Sorry, I'm no longer using salt with remote git.
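A client-side guard for the retry loop reported in this issue, as an added example that is not part of the thread and not pygit2's own code. `LimitedCredentials`, `TooManyAuthAttempts` and `simulate_always_401` are hypothetical names; the sketch assumes pygit2 calls the credentials callable as `(url, username_from_url, allowed_types)` and surfaces an exception raised inside it to the caller.

```python
class TooManyAuthAttempts(Exception):
    """Raised when the remote keeps rejecting the same credentials."""


class LimitedCredentials(object):
    """Wrap a pygit2 credential object and cap how often it is offered.

    Assumption: pygit2 invokes the credentials callable as
    (url, username_from_url, allowed_types), the signature of
    pygit2.UserPass.__call__, and re-raises an exception raised here
    from clone_repository() / fetch().
    """

    def __init__(self, inner, max_attempts=2):
        self.inner = inner                # e.g. pygit2.UserPass(user, password)
        self.max_attempts = max_attempts  # two failures with the same token, then stop
        self.attempts = {}                # remote URL -> times credentials were requested

    def __call__(self, url, username_from_url, allowed_types):
        count = self.attempts.get(url, 0) + 1
        self.attempts[url] = count
        if count > self.max_attempts:
            raise TooManyAuthAttempts(
                "%s rejected the credentials %d times" % (url, self.max_attempts))
        return self.inner(url, username_from_url, allowed_types)


def simulate_always_401(credentials, url, hard_stop=1000):
    """Constructed stand-in for a transport that asks again after every 401.

    Returns how many requests would have carried credentials.
    """
    sent = 0
    try:
        for _ in range(hard_stop):
            credentials(url, None, 0)
            sent += 1
    except TooManyAuthAttempts:
        pass
    return sent


if __name__ == "__main__":
    import pygit2  # only needed for the real clone against the stub server
    guarded = LimitedCredentials(pygit2.UserPass("dummyUser", "dummyPassword"))
    callbacks = pygit2.RemoteCallbacks(credentials=guarded)
    pygit2.clone_repository("http://git.demo.local/git/test.git", "test.git",
                            bare=True, callbacks=callbacks)
```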