gitlimit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: bf73bb9561bffc3078978015c021ea36ddbed380932b7da028c54d8e46177593
+  data.tar.gz: fb126e389317dc271373546b695235277b70330fed01a4a05709e41317bf5c9d
+SHA512:
+  metadata.gz: 3b5dc633ae8be51d8ca58014a34014238a277336678d9b0ce1f459bc57f947110647827be44d03d9d0f9a32f7a3c7ea68cc624237117f4b4e0d31fe9a91e2564
+  data.tar.gz: a3710ac57bdb7acd73f76afcdd167ebce6bc5df29a6d549207800273a5711ec9c5d0bd61302a4977349cd95896d120a452ba6a257976e95d7afa32dcb6c9b388

data/LICENSE

@@ -0,0 +1,14 @@
+Copyright (c) 2014 Damien Miller <djm@mindrot.org>
+Copyright (c) 2026 Chris Hasinski <krzysztof.hasinski@gmail.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

data/bin/gitlimit

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "gitlimit"
+
+Gitlimit::CLI.run

data/lib/gitlimit/access.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Gitlimit
+  MODE_READ  = 0b01
+  MODE_WRITE = 0b10
+
+  MODE_PARSE = {
+    "r"  => MODE_READ,
+    "w"  => MODE_WRITE,
+    "rw" => MODE_READ | MODE_WRITE,
+    "wr" => MODE_READ | MODE_WRITE
+  }.freeze
+
+  ALLOWED_COMMANDS = {
+    "git-upload-pack"  => MODE_READ,
+    "git-receive-pack" => MODE_WRITE
+  }.freeze
+
+  class AccessDenied < StandardError; end
+
+  class Access
+    attr_reader :command, :repository
+
+    def initialize(ssh_command:, mode:, permitted_repos:)
+      @mode = mode
+      @permitted_repos = permitted_repos
+      @command, @repository = parse_ssh_command(ssh_command)
+    end
+
+    def check!
+      check_command_allowed!
+      check_repo_permitted!
+      true
+    end
+
+    private
+
+    def parse_ssh_command(command_line)
+      command_line = command_line.to_s.strip
+      raise AccessDenied, "empty git command" if command_line.empty?
+
+      # SSH sends: git-upload-pack '/path/to/repo.git'
+      # The repo path is always single-quoted by the git client.
+      match = command_line.match(/\A(git-(?:upload|receive)-pack)\s+'(.*)'\z/)
+      raise AccessDenied, "invalid git command #{command_line.inspect}" unless match
+
+      command = match[1]
+      repository = match[2]
+
+      raise AccessDenied, "invalid repository #{repository.inspect}" if repository.empty?
+      raise AccessDenied, "invalid repository #{repository.inspect}" if repository.include?("'")
+      raise AccessDenied, "invalid repository #{repository.inspect}" if repository.start_with?("-")
+
+      repository = canonicalize(repository)
+
+      [command, repository]
+    end
+
+    def canonicalize(path)
+      # Collapse /./, /../, and // without touching the filesystem.
+      # This prevents path traversal like /git/../etc/shadow from
+      # bypassing an allowlist entry of /git/repo.git.
+      parts = path.split("/")
+      result = []
+
+      parts.each do |part|
+        case part
+        when "", "."
+          next
+        when ".."
+          result.pop
+        else
+          result << part
+        end
+      end
+
+      prefix = path.start_with?("/") ? "/" : ""
+      "#{prefix}#{result.join("/")}"
+    end
+
+    def check_command_allowed!
+      required_mode = ALLOWED_COMMANDS[@command]
+      raise AccessDenied, "command not permitted #{@command.inspect}" unless required_mode
+
+      return unless (@mode & required_mode).zero?
+
+      action = required_mode == MODE_READ ? "download" : "upload"
+      raise AccessDenied, "#{action} not permitted for #{@command.inspect}"
+    end
+
+    def check_repo_permitted!
+      canonical_repo = @repository
+
+      permitted = @permitted_repos.any? do |pattern|
+        pattern = canonicalize(pattern)
+        File.fnmatch?(pattern, canonical_repo, File::FNM_PATHNAME)
+      end
+
+      raise AccessDenied, "access to repository #{canonical_repo.inspect} is denied" unless permitted
+    end
+  end
+end

data/lib/gitlimit/cli.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "optparse"
+
+module Gitlimit
+  class CLI
+    def self.run(argv = ARGV, env = ENV)
+      new(argv, env).run
+    end
+
+    def initialize(argv, env)
+      @argv = argv.dup
+      @env = env
+      @mode = MODE_READ | MODE_WRITE
+      @check = false
+    end
+
+    def run
+      parse_options!
+
+      if @argv.empty?
+        abort @parser.to_s
+      end
+
+      ssh_command = @env["SSH_ORIGINAL_COMMAND"]
+      access = Access.new(ssh_command: ssh_command, mode: @mode, permitted_repos: @argv)
+      access.check!
+
+      log("permitted: #{access.command} #{access.repository}")
+
+      if @check
+        # Dry run - just report success
+        return
+      end
+
+      exec("git-shell", "-c", "#{access.command} '#{access.repository}'")
+    rescue AccessDenied => e
+      log("denied: #{e.message}")
+      abort "gitlimit: #{e.message}"
+    end
+
+    private
+
+    def parse_options!
+      @parser = OptionParser.new do |opts|
+        opts.banner = "Usage: gitlimit [flags] repository [repository ...]"
+
+        opts.on("-m MODE", "Mode: r (read-only), w (write-only), rw (default)") do |m|
+          @mode = MODE_PARSE[m]
+          abort "gitlimit: mode (-m) must be r / w / rw" unless @mode
+        end
+
+        opts.on("-c", "Check access / dry run mode") do
+          @check = true
+        end
+      end
+
+      @parser.parse!(@argv)
+    end
+
+    def log(message)
+      $stderr.puts "gitlimit: #{message}"
+    end
+  end
+end

data/lib/gitlimit/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Gitlimit
+  VERSION = "0.1.0"
+end

data/lib/gitlimit.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "gitlimit/version"
+require_relative "gitlimit/access"
+require_relative "gitlimit/cli"

metadata

@@ -0,0 +1,51 @@
+--- !ruby/object:Gem::Specification
+name: gitlimit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Chris Hasinski
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: A simple tool to limit access to git repositories for SSH git clients,
+  intended to be run from authorized_keys. Supports read/write mode control, glob
+  patterns, and path canonicalization.
+email:
+- krzysztof.hasinski@gmail.com
+executables:
+- gitlimit
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- bin/gitlimit
+- lib/gitlimit.rb
+- lib/gitlimit/access.rb
+- lib/gitlimit/cli.rb
+- lib/gitlimit/version.rb
+homepage: https://github.com/khasinski/gitlimit
+licenses:
+- ISC
+metadata:
+  homepage_uri: https://github.com/khasinski/gitlimit
+  source_code_uri: https://github.com/khasinski/gitlimit
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: Control access to git repositories via SSH
+test_files: []