"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
Closes#131
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options uses namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.
* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures
that the _rest-server_ is only allowed to write to its data directory.
* `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_
gets (read) access to.
* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
binaries, etc to escalate its privileges.
See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details
While at I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to backup to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
Goji routes incoming requests without first URL decoding the path, so
'%2F' in a URL will not be decoded to a '/' before routing. But by the
time that we perform the path checks for private urls on r.URL.Path,
these characters have been decoded.
As a consequence, a user 'foo' could use 'foo%2Fbar' as the repo name.
The private repo check would see that the path starts with 'foo/' and
allow it, and rest-server would happily create a 'foo/bar' repo. Other
more harmful variants are possible.
To resolve this issue, we now reject any name part that contains a '/'.
Additionally, we immediately reject a few other characters that are
disallowed under some operating systems or filesystems.
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
* Add --max-size flag to limit repository size
* Only update repo size on successful write
* Use initial size as current size for first SaveBlob
* Apply LimitReader to request body
* Use HTTP 413 for size overage responses
* Refactor size limiting; do checks after every write
* Remove extra commented lines, d'oh
* Account for deleting blobs when counting space usage
* Remove extra commented line
* Fix unrelated bug (inverted err check)
* Update comment to trigger new CI build
