Commit graph

262 commits

Author SHA1 Message Date
Konrad Wojas
f8e774393c Stricter path sanitization
Goji routes incoming requests without first URL decoding the path, so
'%2F' in a URL will not be decoded to a '/' before routing. But by the
time that we perform the path checks for private URLs on r.URL.Path,
these characters have been decoded.

As a consequence, a user 'foo' could use 'foo%2Fbar' as the repo name.
The private repo check would see that the path starts with 'foo/' and
allow it, and rest-server would happily create a 'foo/bar' repo. Other
more harmful variants are possible.

To resolve this issue, we now reject any name part that contains a '/'.

Additionally, we immediately reject a few other characters that are
disallowed under some operating systems or filesystems.
2020-09-13 11:19:26 +02:00
Alexander Neumann
6367043b2c Also run linters and tests on PRs 2020-09-13 11:16:17 +02:00
Alexander Neumann
6e44ec0763 Replace Travis with GitHub Actions 2020-09-13 11:13:35 +02:00
Alexander Neumann
06f8484400 Docker: Don't delete htpasswd file 2020-09-12 17:28:18 +02:00
Alexander Neumann
1629c824c9 Add config for GitHub 2020-09-12 17:02:11 +02:00
Leo R. Lundgren
fd635e3965 Merge branch 'jtagcat-issue-template' based on pull request #105 from jtagcat/master 2020-05-06 15:00:49 +02:00
jtagcat
8300e75c77 Issue templates: how to get version using docker 2020-05-06 14:56:06 +02:00
rawtaz
f9fcc40305 Merge pull request #101 from ProactiveServices/patch-1
Update systemd unit file to current standards
2020-04-12 20:24:34 +02:00
rawtaz
fcf9220630 Add maintainer edit checkbox to PR template 2020-04-12 19:51:03 +02:00
Adam Piggott
c74c36e175 Tweak systemd unit file
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
2020-04-12 18:29:39 +01:00
Leo R. Lundgren
b7b5d32538 doc: Fix incorrect URL for private repos in README.md 2020-04-12 14:30:42 +02:00
Alexander Neumann
3fcbbc7b65 Merge pull request #106 from restic/remove-vendor
Remove vendored dependencies
2020-04-04 21:24:41 +02:00
Alexander Neumann
27264c0a7a Fix changelog template 2020-04-04 21:13:07 +02:00
Alexander Neumann
c69d473fa5 Add changelog 2020-04-04 21:13:07 +02:00
Alexander Neumann
687804a02b Update README, require Go >= 1.11 2020-04-04 21:13:07 +02:00
Alexander Neumann
59afaed1a6 Update Travis 2020-04-04 21:13:07 +02:00
Alexander Neumann
9ae066589d Fix build.go 2020-04-04 20:41:32 +02:00
Alexander Neumann
46fd57c36e Remove vendored dependencies 2020-04-04 20:41:24 +02:00
Alexander Neumann
0cfe4320c0 Update Go version for Travis 2020-02-26 21:35:20 +01:00
Alexander Neumann
f3408b3e46 Convert to Go Modules 2020-02-26 21:34:33 +01:00
rawtaz
d9757b2022 Update PR template to encourage preceding issues. 2019-12-26 20:52:04 +01:00
rawtaz
35e3a30949 Merge pull request #81 from qbit/reload
Reload htpasswd on SIGHUP
2019-12-19 00:32:23 +01:00
rawtaz
947374fbfb Merge pull request #86 from rafacouto/bugfix-issue#85
Fix docker create_user script error when reading password from command line.
2019-12-18 23:55:23 +01:00
Rafa Couto
13cae78c8f Patch to issue #85 (Docker create_user script error when reading password as argument). 2019-12-18 23:53:36 +01:00
rawtaz
a48d6947d9 Merge pull request #98 from rawtaz/95-templates
Add templates for bug and feature issues as well as PRs.
2019-12-18 23:19:20 +01:00
rawtaz
9a62754e15 Merge pull request #97 from rawtaz/96-persist-unreleased
Add .gitkeep to persist changelog/unreleased/ when empty.
2019-12-18 23:18:36 +01:00
Leo R. Lundgren
527c7ab1c8 Add templates for bug and feature issues as well as PRs. 2019-12-18 23:17:13 +01:00
Leo R. Lundgren
6ebedcc0b2 Add .gitkeep to persist changelog/unreleased/ when empty. 2019-12-18 23:14:09 +01:00
Aaron Bieber
f18a5c16be reload htpasswd on SIGHUP 2019-03-04 16:55:29 -07:00
Matt Holt
a87d968870 Add --max-size flag to limit size of repositories (#72)
* Add --max-size flag to limit repository size

* Only update repo size on successful write

* Use initial size as current size for first SaveBlob

* Apply LimitReader to request body

* Use HTTP 413 for size overage responses

* Refactor size limiting; do checks after every write

* Remove extra commented lines, d'oh

* Account for deleting blobs when counting space usage

* Remove extra commented line

* Fix unrelated bug (inverted err check)

* Update comment to trigger new CI build
2018-06-14 15:53:29 -06:00
Alexander Trost
6f412e6a8a Exclude /metrics path from private repos check (#69)
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
2018-06-14 15:53:12 -06:00
Alexander Neumann
420b1d3ee8 Merge pull request #67 from mholt/master
Refactor handlers: make Config not global
2018-06-11 22:04:33 +02:00
Alexander Neumann
9cda1814b6 Update URL for Travis 2018-05-08 20:42:24 +02:00
Matthew Holt
df3b6aa1cf Rename Config to Server and use singular one in main 2018-04-15 08:31:50 -06:00
Matthew Holt
b98c171644 Refactor handlers: make Config not global 2018-04-12 19:55:44 -06:00
Alexander Neumann
7dd5483ea3 Merge pull request #64 from restic/fix-append-only
Security: Refuse overwriting the config file in append-only mode
2018-04-02 13:25:46 +02:00
Alexander Neumann
0f4f747b74 Add entry to changelog 2018-04-02 13:09:37 +02:00
Alexander Neumann
0f72176ddd Refuse writing the config in append-only mode 2018-04-02 13:09:37 +02:00
Alexander Neumann
8dad5a5f41 Add test for append-only mode 2018-04-02 13:09:37 +02:00
Alexander Neumann
899ef655ef Merge pull request #62 from restic/add-changelog
Add changelog generated by calens
2018-04-02 12:45:17 +02:00
Alexander Neumann
7126dfec79 Merge pull request #63 from jcgruenhage/patch-1
remove sudo from makefile
2018-03-30 11:46:27 +02:00
Jan Christian Grünhage
9107b94367 remove sudo from makefile
the makefile should not depend on sudo
2018-03-29 11:27:03 +02:00
Alexander Neumann
9d6316bd6e Add pull request URL 2018-03-24 17:41:54 +01:00
Alexander Neumann
897d5a026c Add changelog generated by calens
Closes #44
2018-03-24 17:40:49 +01:00
Konrad Wojas
4d2493388a Require auth by default, add --no-auth flag
In order to prevent users from accidentally exposing rest-server without
authentication, rest-server now defaults to requiring a .htpasswd. If
you want to disable authentication, you need to explicitly pass the new
--no-auth flag.
2018-03-24 13:30:54 +01:00
Leo R. Lundgren
02196a18d8 Clarify that the server does NOT authenticate users without a .htpasswd file. 2018-03-21 23:34:41 +01:00
Leo R. Lundgren
cbafb98113 Add --version flag to print version and exit. 2018-03-21 22:50:14 +01:00
Alexander Neumann
a6961e877b Travis: Fix tests (again)
The problem is that in Go < 1.9 "..." also matches the vendor directory,
and we don't want to run those tests :)
2018-03-20 22:19:42 +01:00
Leo R. Lundgren
ec7289235c Rename --cpuprofile flag to --cpu-profile (#53) 2018-03-20 21:46:30 +01:00
Alexander Neumann
698b6331b9 Travis: Test all the versions that we support
At the moment, `build.go` is configured to check that Go >= 1.7 is used,
so let's test that on Travis.
2018-03-20 21:16:58 +01:00