From 0d05e5d26ce362b4b8c06e6b847fa93730065b48 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Sa=C5=A1a=20=C5=BDivkov?= Date: Thu, 30 Jan 2014 15:04:43 +0100 Subject: [PATCH] Possibility to limit the max pack size on receive-pack The maxPackSizeLimit, when set, will reject a pack if it exceeds that limit. This feature is intended to provide a mechanism to control disk space quota on Git repositories. Change-Id: I83d8db670875c395f8171461b402083323e623a5 CQ: 7896 --- .../eclipse/jgit/internal/JGitText.properties | 2 + .../jgit/errors/TooLargePackException.java | 69 ++++++++ .../org/eclipse/jgit/internal/JGitText.java | 2 + .../jgit/transport/BaseReceivePack.java | 32 ++++ .../jgit/util/io/LimitedInputStream.java | 154 ++++++++++++++++++ 5 files changed, 259 insertions(+) create mode 100644 org.eclipse.jgit/src/org/eclipse/jgit/errors/TooLargePackException.java create mode 100644 org.eclipse.jgit/src/org/eclipse/jgit/util/io/LimitedInputStream.java diff --git a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties index bb67c127a7..a5a5cf6c99 100644 --- a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties +++ b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties @@ -403,6 +403,8 @@ readingObjectsFromLocalRepositoryFailed=reading objects from local repository fa readTimedOut=Read timed out after {0} ms receivePackObjectTooLarge1=Object too large, rejecting the pack. Max object size limit is {0} bytes. receivePackObjectTooLarge2=Object too large ({0} bytes), rejecting the pack. Max object size limit is {1} bytes. +receivePackInvalidLimit=Illegal limit parameter value {0} +receivePackTooLarge=Pack exceeds the limit of {0} bytes, rejecting the pack receivingObjects=Receiving objects refAlreadyExists=already exists refAlreadyExists1=Ref {0} already exists diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/errors/TooLargePackException.java b/org.eclipse.jgit/src/org/eclipse/jgit/errors/TooLargePackException.java new file mode 100644 index 0000000000..5cf0f802c1 --- /dev/null +++ b/org.eclipse.jgit/src/org/eclipse/jgit/errors/TooLargePackException.java @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2014, Sasa Zivkov , SAP AG + * and other copyright owners as documented in the project's IP log. + * + * This program and the accompanying materials are made available + * under the terms of the Eclipse Distribution License v1.0 which + * accompanies this distribution, is reproduced below, and is + * available at http://www.eclipse.org/org/documents/edl-v10.php + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or + * without modification, are permitted provided that the following + * conditions are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * - Neither the name of the Eclipse Foundation, Inc. nor the + * names of its contributors may be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +package org.eclipse.jgit.errors; + +import java.io.IOException; +import java.text.MessageFormat; + +import org.eclipse.jgit.internal.JGitText; + +/** + * Thrown when a pack exceeds a given size limit + * + * @since 3.3 + */ +public class TooLargePackException extends IOException { + private static final long serialVersionUID = 1L; + + /** + * Construct a too large pack exception. + * + * @param packSizeLimit + * the pack size limit (in bytes) that was exceeded + */ + public TooLargePackException(long packSizeLimit) { + super(MessageFormat.format(JGitText.get().receivePackTooLarge, + Long.valueOf(packSizeLimit))); + } +} diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java index f9700a1ff4..8ca425a15b 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java @@ -465,6 +465,8 @@ public class JGitText extends TranslationBundle { /***/ public String readTimedOut; /***/ public String receivePackObjectTooLarge1; /***/ public String receivePackObjectTooLarge2; + /***/ public String receivePackInvalidLimit; + /***/ public String receivePackTooLarge; /***/ public String receivingObjects; /***/ public String refAlreadyExists; /***/ public String refAlreadyExists1; diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BaseReceivePack.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BaseReceivePack.java index 39e4aadc9d..67ab9ef3a6 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BaseReceivePack.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BaseReceivePack.java @@ -55,6 +55,7 @@ import java.io.EOFException; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.text.MessageFormat; import java.util.ArrayList; import java.util.Collections; import java.util.HashSet; @@ -65,6 +66,7 @@ import java.util.concurrent.TimeUnit; import org.eclipse.jgit.errors.MissingObjectException; import org.eclipse.jgit.errors.PackProtocolException; +import org.eclipse.jgit.errors.TooLargePackException; import org.eclipse.jgit.internal.JGitText; import org.eclipse.jgit.internal.storage.file.PackLock; import org.eclipse.jgit.lib.BatchRefUpdate; @@ -89,6 +91,7 @@ import org.eclipse.jgit.revwalk.RevTree; import org.eclipse.jgit.revwalk.RevWalk; import org.eclipse.jgit.transport.ReceiveCommand.Result; import org.eclipse.jgit.util.io.InterruptTimer; +import org.eclipse.jgit.util.io.LimitedInputStream; import org.eclipse.jgit.util.io.TimeoutInputStream; import org.eclipse.jgit.util.io.TimeoutOutputStream; @@ -234,6 +237,9 @@ public abstract class BaseReceivePack { /** Git object size limit */ private long maxObjectSizeLimit; + /** Total pack size limit */ + private long maxPackSizeLimit = -1; + /** * Create a new pack receive for an open repository. * @@ -622,6 +628,24 @@ public abstract class BaseReceivePack { maxObjectSizeLimit = limit; } + + /** + * Set the maximum allowed pack size. + *

+ * A pack exceeding this size will be rejected. + * + * @param limit + * the pack size limit, in bytes + * + * @since 3.3 + */ + public void setMaxPackSizeLimit(final long limit) { + if (limit < 0) + throw new IllegalArgumentException(MessageFormat.format( + JGitText.get().receivePackInvalidLimit, Long.valueOf(limit))); + maxPackSizeLimit = limit; + } + /** * Check whether the client expects a side-band stream. * @@ -741,6 +765,14 @@ public abstract class BaseReceivePack { rawOut = o; } + if (maxPackSizeLimit >= 0) + rawIn = new LimitedInputStream(rawIn, maxPackSizeLimit) { + @Override + protected void limitExceeded() throws TooLargePackException { + throw new TooLargePackException(limit); + } + }; + pckIn = new PacketLineIn(rawIn); pckOut = new PacketLineOut(rawOut); pckOut.setFlushOnEnd(false); diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/util/io/LimitedInputStream.java b/org.eclipse.jgit/src/org/eclipse/jgit/util/io/LimitedInputStream.java new file mode 100644 index 0000000000..85c8172042 --- /dev/null +++ b/org.eclipse.jgit/src/org/eclipse/jgit/util/io/LimitedInputStream.java @@ -0,0 +1,154 @@ +/* + * Copyright (C) 2007 The Guava Authors + * Copyright (C) 2014, Sasa Zivkov , SAP AG + * and other copyright owners as documented in the project's IP log. + * + * This program and the accompanying materials are made available + * under the terms of the Eclipse Distribution License v1.0 which + * accompanies this distribution, is reproduced below, and is + * available at http://www.eclipse.org/org/documents/edl-v10.php + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or + * without modification, are permitted provided that the following + * conditions are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * - Neither the name of the Eclipse Foundation, Inc. nor the + * names of its contributors may be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +package org.eclipse.jgit.util.io; + +import java.io.FilterInputStream; +import java.io.IOException; +import java.io.InputStream; + +/** + * Wraps a {@link InputStream}, limiting the number of bytes which can be + * read. + * + * This class was copied and modifed from the Google Guava 16.0. Differently from + * the original Guava code, when a caller tries to read from this stream past + * the given limit and the wrapped stream hasn't yet reached its EOF this class + * will call the limitExceeded method instead of returning EOF. + * + * @since 3.3 + */ +public abstract class LimitedInputStream extends FilterInputStream { + + private long left; + /** Max number of bytes to be read from the wrapped stream */ + protected final long limit; + private long mark = -1; + + /** + * Create a new LimitedInputStream + * + * @param in an InputStream + * @param limit max number of bytes to read from the InputStream + */ + protected LimitedInputStream(InputStream in, long limit) { + super(in); + left = limit; + this.limit = limit; + } + + @Override + public int available() throws IOException { + return (int) Math.min(in.available(), left); + } + + // it's okay to mark even if mark isn't supported, as reset won't work + @Override + public synchronized void mark(int readLimit) { + in.mark(readLimit); + mark = left; + } + + @Override + public int read() throws IOException { + if (left == 0) { + if (in.available() == 0) + return -1; + else + limitExceeded(); + } + + int result = in.read(); + if (result != -1) + --left; + return result; + } + + @Override + public int read(byte[] b, int off, int len) throws IOException { + if (left == 0) { + if (in.available() == 0) + return -1; + else + limitExceeded(); + } + + len = (int) Math.min(len, left); + int result = in.read(b, off, len); + if (result != -1) + left -= result; + return result; + } + + @Override + public synchronized void reset() throws IOException { + if (!in.markSupported()) + throw new IOException("Mark not supported"); + + if (mark == -1) + throw new IOException("Mark not set"); + + in.reset(); + left = mark; + } + + @Override + public long skip(long n) throws IOException { + n = Math.min(n, left); + long skipped = in.skip(n); + left -= skipped; + return skipped; + } + + /** + * Called when trying to read past the given {@link #limit} and the wrapped + * InputStream {@link #in} hasn't yet reached its EOF + * + * @throws IOException + * subclasses can throw an IOException when the limit is exceeded. + * The throws IOException will be forwarded back to the caller of + * the read method which read the stream past the limit. + */ + protected abstract void limitExceeded() throws IOException; +} -- 2.39.5