Skip to content

fix(providers): allow git clone/fetch via default GitHub provider#2317

Open
russellb wants to merge 1 commit into
NVIDIA:mainfrom
russellb:fix/issue-1769
Open

fix(providers): allow git clone/fetch via default GitHub provider#2317
russellb wants to merge 1 commit into
NVIDIA:mainfrom
russellb:fix/issue-1769

Conversation

@russellb

@russellb russellb commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

The default GitHub provider blocked gh repo clone / git clone https://… inside sandboxes. This makes clone/fetch work while keeping push blocked by default.

Related Issue

Closes #1769

Changes

  • providers/github.yaml: replace the access: read-only preset on the github.com:443 git-transport endpoint with explicit rules — GET/HEAD/OPTIONS ** plus POST /**/git-upload-pack. The read-only preset only expands to GET/HEAD/OPTIONS, but git smart HTTP needs POST to */git-upload-pack for clone/fetch.
  • Push (git-receive-pack) stays denied; enabling it still requires an explicit policy proposal. The two api.github.com REST/GraphQL endpoints remain read-only.
  • Tests: add a provider-profile regression test (openshell-providers) and a rego enforcement test (openshell-supervisor-network) covering ref discovery, git-upload-pack (allowed), and git-receive-pack (denied); update the two existing tests that asserted "all github endpoints read-only".

Why allowing this POST is still read-only

In git's smart HTTP protocol, POST is an RPC transport, not a write. A clone/fetch is GET */info/refs (ref discovery) followed by POST */git-upload-pack, whose body is only the client's want/have negotiation; the server replies with a packfile and nothing on the server is modified (data flows server → client). The service names are from the server's perspective: git-upload-pack = the server uploads a pack to the client (a read/download), while git-receive-pack = the server receives a pack from the client (the actual write/push). The new rule is scoped to */git-upload-pack only, so push and arbitrary POSTs to github.com remain denied.

Testing

  • openshell-providers, openshell-supervisor-network, and openshell-server targeted tests pass (new + updated regression tests green)
  • Unit tests added/updated
  • E2E tests added/updated (verified at the L7 policy-enforcement layer via a rego test rather than full sandbox e2e)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

The github.com:443 git-transport endpoint used the read-only access
preset, which expands to GET/HEAD/OPTIONS only. Git smart HTTP requires
a POST to */git-upload-pack for clone and fetch, so the L7 proxy denied
those operations and `gh repo clone` / `git clone https://...` failed.

Replace the preset with explicit rules that permit the read-only methods
plus POST */git-upload-pack, so clone/fetch work while push
(git-receive-pack) stays blocked. Enabling push still requires an
explicit policy proposal.

Why allowing this POST is still read-only: in git's smart HTTP protocol
POST is an RPC transport, not a write. A clone/fetch does GET
*/info/refs (ref discovery) followed by POST */git-upload-pack, whose
body is only the client's want/have negotiation; the server responds
with a packfile and nothing on the server is modified (data flows
server -> client). The service names are from the server's perspective:
git-upload-pack = the server uploads a pack to the client (a read/
download), while git-receive-pack = the server receives a pack from the
client (the actual write/push). The new rule is scoped to
*/git-upload-pack only, so push (git-receive-pack) and arbitrary POSTs
to github.com remain denied.

Add a provider-profile regression test and a rego enforcement test
covering ref discovery, upload-pack (allowed), and receive-pack (denied).

Closes NVIDIA#1769

Signed-off-by: Russell Bryant <rbryant@redhat.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers

Copy link
Copy Markdown
Collaborator

Thanks @russellb lgtm at first glance. Having Gator do its thing anyway.

@johntmyers johntmyers added the gator:in-review Gator is reviewing or awaiting PR review feedback label Jul 17, 2026
@johntmyers

Copy link
Copy Markdown
Collaborator

gator-agent

PR Review Status

Validation: This PR directly implements confirmed bug #1769 with a concentrated Provider V2/L7 policy change. The proposed git-upload-pack exception preserves the intended read-only Git boundary; I found no current authorization bypass or privilege escalation.

Head SHA: 756183525eeab149594af0919db0eab2a4a5e1cf

Thanks @johntmyers. I checked the implementation beyond your first-glance LGTM, including canonical path handling, OPA matching, provider-policy composition, and the existing Fern guidance. Three author changes remain:

  • Strengthen the built-in-profile regression in crates/openshell-providers/src/profiles.rs so it asserts the exact allowed rule set (GET/HEAD/OPTIONS ** and POST /**/git-upload-pack) and fails if a broad or additional POST rule could enable push. The current substring checks would still pass alongside POST **. Ideally, evaluate the actual composed built-in endpoint through OPA instead of relying only on the hand-copied fixture in crates/openshell-supervisor-network/src/opa.rs.
  • Add the real clone/fetch E2E requested in the trusted triage on bug: gh repo clone fails with default github provider — POST git-upload-pack denied #1769. The current unit test does not exercise provider attachment, effective-policy composition, TLS interception, redirects, or real Git behavior.
  • Update the existing Fern provider documentation (for example, docs/sandboxes/providers-v2.mdx) to say that the built-in GitHub profile permits HTTPS clone/fetch through git-upload-pack while API mutations and git-receive-pack remain denied. No navigation change appears necessary.

Docs: Missing for this direct user-visible default-provider behavior change.

Next state: gator:in-review. Please push an updated commit addressing these items. On the new head, gator will re-review and make the required test:e2e/copy-PR authorization decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gator:in-review Gator is reviewing or awaiting PR review feedback

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: gh repo clone fails with default github provider — POST git-upload-pack denied

2 participants