Affects Version/s: 5.4.46
Fix Version/s: 5.6.7
Sprint: DevTools 62, DevTools 63, DevTools 64
- Set up a Bitbucket repo and clone it to your local machine.
- Install Git LFS and set it up in your local repository. Also, ensure that LFS is enabled for the remote repository in Bitbucket.
- Add a 'Restrict file size' hook to the Bitbucket repository and choose a moderately large max size (1000 bytes ought to be enough). Do not configure the hook to exclude LFS files.
- Get hold of a binary file that's larger than the limit you set, note its extension, and configure LFS to track files with that extension. (You can also just configure it to track only that specific file by name, I believe, if you prefer.)
- Add, commit and push the .gitattributes file that LFS creates.
- Add, commit and attempt to push the large binary file.
Expected: The push is rejected because the file is too large.
Actual: The push is accepted.
This happens because we use git cat-file in batch mode to determine the file sizes, and the size that it reports for LFS files is in fact the size of the pointers: the small text files that describe where the larger files themselves can be found. These pointers tend to be only about 100-200 bytes long and thus fall below the configured limit, hence the oversized LFS files are allowed through.
The solution to this is to inspect the content of the pointer file, which includes information on the true size of the LFS file. We already parse this content in order to verify the identity of pointer files, so it should be doable to extract the size data as well.
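The size check described above, sketched as an added example (this is not the hook's own code). The function names are hypothetical, the pointer layout follows the Git LFS v1 pointer spec, and the sample pointer is constructed.

```python
import re

LFS_VERSION_LINE = "version https://git-lfs.github.com/spec/v1"
LFS_POINTER_MAX_BYTES = 1024  # per the LFS spec, pointers are smaller than this
OID_RE = re.compile(r"sha256:[0-9a-f]{64}")
SIZE_RE = re.compile(r"[0-9]+")

# Constructed sample pointer: placeholder oid, declared size of 5 MiB.
SAMPLE_POINTER = (
    "version https://git-lfs.github.com/spec/v1\n"
    "oid sha256:" + "0123456789abcdef" * 4 + "\n"
    "size 5242880\n"
).encode("ascii")


def lfs_declared_size(blob: bytes):
    """Return the size an LFS pointer declares, or None if blob is not a pointer."""
    if len(blob) >= LFS_POINTER_MAX_BYTES:
        return None
    try:
        lines = blob.decode("utf-8").splitlines()
    except UnicodeDecodeError:
        return None
    if not lines or lines[0] != LFS_VERSION_LINE:
        return None
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(" ")
        if not sep:
            return None  # every pointer line must be "key value"
        fields[key] = value
    if not OID_RE.fullmatch(fields.get("oid", "")):
        return None
    if not SIZE_RE.fullmatch(fields.get("size", "")):
        return None
    return int(fields["size"])


def effective_size(blob: bytes) -> int:
    """Size to compare against the limit: declared LFS size, else the blob length."""
    declared = lfs_declared_size(blob)
    return len(blob) if declared is None else declared


def exceeds_limit(blob: bytes, max_bytes: int) -> bool:
    return effective_size(blob) > max_bytes


if __name__ == "__main__":
    print(len(SAMPLE_POINTER), effective_size(SAMPLE_POINTER),
          exceeds_limit(SAMPLE_POINTER, 1000))
```

The size field is written by the pushing client, so a hook built this way enforces the declared size of the LFS object rather than a size it measured itself.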