Git's HTTP server side design does not scale


Published on , 379 words, 2 minutes to read

A small rant about CGI.

UPDATE(2025-12-29T13:04Z-5): If you run a git forge: disable unauthenticated clones for repos larger than 512Mi until further notice.

Recently Sourceware had to disable git clone over HTTP due to an attack where lots of random Git clients are cloning repositories. This surprised me: I had assumed the Git client didn't need any smarts on the server and that most of the "magic" was just serving flat files based on what the client asks for. It turns out that the git HTTP backend is way more complicated than I thought it was, and the actual problem boils down to something that's as old as I am: the Common Gateway Interface (CGI).

A CGI handler is a program that gets request metadata from environment variables and standard input, then returns the result over standard output. This means that the web server has to fork/exec a new process for every request. If your service ends up getting very popular very quickly, a flood of requests effectively becomes a fork bomb against the server.

The default and recommended configuration for serving git repositories over HTTP is to use the git-http-backend CGI handler to serve traffic. This means that every time a git client is cloning a repo, the server side needs to spawn a new copy of the process to handle the request. In most cases, this is fine. In extreme cases where lots of residential proxies are cloning every repo they can and making the server calculate absurd diffs between random commit hashes, this results in the opposite of rejoicing.

I am not entirely sure what to suggest to users of Anubis that serve git repositories with git-http-backend. My SRE instinct is that the entire model of using fork/exec with CGI is fundamentally broken and the git-http-backend service needs to be its own HTTP server that can run persistently and concurrently handle requests, but that is not something that can be slapped together instantly.
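As an added example, not code from this post or from Git itself, here is a hypothetical Python gateway that drives a CGI program under the same contract git-http-backend uses (metadata in environment variables, body on stdin, response on stdout) but caps how many children may run at once; the `CgiGateway` name, the git-http-backend path in the comment and the Python-based `ECHO_CGI` stand-in are constructed for illustration.

```python
import os
import subprocess
import sys
import threading
from urllib.parse import urlsplit

# Hypothetical gateway (not Git's code) following the CGI contract the post describes:
# metadata in env vars, body on stdin, response on stdout, plus a cap on concurrent children.

def parse_cgi_response(raw):
    """Split raw CGI output into (status, body); CGI carries status in a 'Status:' header."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    status = 200
    for line in head.split(b"\n"):
        if line.lower().startswith(b"status:"):
            status = int(line.split()[1])
    return status, body

class CgiGateway:
    def __init__(self, argv, max_concurrent):
        self.argv = argv  # e.g. ["/usr/lib/git-core/git-http-backend"] (assumed path)
        self._slots = threading.BoundedSemaphore(max_concurrent)

    def build_env(self, method, url, headers, body):
        parts = urlsplit(url)
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
               "GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method,
               "PATH_INFO": parts.path, "QUERY_STRING": parts.query,
               "CONTENT_LENGTH": str(len(body))}
        for name, value in headers.items():  # request headers become HTTP_* variables
            env["HTTP_" + name.upper().replace("-", "_")] = value
        return env

    def handle(self, method, url, headers=None, body=b"", timeout=30):
        # Fail fast with 503 once every slot is busy instead of fork/exec'ing yet
        # another child: bounded work is what separates this from a fork bomb.
        if not self._slots.acquire(blocking=False):
            return 503, b"too many concurrent CGI children\n"
        try:
            proc = subprocess.run(self.argv, input=body, capture_output=True, timeout=timeout,
                                  env=self.build_env(method, url, headers or {}, body))
        except subprocess.TimeoutExpired:
            return 504, b"CGI child exceeded time budget\n"
        finally:
            self._slots.release()
        return parse_cgi_response(proc.stdout)

# Constructed stand-in for git-http-backend: a Python one-liner that echoes its CGI inputs.
ECHO_CGI = [sys.executable, "-c", "import os,sys;sys.stdout.write('Status: 200 OK\\n\\n'"
            "+os.environ['PATH_INFO']+' '+os.environ['QUERY_STRING']+' '+sys.stdin.read())"]
```

The cap and timeout are a stopgap for a fork/exec design, not a replacement for the persistent server the post asks for.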

Am I missing something really simple that I don't know about? Google has failed me.


Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.


Copyright 2012-2026 Xe Iaso. Any and all opinions listed here are my own and not representative of any of my employers, past, future, and/or present.
