From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Glen Choo <chooglen@google.com>
Cc: git@vger.kernel.org, Emily Shaffer <emilyshaffer@google.com>,
justin@justinsteven.com, Taylor Blau <me@ttaylorr.com>
Subject: Re: Bare repositories in the working tree are a security risk
Date: Thu, 7 Apr 2022 21:24:02 +0000 [thread overview]
Message-ID: <Yk9Wcr74gvhtyOi7@camp.crustytoothpaste.net> (raw)
In-Reply-To: <kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com>
[-- Attachment #1: Type: text/plain, Size: 2415 bytes --]
On 2022-04-06 at 22:43:08, Glen Choo wrote:
> An attack might look like this:
>
> * Attacker creates a repository where subdirectory "Documentation/" is a bare
> repository i.e. it contains "HEAD", "refs/" and "objects/" [4]. Attacker
> also adds "config" with a malicious setting for core.fsmonitor.
> * Attacker convinces User to read their project's documentation by `git
> clone`-ing their repository and inspecting the "Documentation/" directory.
> * User cd-s into "Documentation/" and their shell prompt runs `git status`,
> executing the core.fsmonitor command defined by Attacker.
As mentioned elsewhere, git status doesn't work without a working tree.
> = Next steps
>
> I propose that we prevent repositories from containing bare repositories by
> doing the following (in order):
>
> * Implement (2) by adding a new fsck message "embeddedBareRepo".
> * When this is done, hosting sites can hopefully use this capability to
> prevent transmission, and help us understand the prevalence of such attacks.
> * Implement (1b) by teaching unpack_trees.c to check whether the tree contains
> an entire bare repo, and die() if so. This will be guarded by a
> defaults-to-true config value.
> * This would only block a bare repo from being written in a single operation.
> It wouldn’t stop a user from writing a bare repo entry-by-entry using "git
> checkout <path>", but the amount of social engineering required probably
> renders this attack infeasible.
> * As I noted earlier, I foresee some difficulty actually implementing this
> because I don’t think we have facilities for checking multiple tree entries
> at once.
I'm aware of repositories that happen to break in this case. It's not
uncommon to embed bare repositories when working with tools that involve
Git, and this will definitely break them. git fast-import isn't always
a valid option because the test data may involve specific structures or
tooling that can't be replicated that way, or it involves things like
commit signatures which aren't round-tripped.
Instead, I'd rather see us avoid executing any program from the config
or any hooks in a bare repository without a working tree (except for
pushes). I think that would avoid breaking things while still improving
security.
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
next prev parent reply other threads:[~2022-04-07 21:24 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-06 22:43 Bare repositories in the working tree are a security risk Glen Choo
2022-04-06 23:22 ` [PATCH] fsck: detect bare repos in trees and warn Glen Choo
2022-04-07 12:42 ` Johannes Schindelin
2022-04-07 13:21 ` Derrick Stolee
2022-04-07 14:14 ` Ævar Arnfjörð Bjarmason
2022-04-14 20:02 ` Glen Choo
2022-04-15 12:46 ` Ævar Arnfjörð Bjarmason
2022-04-07 15:11 ` Junio C Hamano
2022-04-13 22:24 ` Glen Choo
2022-04-07 13:12 ` Ævar Arnfjörð Bjarmason
2022-04-07 15:20 ` Junio C Hamano
2022-04-07 18:38 ` Bare repositories in the working tree are a security risk John Cai
2022-04-07 21:24 ` brian m. carlson [this message]
2022-04-07 21:53 ` Justin Steven
2022-04-07 22:10 ` brian m. carlson
2022-04-07 22:40 ` rsbecker
2022-04-08 5:54 ` Junio C Hamano
2022-04-14 0:03 ` Junio C Hamano
2022-04-14 0:04 ` Glen Choo
2022-04-13 23:44 ` Glen Choo
2022-04-13 20:37 ` Glen Choo
2022-04-13 23:36 ` Junio C Hamano
2022-04-14 16:41 ` Glen Choo
2022-04-14 17:35 ` Junio C Hamano
2022-04-14 18:19 ` Junio C Hamano
2022-04-15 21:33 ` Glen Choo
2022-04-15 22:17 ` Junio C Hamano
2022-04-16 0:52 ` Taylor Blau
2022-04-15 22:43 ` Glen Choo
2022-04-15 20:13 ` Junio C Hamano
2022-04-15 23:45 ` Glen Choo
2022-04-15 23:59 ` Glen Choo
2022-04-16 1:00 ` Taylor Blau
2022-04-16 1:18 ` Junio C Hamano
2022-04-16 1:30 ` Taylor Blau
2022-04-16 0:34 ` Glen Choo
2022-04-16 0:41 ` Glen Choo
2022-04-16 1:28 ` Taylor Blau
2022-04-21 18:25 ` Emily Shaffer
2022-04-21 18:29 ` Emily Shaffer
2022-04-21 18:47 ` Junio C Hamano
2022-04-21 18:54 ` Taylor Blau
2022-04-21 19:09 ` Taylor Blau
2022-04-21 21:01 ` Emily Shaffer
2022-04-21 21:22 ` Taylor Blau
2022-04-29 23:57 ` Glen Choo
2022-04-30 1:14 ` Taylor Blau
2022-05-02 19:39 ` Glen Choo
2022-05-02 14:05 ` Philip Oakley
2022-05-02 18:50 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yk9Wcr74gvhtyOi7@camp.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=chooglen@google.com \
--cc=emilyshaffer@google.com \
--cc=git@vger.kernel.org \
--cc=justin@justinsteven.com \
--cc=me@ttaylorr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).