Re: Bare repositories in the working tree are a security risk

From: Junio C Hamano <gitster@pobox.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: Justin Steven <justin@justinsteven.com>,
	Glen Choo <chooglen@google.com>,
	git@vger.kernel.org, Emily Shaffer <emilyshaffer@google.com>,
	Taylor Blau <me@ttaylorr.com>
Subject: Re: Bare repositories in the working tree are a security risk
Date: Wed, 13 Apr 2022 17:03:57 -0700	[thread overview]
Message-ID: <xmqqfsmg4jki.fsf@gitster.g> (raw)
In-Reply-To: <xmqqmtgwp1aq.fsf@gitster.g> (Junio C. Hamano's message of "Thu, 07 Apr 2022 22:54:53 -0700")

Junio C Hamano <gitster@pobox.com> writes:

> I am not sure if "walking the hierarchy up" is an effective enough
> defence offhand.  Do we consider it too much social engineering to
> make the user follow cloning instruction of the malicious project to
> prepare a repository, with core.worktree set to elsewhere, and pull
> into it?  Since walking up from any subdirectory of the directory
> the core.worktree points at will never see a directory, with ".git/"
> subdirectory that is the malicious project, "git status" run in the
> "embedded" place in such a scenario will not notice that it is a
> repository lookalike that came from outside.  But we can write it
> off as an approach needing too much  social engineering, that's OK.

In other words, an attacker could lead the victim to clone their
malicious repository at path $R with core.worktree in its
configuration file $R/config pointing at some directory $D that is
entirely unrelated to $R.  In a subdirectory of $D (i.e. the working
tree of that malicious repository) there may be a directory $G with
HEAD, refs and config in it.

When the victim visits such a directory $G, going up from there to
the root of the filesystem would not find any directory with ".git/"
subdirectory in it, so your protection may not even notice that $G
came from a checkout of $R.