From: Jonathan Nieder <jrnieder@gmail.com>
To: 1234dev <1234dev@protonmail.com>
Cc: Jeff King <peff@peff.net>,
	"git@vger.kernel.org" <git@vger.kernel.org>,
	Josh Steadmon <steadmon@google.com>
Subject: Re: Can Git repos be hacked or otherwise manipulated?
Date: Wed, 15 Jan 2020 03:43:41 +0000
Message-ID: <20200115034341.GA218782@google.com>
In-Reply-To: <bvMqhQOr4uENl8j2zcFOY0ogJmUqTRofCGyPlPc_xaXQXSP5ds9lgdglXkjTZng9U5WSpo-Uc2_SzCTdpAvLTeruT-tW3GTDkWj9dfLznuM=@protonmail.com>

Hi,

1234dev wrote:
> Jeff King wrote:

>> It is absolutely not safe to run Git commands from a tarball of an
>> untrusted repo. There are many ways to execute arbitrary code specified
>> by a config option, and you'd be getting the recipient's .git/config.
>> Likewise for hooks.

(By the way, this is an area of active work.  If you'd like to help,
that's welcome. :) See also
https://lore.kernel.org/git/20171002234517.GV19555@aiede.mtv.corp.google.com/
and https://lore.kernel.org/git/20191116011125.GG22855@google.com/.)

>> And while we would consider it a bug if you can trigger a memory error
>> by reading a corrupted or malicious on-disk file, that's gotten way
>> less auditing than the code paths which take in objects from a remote.
>> So e.g., I would not be surprised if there are vulnerabilities that
>> could cause out-of-bounds reads of a corrupted .git/index.

Cc-ing Josh Steadmon in case he has pointers for how to add some fuzz
tests to harden this kind of thing.  We definitely want to find any
vulnerabilities in this area.  (In addition to the case of "ask a
friendly sysadmin or member of GitHub tech support to debug my broken
repo", this also would affect any users collaborating on a repository
on a shared filesystem.)

[...]
> To work around this problem, should we instead host this repo on a
> public service? If so which one would you recommend?

If you want to use ordinary file transfer mechanisms to share a
repository, you can use "git bundle" to create a copy of your Git repo
in a form that is meant to be safe and straightforward to pass around.
See "git help bundle" for more details.

Thanks and hope that helps,
Jonathan
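As an added illustration of the "git bundle" suggestion above (example code, not part of the thread or of Git itself): a small parser for a bundle file's header, following the layout documented in gitformat-bundle(5). It shows that a bundle carries only prerequisites, refs and a packfile, none of the config or hooks that make an untrusted .git directory dangerous. The sample bundle bytes are constructed, not from any real repository.

```python
import re
# A git bundle (gitformat-bundle(5)): "# v2 git bundle" signature (v3 may add "@key[=value]"
# capability lines), "-<oid> <comment>" prerequisites, "<oid> <refname>" refs, a blank
# line, then the packfile. Only refs and objects fit in it: no .git/config, no hooks.
SIGNATURES = {b"# v2 git bundle": 2, b"# v3 git bundle": 3}
OID_LEN = {"sha1": 40, "sha256": 64}

def parse_bundle_header(data: bytes) -> dict:
    """Validate a bundle header; return version, capabilities, prerequisites, refs."""
    lines = data.split(b"\n")
    if lines[0] not in SIGNATURES:
        raise ValueError("not a git bundle: bad signature line")
    version, caps, prereqs, refs = SIGNATURES[lines[0]], {}, [], {}
    oid_len, pos = OID_LEN["sha1"], len(lines[0]) + 1   # pos: byte offset past signature
    for line in lines[1:]:
        pos += len(line) + 1
        if line == b"":                         # blank line terminates the header
            break
        if line.startswith(b"@"):               # capabilities: v3 only, before any ref
            if version < 3 or prereqs or refs:
                raise ValueError("capability line where none is allowed")
            key, _, value = line[1:].decode().partition("=")
            if key == "object-format":          # sha256 bundles use 64-hex object ids
                if value not in OID_LEN:
                    raise ValueError(f"unknown object format {value!r}")
                oid_len = OID_LEN[value]
            caps[key] = value
            continue
        m = re.fullmatch(rb"(-?)([0-9a-f]{%d}) (.+)" % oid_len, line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        oid, name = m.group(2).decode(), m.group(3).decode()
        if m.group(1):                          # "-<oid>": prerequisite, not a ref
            prereqs.append(oid)
        elif (name != "HEAD" and not name.startswith("refs/")) or ".." in name:
            raise ValueError(f"suspicious refname: {name!r}")
        else:
            refs[name] = oid
    else:
        raise ValueError("header not terminated by a blank line")
    if data[pos:pos + 4] != b"PACK":            # the packfile must follow immediately
        raise ValueError("no packfile follows the header")
    return {"version": version, "capabilities": caps, "prerequisites": prereqs, "refs": refs, "pack_offset": pos}

# Constructed sample: v2 header, one prerequisite, one ref, then the start of a fake packfile.
SAMPLE_BUNDLE = (b"# v2 git bundle\n"
                 b"-1111111111111111111111111111111111111111 base commit\n"
                 b"2222222222222222222222222222222222222222 refs/heads/main\n"
                 b"\nPACK\x00\x00\x00\x02\x00\x00\x00\x00")
```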

Thread overview: 6+ messages
2020-01-14 14:48 Can Git repos be hacked or otherwise manipulated? 1234dev
2020-01-14 22:08 ` Jeff King
2020-01-15  3:18   ` 1234dev
2020-01-15  3:43     ` Jonathan Nieder [this message]
2020-01-15 18:01     ` Jeff King
2020-01-16 20:15       ` Junio C Hamano
