Git Mailing List Archive on lore.kernel.org
 help / color / Atom feed
* Can Git repos be hacked or otherwise manipulated?
@ 2020-01-14 14:48 1234dev
  2020-01-14 22:08 ` Jeff King
  0 siblings, 1 reply; 6+ messages in thread
From: 1234dev @ 2020-01-14 14:48 UTC (permalink / raw)
  To: git

Hi,

Let's say you're working with a team of elite hackers, passing a tarball of a Git repo back and forth as you complete your mission. Now let's say one of them has malicious intent. What are the possibilities that he or she can, for instance, hide changes made to a script or binary that does something malicious if executed? Or perhaps maybe there are other such scenarios one should be made aware of?

Thanks and have a nice day!

--Jonathan

Sent with ProtonMail Secure Email.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Can Git repos be hacked or otherwise manipulated?
  2020-01-14 14:48 Can Git repos be hacked or otherwise manipulated? 1234dev
@ 2020-01-14 22:08 ` Jeff King
  2020-01-15  3:18   ` 1234dev
  0 siblings, 1 reply; 6+ messages in thread
From: Jeff King @ 2020-01-14 22:08 UTC (permalink / raw)
  To: 1234dev; +Cc: git

On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote:

> Let's say you're working with a team of elite hackers, passing a
> tarball of a Git repo back and forth as you complete your mission. Now
> let's say one of them has malicious intent. What are the possibilities
> that he or she can, for instance, hide changes made to a script or
> binary that does something malicious if executed? Or perhaps maybe
> there are other such scenarios one should be made aware of?

It is absolutely not safe to run Git commands from a tarball of an
untrusted repo. There are many ways to execute arbitrary code specified
by a config option, and you'd be getting recipients .git/config.
Likewise for hooks.

And while we would consider it a bug if you can trigger a memory error
by reading a corrupted or malicious on-disk file, that's gotten _way_
less auditing than the code paths which take in objects from a remote.
So e.g., I would not be surprised if there are vulnerabilities that
could cause out-of-bounds reads of a corrupted .git/index.

-Peff

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Can Git repos be hacked or otherwise manipulated?
  2020-01-14 22:08 ` Jeff King
@ 2020-01-15  3:18   ` 1234dev
  2020-01-15  3:43     ` Jonathan Nieder
  2020-01-15 18:01     ` Jeff King
  0 siblings, 2 replies; 6+ messages in thread
From: 1234dev @ 2020-01-15  3:18 UTC (permalink / raw)
  To: Jeff King, git

Hello Jeff and thank you for your response!

To work around this problem, should we instead host this repo on a public service? If so which one would you recommend?

--Jonathan

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 14, 2020 10:08 PM, Jeff King <peff@peff.net> wrote:

> On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote:
>
> > Let's say you're working with a team of elite hackers, passing a
> > tarball of a Git repo back and forth as you complete your mission. Now
> > let's say one of them has malicious intent. What are the possibilities
> > that he or she can, for instance, hide changes made to a script or
> > binary that does something malicious if executed? Or perhaps maybe
> > there are other such scenarios one should be made aware of?
>
> It is absolutely not safe to run Git commands from a tarball of an
> untrusted repo. There are many ways to execute arbitrary code specified
> by a config option, and you'd be getting recipients .git/config.
> Likewise for hooks.
>
> And while we would consider it a bug if you can trigger a memory error
> by reading a corrupted or malicious on-disk file, that's gotten way
> less auditing than the code paths which take in objects from a remote.
> So e.g., I would not be surprised if there are vulnerabilities that
> could cause out-of-bounds reads of a corrupted .git/index.
>
> -Peff



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Can Git repos be hacked or otherwise manipulated?
  2020-01-15  3:18   ` 1234dev
@ 2020-01-15  3:43     ` Jonathan Nieder
  2020-01-15 18:01     ` Jeff King
  1 sibling, 0 replies; 6+ messages in thread
From: Jonathan Nieder @ 2020-01-15  3:43 UTC (permalink / raw)
  To: 1234dev; +Cc: Jeff King, git, Josh Steadmon

Hi,

1234dev wrote:
> Jeff King wrote:

>> It is absolutely not safe to run Git commands from a tarball of an
>> untrusted repo. There are many ways to execute arbitrary code specified
>> by a config option, and you'd be getting recipients .git/config.
>> Likewise for hooks.

(By the way, this is an area of active work.  If you'd like to help,
that's welcome. :) See also
https://lore.kernel.org/git/20171002234517.GV19555@aiede.mtv.corp.google.com/
and https://lore.kernel.org/git/20191116011125.GG22855@google.com/.)

>> And while we would consider it a bug if you can trigger a memory error
>> by reading a corrupted or malicious on-disk file, that's gotten way
>> less auditing than the code paths which take in objects from a remote.
>> So e.g., I would not be surprised if there are vulnerabilities that
>> could cause out-of-bounds reads of a corrupted .git/index.

Cc-ing Josh Steadmon in case he has pointers for how to add some fuzz
tests to harden this kind of thing.  We definitely want to find any
vulnerabilities in this area.  (In addition to the case of "ask a
friendly sysadmin or member of GitHub tech support to debug my broken
repo", this also would affect any users collaborating on a repository
on a shared filesystem.)

[...]
> To work around this problem, should we instead host this repo on a
> public service? If so which one would you recommend?

If you want to use ordinary file transfer mechanisms to share a
repository, you can use "git bundle" to create a copy of your Git repo
in a form that is meant to be safe and straightforward to pass around.
See "git help bundle" for more details.

Thanks and hope that helps,
Jonathan

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Can Git repos be hacked or otherwise manipulated?
  2020-01-15  3:18   ` 1234dev
  2020-01-15  3:43     ` Jonathan Nieder
@ 2020-01-15 18:01     ` Jeff King
  2020-01-16 20:15       ` Junio C Hamano
  1 sibling, 1 reply; 6+ messages in thread
From: Jeff King @ 2020-01-15 18:01 UTC (permalink / raw)
  To: 1234dev; +Cc: git

On Wed, Jan 15, 2020 at 03:18:34AM +0000, 1234dev wrote:

> To work around this problem, should we instead host this repo on a
> public service? If so which one would you recommend?

Oops, I forgot to mention the actual solution. :)

Generally it is safe to clone _from_ an untrusted repo, even if it's on
a local filesystem. So untarring the repo and running:

  git clone evil.git safe
  cd safe
  git log

should make it OK to run Git commands inside the "safe" directory.

Jonathan Nieder also mentioned using a bundle file, which may be even
simpler, as it skips the part where you have to deal with tar. :)

Run:

  git bundle create foo.bundle --all

on the sending side, and then you can just:

  git clone foo.bundle safe

on the receiving side.

-Peff

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Can Git repos be hacked or otherwise manipulated?
  2020-01-15 18:01     ` Jeff King
@ 2020-01-16 20:15       ` Junio C Hamano
  0 siblings, 0 replies; 6+ messages in thread
From: Junio C Hamano @ 2020-01-16 20:15 UTC (permalink / raw)
  To: Jeff King; +Cc: 1234dev, git\

Jeff King <peff@peff.net> writes:

> On Wed, Jan 15, 2020 at 03:18:34AM +0000, 1234dev wrote:
>
>> To work around this problem, should we instead host this repo on a
>> public service? If so which one would you recommend?
>
> Oops, I forgot to mention the actual solution. :)
>
> Generally it is safe to clone _from_ an untrusted repo, even if it's on
> a local filesystem. So untarring the repo and running:
>
>   git clone evil.git safe
>   cd safe
>   git log
>
> should make it OK to run Git commands inside the "safe" directory.

Then there are those who are even more paranoid to consider that
foreign bits hitting their disk platter ^W^W working tree poses
risks (e.g. by background thumbnailers crawling there, getting
exploited by checked out payload that are not trustworthy).

;-)

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-14 14:48 Can Git repos be hacked or otherwise manipulated? 1234dev
2020-01-14 22:08 ` Jeff King
2020-01-15  3:18   ` 1234dev
2020-01-15  3:43     ` Jonathan Nieder
2020-01-15 18:01     ` Jeff King
2020-01-16 20:15       ` Junio C Hamano

Git Mailing List Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/git/0 git/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 git git/ https://lore.kernel.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.git


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git