On 2020-06-11 at 21:25:45, Shreya Malviya wrote:
> Hi!
> 
> 
> I was playing around with git when I realized that it's possible for
> me to commit something to a repository as another user (explained a
> scenario below for a better understanding of what I mean) and it is
> not considered a security vulnerability, understandably so
> (https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

This is GitHub's bug bounty policy, not Git's, but it is definitely an
intended feature in Git and not a bug.  I should point out that they are
separate and independent.

> For example, let's assume I have push access to some repository called
> AAA, and my email address is abc@xyz.com. I can simply edit
> ~/.gitconfig on my system and set the email address as some other
> person's email address: def@pqr.com. Then, I make some changes in my
> local repository and commit them (reminder: it's with the email
> address def@pqr.com since git tracks commits by email address). Now,
> if I try to push to the remote repository, it asks for the username
> and password. I put mine and since I have push access to AAA, it goes
> through. I've successfully pushed commits on behalf of the owner of
> the email address: def@pqr.com.
> 
> So basically, in this way, I can impersonate people and add commits on
> their behalf. BUT AGAIN, this is not considered a vulnerability (link
> for reason attached before).

In the Git project, users send patches to a mailing list and those
patches are applied by a maintainer.  When the maintainer applies them,
they contain the user's identification and therefore are attributed to
that user as the author.  This is a common workflow in patch-based
projects.

Disallowing people from pushing commits that contain another email
address would prevent the maintainer from pushing commits authored by
others, so Git doesn't do that, although it can be configured with push
certificates and a hook if you like.

If you are asking why GitHub attributes commits based on email, you'd
have to ask them.  However, be aware that there are projects that are
concerned about commit spoofing, especially corporate projects in
regulated industries, and the way to handle that is to use and require
commit signing.

> My question:
> It would be much easier if git didn't allow changing the email address
> so easily. Why hasn't git implemented OAuth, or something of that
> sort, for every time that the email address is changed in
> ~/.gitconfig, yet?

This is a local configuration file, so asking someone to implement OAuth
to change a local configuration file wouldn't be helpful.  Many Git
servers are, for example, SSH only, and so OAuth isn't even a
possibility.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204