From: Shreya Malviya <shreya.malviya@gmail.com>
To: git@vger.kernel.org
Subject: Question: Setting the Email Address in ~/.gitconfig
Date: Fri, 12 Jun 2020 02:55:45 +0530
Message-ID: <CAEqpqjGNANrCX0wMDUP+dZ+_PdMveSJf6XFyiCpJdUH5t6jXvw@mail.gmail.com>

Hi!


I was playing around with git when I realized that it's possible for
me to commit something to a repository as another user (explained a
scenario below for a better understanding of what I mean) and it is
not considered a security vulnerability, understandably so
(https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

For example, let's assume I have push access to some repository called
AAA, and my email address is abc@xyz.com. I can simply edit
~/.gitconfig on my system and set the email address as some other
person's email address: def@pqr.com. Then, I make some changes in my
local repository and commit them (reminder: it's with the email
address def@pqr.com since git tracks commits by email address). Now,
if I try to push to the remote repository, it asks for the username
and password. I put mine and since I have push access to AAA, it goes
through. I've successfully pushed commits on behalf of the owner of
the email address: def@pqr.com.

So basically, in this way, I can impersonate people and add commits on
their behalf. BUT AGAIN, this is not considered a vulnerability (link
for reason attached before).

My question:
It would be much easier if git didn't allow changing the email address
so easily. Why hasn't git implemented OAuth, or something of that
sort, for every time that the email address is changed in
~/.gitconfig, yet?


Shreya Malviya
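The scenario above rests on the fact that the author e-mail on a commit is whatever the committer's configuration says it is; push authentication proves who had write access, not who the author field names. The check a defender can actually make is on signature status rather than on the e-mail field. The script below is an added example, not part of the original message or of git itself: it parses constructed lines in the shape that `git log --format='%H%x09%G?%x09%ae%x09%GS'` produces (tab-separated: commit hash, signature status, author e-mail, signer string), and rates each commit against an assumed set of trusted signer addresses. The hashes, addresses and trusted set are all made up for the example.

```python
"""Rate git commits by signature status rather than by the author e-mail.

Added example (not the poster's or git's code). Input is assumed to come
from:  git log --format='%H%x09%G?%x09%ae%x09%GS'
%G? values (as documented by git): G good, B bad, U good but untrusted key,
X/Y good but expired key/signature, R revoked key, E cannot check, N none.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Format string the log text is assumed to have been produced with.
LOG_FORMAT = "%H%x09%G?%x09%ae%x09%GS"

EMAIL_IN_ANGLE = re.compile(r"<([^>]+)>")


@dataclass
class Finding:
    sha: str
    author_email: str
    verdict: str  # "ok" or the reason the author claim should not be trusted


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split tab-separated log lines into (sha, status, author, signer)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 3:
            raise ValueError(f"malformed log line: {line!r}")
        sha, status, author = parts[:3]
        signer = parts[3] if len(parts) > 3 else ""
        records.append((sha, status, author, signer))
    return records


def signer_email(signer_field: str) -> str:
    """Extract the address from a '%GS' string such as 'Name <addr>'."""
    match = EMAIL_IN_ANGLE.search(signer_field)
    return match.group(1).lower() if match else ""


def audit(text: str, trusted_signers: Set[str]) -> List[Finding]:
    """Decide, per commit, whether the author e-mail is backed by a signature."""
    findings = []
    for sha, status, author, signer in parse_log(text):
        author = author.lower()
        if status == "G":
            who = signer_email(signer)
            if who not in trusted_signers:
                verdict = f"good signature but key {who or '?'} is not in the trusted set"
            elif who != author:
                # The poster's scenario: a legitimate key, a borrowed author address.
                verdict = f"signed by {who} but author claims {author}"
            else:
                verdict = "ok"
        elif status == "N":
            verdict = "unsigned: author email is an unverified claim"
        elif status == "U":
            verdict = "good signature from a key that is not trusted"
        elif status == "B":
            verdict = "bad signature"
        elif status in ("X", "Y"):
            verdict = "good signature but the key or signature has expired"
        elif status == "R":
            verdict = "good signature but the key is revoked"
        elif status == "E":
            verdict = "signature could not be checked (missing key?)"
        else:
            verdict = f"unknown signature status {status!r}"
        findings.append(Finding(sha, author, verdict))
    return findings


# Constructed sample log (fake hashes and addresses; the third line models
# a commit signed with abc@xyz.com's key but authored as def@pqr.com).
SAMPLE_LOG = "\n".join([
    "\t".join(["a1b2c3d4", "G", "abc@xyz.com", "Alice Example <abc@xyz.com>"]),
    "\t".join(["e5f6a7b8", "N", "def@pqr.com", ""]),
    "\t".join(["c9d0e1f2", "G", "def@pqr.com", "Alice Example <abc@xyz.com>"]),
])
TRUSTED_SIGNERS = {"abc@xyz.com"}  # assumed allowlist for the example

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, TRUSTED_SIGNERS):
        print(f"{finding.sha} {finding.author_email}: {finding.verdict}")
```

On a real repository the same function can be fed the output of `git log --format="$LOG_FORMAT"`; the point it makes is that an unsigned commit carries no evidence about its author at all, and even a good signature only vouches for the key holder, who may or may not be the person named in the author field.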

Thread overview (3+ messages):
2020-06-11 21:25 Shreya Malviya [this message]
2020-06-11 22:52 ` Question: Setting the Email Address in ~/.gitconfig brian m. carlson
2020-06-13  0:16   ` Aaron Schrab
