git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Taylor Blau <me@ttaylorr.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: "Emily Shaffer" <emilyshaffer@google.com>,
	"Taylor Blau" <me@ttaylorr.com>,
	"Glen Choo" <chooglen@google.com>,
	"Git List" <git@vger.kernel.org>,
	justin@justinsteven.com,
	"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
	"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
	"Derrick Stolee" <derrickstolee@github.com>,
	"brian m. carlson" <sandals@crustytoothpaste.net>,
	"Randall S. Becker" <rsbecker@nexbridge.com>
Subject: Re: Bare repositories in the working tree are a security risk
Date: Thu, 21 Apr 2022 14:54:43 -0400	[thread overview]
Message-ID: <YmGoc8gwB3W/cfHM@nand.local> (raw)
In-Reply-To: <xmqq4k2mi88p.fsf@gitster.g>

On Thu, Apr 21, 2022 at 11:47:34AM -0700, Junio C Hamano wrote:
> Emily Shaffer <emilyshaffer@google.com> writes:
>
> > Ah, another thing I forgot to mention. There has been a little
> > discussion in the past about isolating "safe" parts of config (and
> > gitdir) from "unsafe" parts, e.g. "which configs and embedded scripts
> > are executables", to help better protect from zipfile-type attacks,
> > which are very similar to this kind of attack. I wonder if it makes
> > sense to consider that sort of thing as a needswork for this bugfix?
> > e.g. "/* NEEDSWORK: Only ignore unsafe configs and hooks instead of
> > ignoring the entire embedded config and hooks in the future */"?
>
> There have been such discussions in the past and they all went
> nowhere because such safe-listing fundamentally does not work.  What
> you consider "safe" today may turn out to be "unsafe" and in a later
> version of Git will stop honoring it, and for those who depended on
> it being listed as "safe", such a security fix will be a regression.
>
> Disabling the whole thing if the file can be tainted is the only
> sensible way forward without promising users that they will be hurt
> by such changes/regressions in the future, I would think.

I assume when Junio says "safe-listing" he is talking about your "which
configs and embedded scripts are executables". I have tossed that idea
around in my own head for a little while, and in addition to the points
that Junio refers to, I think that this could be confusing for users.

I worry about forcing the user to consider which parts of their
config and hooks are being read/ignored, and then re-interpret their
meaning in light of that.

That seems like it would be an unnecessarily tricky position to put
users in, and I think we could get around it by either reading the
config/hooks, or ignoring them entirely.

(It also seems error-prone to me: just trying to list which parts of our
config could lead to command-execution is challenging for me at least.
In addition to the ongoing maintenance cost, a clever attacker would
almost certainly be able to spot some obscure piece of config that we
didn't consider and then use it in their attack.)

Thanks,
Taylor

  reply	other threads:[~2022-04-21 18:55 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-06 22:43 Glen Choo
2022-04-06 23:22 ` [PATCH] fsck: detect bare repos in trees and warn Glen Choo
2022-04-07 12:42   ` Johannes Schindelin
2022-04-07 13:21     ` Derrick Stolee
2022-04-07 14:14       ` Ævar Arnfjörð Bjarmason
2022-04-14 20:02         ` Glen Choo
2022-04-15 12:46           ` Ævar Arnfjörð Bjarmason
2022-04-07 15:11       ` Junio C Hamano
2022-04-13 22:24       ` Glen Choo
2022-04-07 13:12   ` Ævar Arnfjörð Bjarmason
2022-04-07 15:20   ` Junio C Hamano
2022-04-07 18:38 ` Bare repositories in the working tree are a security risk John Cai
2022-04-07 21:24 ` brian m. carlson
2022-04-07 21:53   ` Justin Steven
2022-04-07 22:10     ` brian m. carlson
2022-04-07 22:40       ` rsbecker
2022-04-08  5:54       ` Junio C Hamano
2022-04-14  0:03         ` Junio C Hamano
2022-04-14  0:04         ` Glen Choo
2022-04-13 23:44       ` Glen Choo
2022-04-13 20:37 ` Glen Choo
2022-04-13 23:36   ` Junio C Hamano
2022-04-14 16:41     ` Glen Choo
2022-04-14 17:35       ` Junio C Hamano
2022-04-14 18:19         ` Junio C Hamano
2022-04-15 21:33         ` Glen Choo
2022-04-15 22:17           ` Junio C Hamano
2022-04-16  0:52             ` Taylor Blau
2022-04-15 22:43           ` Glen Choo
2022-04-15 20:13       ` Junio C Hamano
2022-04-15 23:45         ` Glen Choo
2022-04-15 23:59           ` Glen Choo
2022-04-16  1:00           ` Taylor Blau
2022-04-16  1:18             ` Junio C Hamano
2022-04-16  1:30               ` Taylor Blau
2022-04-16  0:34 ` Glen Choo
2022-04-16  0:41 ` Glen Choo
2022-04-16  1:28   ` Taylor Blau
2022-04-21 18:25     ` Emily Shaffer
2022-04-21 18:29       ` Emily Shaffer
2022-04-21 18:47         ` Junio C Hamano
2022-04-21 18:54           ` Taylor Blau [this message]
2022-04-21 19:09       ` Taylor Blau
2022-04-21 21:01         ` Emily Shaffer
2022-04-21 21:22           ` Taylor Blau
2022-04-29 23:57     ` Glen Choo
2022-04-30  1:14       ` Taylor Blau
2022-05-02 19:39         ` Glen Choo
2022-05-02 14:05       ` Philip Oakley
2022-05-02 18:50         ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YmGoc8gwB3W/cfHM@nand.local \
    --to=me@ttaylorr.com \
    --cc=Johannes.Schindelin@gmx.de \
    --cc=avarab@gmail.com \
    --cc=chooglen@google.com \
    --cc=derrickstolee@github.com \
    --cc=emilyshaffer@google.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=justin@justinsteven.com \
    --cc=rsbecker@nexbridge.com \
    --cc=sandals@crustytoothpaste.net \
    --subject='Re: Bare repositories in the working tree are a security risk' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).