Re: GIT Hooks and security

> 2013/10/26 Bryan Turner <bturner@xxxxxxxxxxxxx>:
> > No, the .git/hooks directory in your clone is created from your local
> > templates, installed with your Git distribution, not the remote hooks.
> > On Linux distributions, these templates are often in someplace like
> > /usr/share/git-core/templates (for normal packages), and on Windows
> > with msysgit they are in share\git-core\templates under your
> > installation directory. If you look in this directory you will see a
> > hooks directory containing the sample hooks.
> >
> > Hooks from a remote repository are never cloned. As far as I'm aware,
> > nothing from the .git directory (aside from refs and packs, of course)
> > is cloned, including configuration. Your .git directory after a clone
> > is completely new, assembled from scratch. There's nothing in the Git
> > wire protocol (currently) for moving other data like configuration or
> > hooks, and this sort of malicious code injection is one of the reasons
> > I've seen discussed on the list for why that's the case.
> >
> > Hope this helps,
> > Bryan Turner
> >
> >
> > On 26 October 2013 09:25, Olivier Revollat <revollat@xxxxxxxxx> wrote:
> >>
> >> But when someone does a "clone", he doesn't have the .git/hooks directory
> >> downloaded to his local computer? I thought so ...
> >>
> >> 2013/10/26 Junio C Hamano <gitster@xxxxxxxxx>:
> >> > Olivier Revollat <revollat@xxxxxxxxx> writes:
> >> >
> >> >> I was wondering: what if I had a "malicious" GIT repository that can
> >> >> "inject" code via the git hooks mechanism: someone clones my repo and
> >> >> some malicious code is executed when a certain GIT hook is triggered
> >> >> (for example on commit (the "prepare-commit-msg" hook))
> >> >
> >> > In that somebody else's clone, you will not have _your_ malicious
> >> > hook installed, unless that cloner explicitly does something stupid,
> >> > like copying that malicious hook.
> >>
Also, copying hooks is relatively low risk; real hackers hide exploits in
1MB configure scripts.
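As an added illustration of Bryan's point (constructed example code, not from the thread or from Git's own sources; the repository layout, the hook marker string and the `active_hooks` helper are my own), the script below installs a hook in an origin repository, clones it, and counts the active hooks in the clone, which come from the local template directory rather than from the origin:

```shell
#!/bin/sh
# Added demonstration, not code from the thread: a remote's .git/hooks are
# never transferred by "git clone"; the clone's hooks come from the local
# template directory, so an audit of a fresh clone should find no active hooks.
set -eu

# active_hooks <repo-dir>
# Print each executable, non-.sample hook in the repo's hooks directory
# (honouring core.hooksPath, which can relocate hooks), one path per line.
active_hooks() {
    repo="$1"
    hooksdir=$(git -C "$repo" config --get core.hooksPath 2>/dev/null || true)
    [ -n "$hooksdir" ] || hooksdir="$repo/.git/hooks"
    for f in "$hooksdir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$f" in *.sample) continue ;; esac
        printf '%s\n' "$f"
    done
}

# demo_hook_not_cloned
# Build an origin repo with a constructed pre-commit hook (it only prints a
# marker), clone it, and print the number of active hooks found in the clone.
demo_hook_not_cloned() {
    work=$(mktemp -d)
    origin="$work/origin"
    git init -q "$origin"
    printf '#!/bin/sh\necho HOOK-RAN-IN-ORIGIN\n' > "$origin/.git/hooks/pre-commit"
    chmod +x "$origin/.git/hooks/pre-commit"
    echo hello > "$origin/README"
    git -C "$origin" add README
    # The hook fires here, in the origin, where it was installed (output to stderr).
    git -C "$origin" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m init >&2
    git clone -q "$origin" "$work/clone"
    # Hooks in the clone come from the local templates, not from the origin.
    active_hooks "$work/clone" | wc -l | tr -d ' '
    rm -rf "$work"
}

# Stand-alone run: prints 0, the number of active hooks in the fresh clone.
demo_hook_not_cloned
```

Running `active_hooks` against an existing checkout is the quick check for the "someone copied a hook in" case Junio describes; anything it lists was put there locally, not by the remote.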