On Tue, Mar 17, 2015 at 03:28:57PM -0400, Ryan Lortie wrote:

> The first is a question about git's basic policy with respect to things
> like this. I hope that it's safe to assume that running 'git' commands
> on repositories downloaded from potentially-hostile places will never
> result in the authors of those repositories being able to run code on my
> machine.

Definitely, our policy is that downloading a git repository should not
result in arbitrary code being run. If there is a case of that, it would
be a serious security bug.

I am not an expert on submodules, but I think the security model there
is:

  1. You can do whatever you like in submodule.*.update entries in
     .git/config, including arbitrary code. Nobody but the user can
     write to it.

  2. The submodule code may migrate entries from .gitmodules into
     .git/config, but does so with an allow-known-good whitelist (see
     git-submodule.sh lines 622-637).

So AFAICT there's no bug here, and the system is working as designed.

It might be worth mentioning that restriction in the submodule
documentation, if only to prevent non-malicious people from wondering
why adding "!foo" does not work in .gitmodules.

> If that is true then, the second request would be to spell this out more
> explicitly in the relevant documentation. I'm happy to write a patch to
> do that, if it is deemed appropriate.

Yeah, spelling out the security model more explicitly would be good.
There is also some subtlety around hooks. Doing:

  git clone user@host:/path/to/repo.git local

should never run code controlled by "repo.git" as "user@host". But
doing:

  ssh user@host 'cd /path/to/repo.git && git log'

will respect the .git/config in repo.git, which may include arbitrary
commands.

-Peff
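Added example (not part of the original message, and not git's own code): a Python sketch of the allow-list migration described in point 2, showing what would be copied into .git/config for each submodule.*.update entry in a .gitmodules file. The mode list (checkout, rebase, merge, none), the simplified parser, the function names and the sample file are assumptions made for illustration; check the list against the git-submodule.sh you actually run.

```python
import re

# Assumed known-good update modes; confirm against your git-submodule.sh.
KNOWN_UPDATE_MODES = {"checkout", "rebase", "merge", "none"}

_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def parse_update_entries(text):
    """Return [(submodule_name, update_value)] from .gitmodules text.

    Simplified parser: no multi-line values, escapes or inline comments.
    """
    entries, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
        elif line.lstrip().startswith("["):
            current = None  # some other section, e.g. [core]
        elif current is not None:
            kv = _KEYVAL.match(line)
            if kv and kv.group(1).lower() == "update":
                entries.append((current, kv.group(2).strip('"')))
    return entries

def migrate_update(value):
    """Return (value copied into .git/config, warning or None)."""
    if value in KNOWN_UPDATE_MODES:
        return value, None
    # Anything else, including "!command" forms, is not copied as-is.
    return "none", f"unknown update mode {value!r} suggested; using 'none'"

def audit(text):
    """Map each submodule name to (migrated_value, warning)."""
    return {name: migrate_update(val) for name, val in parse_update_entries(text)}

# Constructed sample .gitmodules, not taken from any real repository.
SAMPLE = '''
[submodule "libfoo"]
    url = https://example.com/libfoo.git
    update = rebase
[submodule "tools"]
    url = https://example.com/tools.git
    update = !foo
'''

if __name__ == "__main__":
    for name, (mode, warning) in audit(SAMPLE).items():
        print(f"{name}: update={mode}" + (f"  # {warning}" if warning else ""))
```

Run over an untrusted checkout's .gitmodules, any entry that comes back with a warning is one whose value differs from what the repository author asked for.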