On Fri, Oct 28, 2016 at 11:17:26AM +1300, Aaron Pelly wrote:

> On 28/10/16 10:55, Aaron Pelly wrote:
> > 2) I fetch a repo with a hostile ignore file. It includes files from
> > $GIT_DIR/test-data/ssl/private or some such. Change. Don't pay
> > attention. Commit. Push. Problems if my test data comes from production.
> >
> > Is this mitigated currently?
> >
> > Not that git should be an enabler, but surely it falls on the user of
> > untrusted software to ensure their own security?
>
> Balls, I meant $GIT_WORK_TREE not $GIT_DIR

I was going to ask what you meant by "currently" here, as we do not yet
have an include mechanism, and generally things in the repository are
fair game. But I guess you mean that there could be untracked files even
inside the repository.

I'm not too worried about that in general. You have to be careful of a
lot of things inside the repository, like running "make" on malicious
code. Adding "don't stick secret files inside the repository, even
untracked", does seem like another sensible precaution.

The main thing with malicious repositories is that basic inspection like
"git clone $remote && git log" should not execute arbitrary code, leak
information, etc.

-Peff