On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote: > > On Wed, May 15 2019, Martin Langhoff wrote: > > > Spotted this on the internet... > > > > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/ > > > > Haven't hacked on git for a while, and I am not affiliated with any of > > the stakeholders. However, reading it, I wanted to slam my head on the > > desk. > > > > IIRC, git will sanely store a password elsewhere if it gets to prompt > > for it. Should we be trying to unpack usernames/passwords from HTTP > > urls, and DTRT with them? > > > > Are there other ways this could be made better? > > I think we should do nothing. I think so, too. But just brainstorming, one thing we _could_ do is issue a warning when we see a password in a URL and say "hey, what you're doing isn't fantastic; considering using a credential helper". Of course I suspect there are many cases where people _do_ need to store the password in plaintext, because an automated system needs to fetch with it. They can use the plaintext git-credential-store, but it's slightly more hassle. And it doesn't really _solve_ the problem (though perhaps it would be harder to accidentally expose it with your web server!). > Or, for GitLab/GitHub etc. to discourage use of https API tokens in > favor of SSH deploy keys. OpenSSH goes out of its way to not allow you > to provide paswords in URLs, on the command-line etc. in anticipation of > exactly this sort of scenario. Even then I've seen users write say > docker images where they manage to hardcode an SSH private key in a > public image out of convenience or lazyness (say needing "git clone" > something during the image build). You can have limited-access https tokens, too. But I don't think those or deploy keys fix the fundamental problem, because that read access is sufficient. The ransom is not "give us bitcoin or we will delete your code, lock you out of your account, etc". Those things can easily be fixed by complaining to the service provider, who has backups. The ransom is "give me bitcoin or I will share your code with the world". So whatever token the server has to do a fetch is enough to steal the code (though I think deploy keys can be repo-specific, and I'm not sure if http tokens are; that expands the attack to _all_ of the user's repos, not just the one the server cares about). I don't know how many people who git by this actually even want to fetch to the server, though. They might just have blindly rsync'd up their local checkout, and the deploy server actually never needed to know about git in the first place. -Peff
