Re: Can Git repos be hacked or otherwise manipulated?

On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote:

> Let's say you're working with a team of elite hackers, passing a
> tarball of a Git repo back and forth as you complete your mission. Now
> let's say one of them has malicious intent. What are the possibilities
> that he or she can, for instance, hide changes made to a script or
> binary that does something malicious if executed? Or perhaps maybe
> there are other such scenarios one should be made aware of?

It is absolutely not safe to run Git commands from a tarball of an
untrusted repo. There are many ways to execute arbitrary code specified
by a config option, and you'd be getting the recipient's .git/config.
Likewise for hooks.

And while we would consider it a bug if you can trigger a memory error
by reading a corrupted or malicious on-disk file, that's gotten _way_
less auditing than the code paths which take in objects from a remote.
So e.g., I would not be surprised if there are vulnerabilities that
could cause out-of-bounds reads of a corrupted .git/index.

-Peff
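Checking a received tarball before pointing git at it, as an added example (not Peff's code and not part of git): a POSIX shell audit that flattens .git/config with awk and reports settings whose values git would execute, plus any live hook, without running git inside the untrusted tree. The list of config keys is an assumption about which settings matter most, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the mail): audit an extracted, untrusted repo for
# the two hazards named above, config options that run commands and hooks,
# without running git inside it. Key list is an assumption, not exhaustive.
audit_untrusted_repo() {
    dir=$1; findings=0; tab=$(printf '\t'); flat=$(mktemp)
    # Flatten the INI-like config to "section.subsection.key<TAB>value" lines.
    # Values never pass through shell expansion: awk writes them to a file.
    awk '
        /^[[:space:]]*([#;].*)?$/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            n = index(s, " ")
            if (n) { ss = substr(s, n + 1); gsub(/"/, "", ss); sec = tolower(substr(s, 1, n - 1)) "." ss }
            else   { sec = tolower(s) }
            next
        }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); n = index(line, "=")
            key = n ? substr(line, 1, n - 1) : line; val = n ? substr(line, n + 1) : "true"
            sub(/[[:space:]]+$/, "", key); sub(/^[[:space:]]+/, "", val)
            print sec "." tolower(key) "\t" val
        }' "$dir/.git/config" > "$flat" 2>/dev/null || :
    # Real git settings whose value is executed or points at code git will run.
    while IFS=$tab read -r key val; do
        case "$key" in
            core.fsmonitor|core.hookspath|core.pager|core.editor|core.sshcommand|core.gitproxy|core.askpass|\
            diff.external|diff.*.command|diff.*.textconv|filter.*.clean|filter.*.smudge|filter.*.process|\
            merge.*.driver|gpg.program|credential.helper|credential.*.helper)
                printf 'config: %s = %s\n' "$key" "$val"; findings=$((findings + 1)) ;;
            alias.*)  # an alias whose value starts with '!' is a shell command
                case "$val" in '!'*) printf 'config: shell alias %s = %s\n' "$key" "$val"; findings=$((findings + 1)) ;; esac ;;
        esac
    done < "$flat"
    rm -f "$flat"
    # Any non-sample file in .git/hooks is a script git would run on its own.
    for h in "$dir/.git/hooks"/*; do
        [ -f "$h" ] || continue
        case "$h" in *.sample) continue ;; esac
        printf 'hook: %s\n' "${h#"$dir"/}"; findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was found
}
if [ $# -gt 0 ]; then audit_untrusted_repo "$1"; fi
```

Run it as `sh audit.sh /path/to/extracted/repo`; a non-zero exit means something in the tree would have driven git to execute code.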