On 2020-06-11 at 21:25:45, Shreya Malviya wrote: > Hi! > > > I was playing around with git when I realized that it's possible for > me to commit something to a repository as another user (explained a > scenario below for a better understanding of what I mean) and it is > not considered a security vulnerability, understandably so > (https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address). This is GitHub's bug bounty policy, not Git's, but it is definitely an intended feature in Git and not a bug. I should point out that they are separate and independent. > For example, let's assume I have push access to some repository called > AAA, and my email address is abc@xxxxxxx. I can simply edit > ~/.gitconfig on my system and set the email address as some other > person's email address: def@xxxxxxx. Then, I make some changes in my > local repository and commit them (reminder: it's with the email > address def@xxxxxxx since git tracks commits by email address). Now, > if I try to push to the remote repository, it asks for the username > and password. I put mine and since I have push access to AAA, it goes > through. I've successfully pushed commits on behalf of the owner of > the email address: def@xxxxxxx. > > So basically, in this way, I can impersonate people and add commits on > their behalf. BUT AGAIN, this is not considered a vulnerability (link > for reason attached before). In the Git project, users send patches to a mailing list and those patches are applied by a maintainer. When the maintainer applies them, they contain the user's identification and therefore are attributed to that user as the author. This is a common workflow in patch-based projects. Disallowing people from pushing commits that contain another email address would prevent the maintainer from pushing commits authored by others, so Git doesn't do that, although it can be configured with push certificates and a hook if you like. If you are asking why GitHub attributes commits based on email, you'd have to ask them. However, be aware that there are projects that are concerned about commit spoofing, especially corporate projects in regulated industries, and the way to handle that is to use and require commit signing. > My question: > It would be much easier if git didn't allow changing the email address > so easily. Why hasn't git implemented OAuth, or something of that > sort, for every time that the email address is changed in > ~/.gitconfig, yet? This is a local configuration file, so asking someone to implement OAuth to change a local configuration file wouldn't be helpful. Many Git servers are, for example, SSH only, and so OAuth isn't even a possibility. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature
