On Wed, 19 Aug 2020 14:47:18 -0400 "Randall S. Becker" <rsbecker@xxxxxxxxxxxxx> wrote: > On August 19, 2020 2:04 PM, Junio C Hamano > > To: Lukas Straub <lukasstraub2@xxxxxx> > > Cc: git <git@xxxxxxxxxxxxxxx>; Elijah Newren <newren@xxxxxxxxx>; > > Brandon Williams <bwilliams.eng@xxxxxxxxx>; Johannes Schindelin > > <Johannes.Schindelin@xxxxxx>; Jeff King <peff@xxxxxxxx> > > Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories > > > > Lukas Straub <lukasstraub2@xxxxxx> writes: > > > > > These patches allow this and work well in a quick test. Of course some > > > tests fail because with this the handling of nested git repos changed. > > > > In other words, this breaks the workflow existing users rely on, right? I > do > > not know if such a behaviour ever needs to exist even as an opt-in > feature, > > but it definitely feels wrong to make the behaviour these patches > introduce > > the default. > > I am concerned about broader implications. I might be stating the obvious, > but a key security vulnerability that would open up here is to put contents > of files like .git/config into a repository. This capability would allow > scripts to be introduced without the explicit knowledge of the user. While > I'm sure some of the heavy clean/smudge users might appreciate it, this can > represent a vector for the introduction of hostile code into an environment. > While this enhancement seems like a good idea on the surface, if it goes > forward, it should not be the default and should not be under the control of > the upstream repository. You would need loads of warnings about potential > script hazards at the very least presented to the user, beyond what is > already documented in git. This change would not interoperate with JGit - > not that that is a huge concern here, but heavy Jenkins and other pipeline > users could be significantly impacted. > > Just putting my CSIO hat on here. We would need a system-wide setting to > prohibit users from using this capability. Good catch, this is a very valid concern. So at least opt-in via git-config is needed. Regards, Lukas Straub > Sincerely, > Randall > > -- Brief whoami: > NonStop developer since approximately 211288444200000000 > UNIX developer since approximately 421664400 > -- In my real life, I talk too much. > > >
Attachment:
pgpqTs2MmZsRe.pgp
Description: OpenPGP digital signature