Re: [RFC PATCH 0/2] Allow adding .git files and directories

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 19 Aug 2020 14:47:18 -0400
"Randall S. Becker" <rsbecker@xxxxxxxxxxxxx> wrote:

> On August 19, 2020 2:04 PM, Junio C Hamano
> > To: Lukas Straub <lukasstraub2@xxxxxx>
> > Cc: git <git@xxxxxxxxxxxxxxx>; Elijah Newren <newren@xxxxxxxxx>;
> > Brandon Williams <bwilliams.eng@xxxxxxxxx>; Johannes Schindelin
> > <Johannes.Schindelin@xxxxxx>; Jeff King <peff@xxxxxxxx>
> > Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories
> > 
> > Lukas Straub <lukasstraub2@xxxxxx> writes:
> >   
> > > These patches allow this and work well in a quick test. Of course some
> > > tests fail because with this the handling of nested git repos changed.  
> > 
> > In other words, this breaks the workflow existing users rely on, right?  I  
> do
> > not know if such a behaviour ever needs to exist even as an opt-in  
> feature,
> > but it definitely feels wrong to make the behaviour these patches  
> introduce
> > the default.  
> 
> I am concerned about broader implications. I might be stating the obvious,
> but a key security vulnerability that would open up here is to put contents
> of files like .git/config into a repository. This capability would allow
> scripts to be introduced without the explicit knowledge of the user. While
> I'm sure some of the heavy clean/smudge users might appreciate it, this can
> represent a vector for the introduction of hostile code into an environment.
> While this enhancement seems like a good idea on the surface, if it goes
> forward, it should not be the default and should not be under the control of
> the upstream repository. You would need loads of warnings about potential
> script hazards at the very least presented to the user, beyond what is
> already documented in git. This change would not interoperate with JGit -
> not that that is a huge concern here, but heavy Jenkins and other pipeline
> users could be significantly impacted.
> 
> Just putting my CSIO hat on here. We would need a system-wide setting to
> prohibit users from using this capability.

Good catch, this is a very valid concern. So at least opt-in via git-config is needed.

Regards,
Lukas Straub

> Sincerely,
> Randall
> 
> -- Brief whoami:
>  NonStop developer since approximately 211288444200000000
>  UNIX developer since approximately 421664400
> -- In my real life, I talk too much.
> 
> 
>

Attachment: pgpqTs2MmZsRe.pgp
Description: OpenPGP digital signature

[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux