On Thu, Apr 21, 2022 at 11:47:34AM -0700, Junio C Hamano wrote: > Emily Shaffer <emilyshaffer@xxxxxxxxxx> writes: > > > Ah, another thing I forgot to mention. There has been a little > > discussion in the past about isolating "safe" parts of config (and > > gitdir) from "unsafe" parts, e.g. "which configs and embedded scripts > > are executables", to help better protect from zipfile-type attacks, > > which are very similar to this kind of attack. I wonder if it makes > > sense to consider that sort of thing as a needswork for this bugfix? > > e.g. "/* NEEDSWORK: Only ignore unsafe configs and hooks instead of > > ignoring the entire embedded config and hooks in the future */"? > > There have been such discussions in the past and they all went > nowhere because such safe-listing fundamentally does not work. What > you consider "safe" today may turn out to be "unsafe" and in a later > version of Git will stop honoring it, and for those who depended on > it being listed as "safe", such a security fix will be a regression. > > Disabling the whole thing if the file can be tainted is the only > sensible way forward without promising users that they will be hurt > by such changes/regressions in the future, I would think. I assume when Junio says "safe-listing" he is talking about your "which configs and embedded scripts are executables". I have tossed that idea around in my own head for a little while, and in addition to the points that Junio refers to, I think that this could be confusing for users. I worry about forcing the user to consider which parts of their config and hooks are being read/ignored, and then re-interpret their meaning in light of that. That seems like it would be an unnecessarily tricky position to put users in, and I think we could get around it by either reading the config/hooks, or ignoring them entirely. (It also seems error-prone to me: just trying to list which parts of our config could lead to command-execution is challenging for me at least. In addition to the ongoing maintenance cost, a clever attacker would almost certainly be able to spot some obscure piece of config that we didn't consider and then use it in their attack.) Thanks, Taylor
