On 2024-01-10 at 12:05:31, Jeff King wrote:
> My thinking is to flip that around: run all code, but put protection in
> the spots that do unsafe things, like loading config or examining
> hooks. I.e., a patch like this:

I think that's much what I had intended to do with not invoking binaries at all, except that it was limited to rev-parse.

I wonder if perhaps we could do something similar if we had the `--assume-unsafe` argument you proposed, except that we would only allow the `git` binary and always pass that argument to it in such a case.

I don't think reading config is intrinsically unsafe; it's more of what we do with it, which is spawning external processes, that's the problem. I suppose an argument could be made for injecting terminal sequences or such, though. Hooks, obviously, are definitely unsafe.

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA