"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> On 2024-01-10 at 12:05:31, Jeff King wrote:
>> My thinking is to flip that around: run all code, but put protection in
>> the spots that do unsafe things, like loading config or examining
>> hooks. I.e., a patch like this:
>
> I think that's much what I had intended to do with not invoking binaries
> at all, except that it was limited to rev-parse. I wonder if perhaps we
> could do something similar if we had the `--assume-unsafe` argument you
> proposed, except that we would only allow the `git` binary and always
> pass that argument to it in such a case.
>
> I don't think reading config is intrinsically unsafe; it's more of what
> we do with it, which is spawning external processes, that's the problem.
> I suppose an argument could be made for injecting terminal sequences or
> such, though. Hooks, obviously, are definitely unsafe.

Sure. And we allow the location of hook programs to be specified as
configuration variable values, which would make the config even more
dangerous X-<.
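The point made in the last two messages, that a repository's own config can redirect where hooks are loaded from, so that even "just reading config" becomes dangerous once git acts on it, can be checked from the outside without invoking git at all. The script below is an added example and not code from the thread or from git itself: it reads `.git/config` and the hooks directory with plain file I/O, flags a configured `core.hooksPath` (a real git key; a relative value is taken here as relative to the working tree, which is how git treats it for a non-bare repository), and lists active (non-`.sample`, executable) hook scripts. The simplified config parser, the function names and the sample repository it builds in a temporary directory are all constructed for this example.

```python
"""Pre-flight audit of an untrusted Git checkout that never runs git.

Added example, not from the mailing-list thread or from git. Before any
git command is run inside a repository you did not create, read its
on-disk config and hook directory with plain file I/O and report the
settings the thread calls out as dangerous: a configured hook location
(core.hooksPath) and any active hook scripts.
"""
import os
import re
import tempfile

# '[section]' or '[section "subsection"]' header.
_SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
# 'key = value' or a bare 'key' (which git reads as the boolean true).
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Parse the subset of git config syntax found in ordinary repositories.

    Returns {"section.key" or "section.sub.key" (lowercased): [values]}.
    Simplified on purpose: include directives, quoted values and line
    continuations are not handled, and a '#' or ';' anywhere starts a
    comment. It is a read-only triage parser, not a replacement for git's.
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            key = section + "." + m.group(1).lower()
            val = m.group(2)
            values.setdefault(key, []).append("true" if val is None else val.strip())
    return values


def audit_repo(repo_dir):
    """Report hook-related risk in `repo_dir` without executing anything."""
    git_dir = os.path.join(repo_dir, ".git")
    findings = []
    config = {}
    cfg_path = os.path.join(git_dir, "config")
    if os.path.isfile(cfg_path):
        with open(cfg_path, encoding="utf-8", errors="replace") as fh:
            config = parse_git_config(fh.read())

    hooks_dir = os.path.join(git_dir, "hooks")  # git's default location
    hooks_path = config.get("core.hookspath")
    if hooks_path:
        # Last occurrence wins, as with git's own multi-valued lookups.
        configured = hooks_path[-1]
        findings.append("core.hooksPath is set to %r: hooks are loaded from there"
                        % configured)
        hooks_dir = configured if os.path.isabs(configured) \
            else os.path.join(repo_dir, configured)

    active = []
    if os.path.isdir(hooks_dir):
        for name in sorted(os.listdir(hooks_dir)):
            path = os.path.join(hooks_dir, name)
            # git ignores the shipped *.sample files and non-executables.
            if name.endswith(".sample") or not os.path.isfile(path):
                continue
            if os.access(path, os.X_OK):
                active.append(name)
                findings.append("active hook %r in %s would run on the matching "
                                "git operation" % (name, hooks_dir))
    return {"config": config, "hooks_dir": hooks_dir,
            "active_hooks": active, "findings": findings}


def build_sample_repo(base):
    """Write a constructed checkout whose config redirects the hook directory."""
    git_dir = os.path.join(base, ".git")
    os.makedirs(os.path.join(git_dir, "hooks"))
    vendored = os.path.join(base, "vendored-hooks")
    os.makedirs(vendored)
    with open(os.path.join(git_dir, "config"), "w") as fh:
        fh.write('[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n'
                 '\t# point git at a hook directory shipped inside the checkout\n'
                 '\thooksPath = vendored-hooks\n'
                 '[remote "origin"]\n\turl = https://example.invalid/repo.git\n')
    hook = os.path.join(vendored, "post-checkout")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho hook ran\n")
    os.chmod(hook, 0o755)
    with open(os.path.join(vendored, "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\n")  # inert sample, must not be reported
    return base


def run_demo():
    """Build the constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    report = run_demo()
    for finding in report["findings"]:
        print("WARNING:", finding)
    print("active hooks:", report["active_hooks"])
```

Because the parser only reads bytes and the hook check only stats files, the audit is safe to run against a checkout whose contents are assumed hostile; a non-empty `findings` list is the signal to treat the repository as untrusted before any git command that might consult config or fire a hook.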