Re: Storing private config files in .git directory?

On Thu, Jan 11, 2024 at 02:28:51PM +0100, Stefan Haller wrote:

> On 10.01.24 12:08, Jeff King wrote:
> > On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote:
> > 
> >> An obvious alternative is to have .lazygit directory next to .git directory
> >> which would give you a bigger separation, which can cut both ways.
> > 
> > Just to spell out one of those ways: unlike ".git", we will happily
> > check out ".lazygit" from an untrusted remote repository. That may be a
> > feature if you want to be able to share project-specific config, or it
> > might be a terrible security vulnerability if lazygit config files can
> > trigger arbitrary code execution.
> 
> Unless you don't version it and add it to .gitignore instead, which (I
> suppose) is what most people do with their .vscode/settings.json, for
> example.

A .gitignore will help with people accidentally adding their .lazygit
directory. What I meant, though, was somebody _intentionally_ creating a
malicious repository that would then execute arbitrary code when the
victim cloned it. We prevent that from happening with .git/config
because there's special handling that refuses to check out the name
".git" (or other filesystem-equivalent names). But ".lazygit" would not
have that same protection.

-Peff
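The protection Peff describes is the path check git applies to every tree entry before writing it to the working tree: a component that would resolve to ".git" on some filesystem is refused, so a cloned repository can never supply its own .git/config or hooks. The following is an added example, not code from git or lazygit, that approximates that check in Python (modelled on git's verify_path(), is_ntfs_dotgit() and is_hfs_dotgit(); the function names and the sample tree here are this example's own). It also shows the flip side of the argument: ".lazygit" passes the same check untouched.

```python
# Added example (not git's own code): an approximation of the per-component
# check git performs at checkout, modelled on verify_path(), is_ntfs_dotgit()
# and is_hfs_dotgit() in git's source.  Function names are this example's own.

# Code points HFS+ ignores when normalising file names, so ".g\u200cit" and
# ".git" name the same directory on such a volume (list as used by git's utf8.c).
HFS_IGNORED_CODEPOINTS = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def is_dotgit_component(component: str) -> bool:
    """True if a single path component would resolve to '.git' on some filesystem."""
    # Case-insensitive filesystems (NTFS, default HFS+/APFS): ".GIT" is ".git".
    lowered = component.lower()
    if lowered == ".git":
        return True
    # NTFS silently strips trailing dots and spaces, and exposes the 8.3 short
    # name "GIT~1" for a directory really called ".git".
    ntfs = lowered.rstrip(". ")
    if ntfs in (".git", "git~1"):
        return True
    # HFS+ drops the ignorable code points above before comparing names.
    hfs = "".join(ch for ch in lowered if ord(ch) not in HFS_IGNORED_CODEPOINTS)
    return hfs == ".git"


def verify_path(path: str) -> bool:
    """True if a git-style checkout would accept this tree path, False if refused."""
    # git treats a backslash as a directory separator on Windows; be conservative
    # and treat it as one everywhere, so "sub\.git\config" is caught too.
    normalised = path.replace("\\", "/")
    return not any(is_dotgit_component(c) for c in normalised.split("/") if c)


def partition_tree(entries):
    """Split tree entries into (refused, checked_out), as a checkout would."""
    refused = [p for p in entries if not verify_path(p)]
    checked_out = [p for p in entries if verify_path(p)]
    return refused, checked_out


# Constructed tree listing of a hypothetical malicious repository (not real data).
MALICIOUS_TREE = [
    ".git/config",                  # plain attempt at a repo-level config
    ".GIT/hooks/post-checkout",     # case variant
    "git~1/config",                 # NTFS 8.3 short name
    ".git./config",                 # NTFS strips the trailing dot
    ".g\u200cit/hooks/pre-commit",  # HFS+ ignorable ZERO WIDTH NON-JOINER
    "sub\\.git\\config",            # backslash separator (Windows)
    ".lazygit/config.yml",          # NOT covered by the check
    ".vscode/settings.json",        # NOT covered by the check
    "src/main.c",
]

if __name__ == "__main__":
    refused, checked_out = partition_tree(MALICIOUS_TREE)
    for p in refused:
        print(f"refused:     {p!r}")
    for p in checked_out:
        print(f"checked out: {p!r}")
```

Running it prints the first six entries as refused and the last three as checked out: the special handling only knows about ".git" and names that alias it, so a tool that reads its own executable configuration from a sibling directory such as ".lazygit" has to provide its own trust decision, exactly as the thread argues. The real git check also covers a few more names (.gitmodules and its aliases, for instance); this example is deliberately limited to the ".git" case discussed above.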



