Re: Git 2.45.1 - What is the right way to clone with global hooks disabled?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi Junio,

On Thu, 16 May 2024, Junio C Hamano wrote:

> Johannes Schindelin <Johannes.Schindelin@xxxxxx> writes:
> > I plan on sending out a patch series later either today or tomorrow to
> > address a couple of regressions introduced by v2.45.1, and this patch
> > would address your specific scenario:
> >
> > -- snip --
> > diff --git a/config.c b/config.c
> > index 85b37f2ee09..380f7777a6e 100644
> > --- a/config.c
> > +++ b/config.c
> > @@ -1527,6 +1527,7 @@ static int git_default_core_config(const char *var, const char *value, void *cb)
> >
> >  	if (!strcmp(var, "core.hookspath")) {
> >  		if (current_config_scope() == CONFIG_SCOPE_LOCAL &&
> > +		    (!value || (*value && strcmp(value, "/dev/null"))) &&
> >  		    git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0))
> >  			die(_("active `core.hooksPath` found in the local "
> >  			      "repository config:\n\t%s\nFor security "
> This does not make much sense to me.  Why is /dev/null so special,
> compared to say /etc/passwd?
> I do think the defence-in-depth aspect of the other half of what
> went into 2.45.1 and friends, around the "hooks" theme has merit,
> i.e. "any activated hooks in the resulting $GIT_DIR/hooks/ directory
> that is different from what came from the templates directory is
> suspicious".  It has a plausible attack scenario to realize such a
> suspicious configuration by using directory name munging and other
> tricks to confuse "git clone" into thinking what the repository sent
> as a part of its payload belongs to $GIT_DIR/.  It did have fallout
> as the way "git lfs" mucked with user repository's metadata by
> abusing the overly wide trust the user gave to its smudge filter [*]
> crashed directly with the reasoning behind the "hooks must match
> template" protection, which is "Until the clone finishes and gives
> control back to the end user, external influence like hooks must not
> muck with the contents checked out without user's knowledge and
> consent before the user has a chance to inspect the resulting
> repository".  And it is a reasonable expectation to have when
> cloning a repository that has not proven to be trustworthy.  So
> instead of throwing the protection with bathwater, we should add a
> reasonable (i.e. easy to use for "git lfs" developers to follow)
> escape hatch that is a bit more nuanced than "rip out the whole
> protection" revert or "disable all of the GIT_CLONE_PROTECTION
> mechanisms" escape hatch 2.45.1 and friends had.
> But I cannot quite tell what the threat model this "core.hookspath"
> one is trying to protect against.

My thinking was this: if, for whatever reason, it is possible for a `git
clone` to write to the Git directory during a clone (and I had those
submodules and recursive clones in mind, in particular), then an attacker
can not only manipulate Git into writing into the `hooks/` directory, but
they can also reroute `core.hooksPath`. And if we ignore the latter, the
former protections can be side-stepped rather easily.

> If some attacker manages to muck with the configuration file, it is
> already game over, and they have better ways than pointing your
> hookspath to other places to take advantage of their ability to write to
> your configuration file to attack you.

Hmm. You have a good point there. The aforementioned `smudge` filter would
be a prime target.

> So, my recommendation for this one is to just rip the whole new
> logic added in 2.45.1 and friends out of the "core.hookspath"
> handling.

I guess that's the easier path for now.

We should seriously think about better ways to protect against config
manipulations during clone operations, though. In particular with the
current state of the submodule support code, recursive clones continue to
seem like highly likely target for attackers.


> [Footnote]
>  * The user most likely consented only to allow the smudge filter to
>    transform small token recorded in the object store into a large
>    blob taken from elsewhere, which means it can read from the
>    object store and write to the working tree, but the user may not
>    necessarily agreed to give it full read/write/delete/create
>    control over anything in $GIT_dir/ or in the configuration files.

[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux