From: Jeff King <peff@peff.net>
To: Ryan Lortie <desrt@desrt.ca>
Cc: git@vger.kernel.org, Chris Packham <judge.packham@gmail.com>,
	Junio C Hamano <gitster@pobox.com>
Subject: Re: git submodule: update=!command
Date: Tue, 17 Mar 2015 15:50:31 -0400
Message-ID: <20150317195030.GA18725@peff.net>
In-Reply-To: <1426620537.1785877.241673949.72FB3B40@webmail.messagingengine.com>

On Tue, Mar 17, 2015 at 03:28:57PM -0400, Ryan Lortie wrote:

> The first is a question about git's basic policy with respect to things
> like this.  I hope that it's safe to assume that running 'git' commands
> on repositories downloaded from potentially-hostile places will never
> result in the authors of those repositories being able to run code on my
> machine.

Definitely, our policy is that downloading a git repository should not
result in arbitrary code being run. If there is a case of that, it would
be a serious security bug.

I am not an expert on submodules, but I think the security model there
is:

  1. You can do whatever you like in submodule.*.update entries in
     .git/config, including arbitrary code. Nobody but the user can
     write to it.

  2. The submodule code may migrate entries from .gitmodules into
     .git/config, but does so with an allow-known-good whitelist (see
     git-submodule.sh lines 622-637).

So AFAICT there's no bug here, and the system is working as designed.
It might be worth mentioning that restriction in the submodule
documentation, if only to prevent non-malicious people from wondering
why adding "!foo" does not work in .gitmodules.

> If that is true then, the second request would be to spell this out more
> explicitly in the relevant documentation.  I'm happy to write a patch to
> do that, if it is deemed appropriate.

Yeah, spelling out the security model more explicitly would be good.
There is also some subtlety around hooks. Doing:

  git clone user@host:/path/to/repo.git local

should never run code controlled by "repo.git" as "user@host". But
doing:

  ssh user@host 'cd /path/to/repo.git && git log'

will respect the .git/config in repo.git, which may include arbitrary
commands.

-Peff
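
An added example, not part of the message above and not git's own code: a pre-checkout audit of a repository's .gitmodules that reports every submodule.*.update value and whether it falls inside the known-good list the message refers to. The list checkout/rebase/merge/none is an assumption stated from general knowledge of git (the message only cites the line range), audit_gitmodules is a hypothetical name, the parser is deliberately simplified, and the sample file is constructed.

```python
import re

# Modes git copies from .gitmodules into .git/config. This list comes from
# general knowledge of git; the message only cites git-submodule.sh 622-637.
KNOWN_GOOD = {"checkout", "rebase", "merge", "none"}

SUBMODULE = re.compile(r'^\[submodule\s+"(.*)"\]$')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

def audit_gitmodules(text):
    """Return (submodule, value, verdict) for each 'update' entry.

    Simplified parser: no inline comments, continuations or includes.
    """
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            m = SUBMODULE.match(line)
            current = m.group(1) if m else None  # ignore other sections
            continue
        kv = KEYVAL.match(line)
        if current is None or not kv or kv.group(1).lower() != "update":
            continue
        value = kv.group(2).strip().strip('"')
        if value in KNOWN_GOOD:
            verdict = "ok"
        elif value.startswith("!"):
            verdict = "command"   # only honoured from the user's .git/config
        else:
            verdict = "unknown"
        findings.append((current, value, verdict))
    return findings

# Constructed sample, not taken from any real repository.
SAMPLE = """\
[submodule "libfoo"]
    path = libfoo
    update = rebase
[submodule "tools"]
    path = tools
    update = !echo constructed-placeholder
[submodule "docs"]
    update = fetch-only
"""

if __name__ == "__main__":
    for name, value, verdict in audit_gitmodules(SAMPLE):
        print(f"{verdict:8} submodule.{name}.update = {value}")
```

Running the same check over .git/config instead shows which entries the local user has opted into, which is the side of the boundary where arbitrary commands are permitted.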
