From: "Ondřej Bílka" <neleai@seznam.cz>
To: Olivier Revollat <revollat@gmail.com>
Cc: Bryan Turner <bturner@atlassian.com>, Git Users <git@vger.kernel.org>
Subject: Re: GIT Hooks and security
Date: Sat, 26 Oct 2013 11:39:48 +0200 [thread overview]
Message-ID: <20131026093948.GA17645@domone.podge> (raw)
In-Reply-To: <CA+nXgrWBue1A9KBXaRwRPi7qFNsrz8CnoyLrdhbALeo=7xborQ@mail.gmail.com>
> 2013/10/26 Bryan Turner <bturner@atlassian.com>:
> > No, the .git/hooks directory in your clone is created from your local
> > templates, installed with your Git distribution, not the remote hooks.
> > On Linux distributions, these templates are often in someplace like
> > /usr/share/git-core/templates (for normal packages), and on Windows
> > with msysgit they are in share\git-core\templates under your
> > installation directory. If you look in this directory you will see a
> > hooks directory containing the sample hooks.
> >
> > Hooks from a remote repository are never cloned. As far as I'm aware,
> > nothing from the .git directory (aside from refs and packs, of course)
> > is cloned, including configuration. Your .git directory after a clone
> > is completely new, assembled from scratch. There's nothing in the Git
> > wire protocol (currently) for moving other data like configuration or
> > hooks, and this sort of malicious code injection is one of the reasons
> > I've seen discussed on the list for why that's the case.
> >
> > Hope this helps,
> > Bryan Turner
> >
> >
> > On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote:
> >>
> >> But when someone does a "clone", he doesn't have the .git/hooks directory
> >> downloaded to his local computer? I thought so ...
> >>
> >> 2013/10/26 Junio C Hamano <gitster@pobox.com>:
> >> > Olivier Revollat <revollat@gmail.com> writes:
> >> >
> >> >> I was wondering: What if I had a "malicious" GIT repository which can
> >> >> "inject" code via the git hooks mechanism: someone clones my repo and
> >> >> some malicious code is executed when a certain GIT hook is triggered
> >> >> (for example on commit (the "prepare-commit-msg" hook))
> >> >
> >> > In that somebody else's clone, you will not have _your_ malicious
> >> > hook installed, unless that cloner explicitly does something stupid,
> >> > like copying that malicious hook.
> >>
Also, copying hooks is relatively low risk; real hackers hide exploits in
1MB configure scripts.
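An added demonstration of the point made in this thread (not code from any of the posters): a POSIX shell script that lists the hooks git would actually run in a repository (executable files under .git/hooks that are not *.sample, which is what the template directory installs) and, when git is on PATH, clones a repository whose own .git/hooks contains a hook to show that the fresh clone has no active hooks at all. The function names, the temporary repository layout and the hook contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.

# Print the names of hooks git would execute for the repository at $1.
# The template directory installs "*.sample" files, which git ignores,
# so only executable files without that suffix count as active.
active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    for f in "$hooks_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$f" in *.sample) continue ;; esac
        basename "$f"
    done
}

# Number of active hooks in the repository at $1, printed on stdout.
count_active_hooks() {
    active_hooks "$1" | wc -l | tr -d ' '
}

# Build an "origin" repository whose own .git/hooks holds a harmless
# prepare-commit-msg hook, clone it, and print the clone's active hook
# count. As Bryan explains above, .git/hooks is never transferred, so
# the clone is assembled from the local templates and the count is 0.
clone_hook_count() {
    work=$(mktemp -d)
    git -C "$work" init -q origin
    git -C "$work/origin" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m init
    mkdir -p "$work/origin/.git/hooks"
    # Constructed, harmless hook: it only echoes a line.
    printf '#!/bin/sh\necho hook ran\n' > "$work/origin/.git/hooks/prepare-commit-msg"
    chmod +x "$work/origin/.git/hooks/prepare-commit-msg"
    git clone -q "$work/origin" "$work/clone"
    count_active_hooks "$work/clone"
    rm -rf "$work"
}

if command -v git >/dev/null 2>&1; then
    echo "active hooks in a fresh clone of a repo carrying its own hook: $(clone_hook_count)"
else
    echo "git not found; skipping the clone demonstration"
fi
```

Running `active_hooks .` in any clone you have been handed is a quick way to confirm that nothing beyond the template samples is installed, which is the case Junio describes as requiring the cloner to copy a hook by hand.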
Thread overview: 6+ messages
2013-10-25 22:02 GIT Hooks and security Olivier Revollat
2013-10-25 22:14 ` Junio C Hamano
2013-10-25 22:25 ` Olivier Revollat
2013-10-26 0:17 ` Bryan Turner
2013-10-26 9:27 ` Olivier Revollat
2013-10-26 9:39 ` Ondřej Bílka [this message]