git.vger.kernel.org archive mirror
* GIT Hooks and security
@ 2013-10-25 22:02 Olivier Revollat
  2013-10-25 22:14 ` Junio C Hamano
  0 siblings, 1 reply; 6+ messages in thread
From: Olivier Revollat @ 2013-10-25 22:02 UTC (permalink / raw)
  To: git

I was wondering: what if I had a "malicious" GIT repository that can
"inject" code via the git hooks mechanism: someone clones my repo and
some malicious code is executed when a certain GIT hook is triggered
(for example on commit (the "prepare-commit-msg" hook))? What if I email
/etc/passwd, for example?

Is GIT hooks' security assured by the GIT user's privileges? But the
git user can still read /etc/passwd and do something fun with it :)

Is it by the trust relationship? I mean, if I clone a repo, I
certainly know the source and I trust it ... don't I?
But what if I have a website with a file injection vulnerability and I can
replace the git hook script with other (malicious) content ...

Maybe I'm "paranoid" :) but I'm just asking the question ... just for
curiosity's sake :)

Thanks for your comments and explanations :)

-- 

Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
percent imagination.


* Re: GIT Hooks and security
  2013-10-25 22:02 GIT Hooks and security Olivier Revollat
@ 2013-10-25 22:14 ` Junio C Hamano
  2013-10-25 22:25   ` Olivier Revollat
  0 siblings, 1 reply; 6+ messages in thread
From: Junio C Hamano @ 2013-10-25 22:14 UTC (permalink / raw)
  To: Olivier Revollat; +Cc: git

Olivier Revollat <revollat@gmail.com> writes:

> I was wondering: what if I had a "malicious" GIT repository that can
> "inject" code via the git hooks mechanism: someone clones my repo and
> some malicious code is executed when a certain GIT hook is triggered
> (for example on commit (the "prepare-commit-msg" hook))

In that somebody else's clone, you will not have _your_ malicious
hook installed, unless that cloner explicitly does something stupid,
like copying that malicious hook.


* Re: GIT Hooks and security
  2013-10-25 22:14 ` Junio C Hamano
@ 2013-10-25 22:25   ` Olivier Revollat
  2013-10-26  0:17     ` Bryan Turner
  0 siblings, 1 reply; 6+ messages in thread
From: Olivier Revollat @ 2013-10-25 22:25 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

But when someone does a "clone", doesn't he get the .git/hooks directory
downloaded to his local computer? I thought so ...

2013/10/26 Junio C Hamano <gitster@pobox.com>:
> Olivier Revollat <revollat@gmail.com> writes:
>
>> I was wondering: what if I had a "malicious" GIT repository that can
>> "inject" code via the git hooks mechanism: someone clones my repo and
>> some malicious code is executed when a certain GIT hook is triggered
>> (for example on commit (the "prepare-commit-msg" hook))
>
> In that somebody else's clone, you will not have _your_ malicious
> hook installed, unless that cloner explicitly does something stupid,
> like copying that malicious hook.



-- 
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
percent imagination.


* Re: GIT Hooks and security
  2013-10-25 22:25   ` Olivier Revollat
@ 2013-10-26  0:17     ` Bryan Turner
  2013-10-26  9:27       ` Olivier Revollat
  0 siblings, 1 reply; 6+ messages in thread
From: Bryan Turner @ 2013-10-26  0:17 UTC (permalink / raw)
  To: Olivier Revollat; +Cc: Git Users

No, the .git/hooks directory in your clone is created from your local
templates, installed with your Git distribution, not the remote hooks.
On Linux distributions, these templates are often in someplace like
/usr/share/git-core/templates (for normal packages), and on Windows
with msysgit they are in share\git-core\templates under your
installation directory. If you look in this directory you will see a
hooks directory containing the sample hooks.

Hooks from a remote repository are never cloned. As far as I'm aware,
nothing from the .git directory (aside from refs and packs, of course)
is cloned, including configuration. Your .git directory after a clone
is completely new, assembled from scratch. There's nothing in the Git
wire protocol (currently) for moving other data like configuration or
hooks, and this sort of malicious code injection is one of the reasons
I've seen discussed on the list for why that's the case.

Hope this helps,
Bryan Turner


On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote:
>
> But when someone does a "clone", doesn't he get the .git/hooks directory
> downloaded to his local computer? I thought so ...
>
> 2013/10/26 Junio C Hamano <gitster@pobox.com>:
> > Olivier Revollat <revollat@gmail.com> writes:
> >
> >> I was wondering: what if I had a "malicious" GIT repository that can
> >> "inject" code via the git hooks mechanism: someone clones my repo and
> >> some malicious code is executed when a certain GIT hook is triggered
> >> (for example on commit (the "prepare-commit-msg" hook))
> >
> > In that somebody else's clone, you will not have _your_ malicious
> > hook installed, unless that cloner explicitly does something stupid,
> > like copying that malicious hook.
>
>
>
> --
> Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
> percent imagination.
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
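Bryan's explanation can be checked directly. The script below is an added example, not code from this thread or from the Git project: it builds a throwaway source repository with a harmless pre-commit hook, clones it, and counts the hooks that would actually run in each repository. It assumes `git` is on PATH and works only in temporary directories; `list_active_hooks`, `count_active_hooks` and `demo_clone_drops_hooks` are helper functions defined here, not git commands.

```shell
#!/bin/sh
# Added example (not from the thread): show that a hook placed in the
# source repository's .git/hooks is not carried over by "git clone", and
# give a small audit helper for the hooks that ARE active in a clone.
# Assumes git is on PATH; all repositories live in a temp dir.
set -eu

# list_active_hooks REPO
# Print the hooks git would actually run for REPO: executable files
# directly under .git/hooks whose name does not end in ".sample".
# (The *.sample files come from the local template directory, as Bryan
# describes, and are inert until renamed.)
list_active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    find "$hooks_dir" -maxdepth 1 -type f ! -name '*.sample' -perm -100 | sort
}

# count_active_hooks REPO: number of active hooks, as a plain integer
count_active_hooks() {
    list_active_hooks "$1" | wc -l | tr -d ' '
}

# demo_clone_drops_hooks
# Build a source repo with a harmless pre-commit hook, clone it, and print
# "<active hooks in source> <active hooks in clone>", e.g. "1 0".
demo_clone_drops_hooks() {
    work=$(mktemp -d)
    src="$work/src"
    clone="$work/clone"

    git init -q "$src"
    git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial commit"

    # The hook lives in the SOURCE repo's .git/hooks. It only ever runs
    # for commits made inside $src, never in anyone's clone of it.
    mkdir -p "$src/.git/hooks"
    printf '#!/bin/sh\necho "pre-commit hook ran in source repo" >&2\n' \
        > "$src/.git/hooks/pre-commit"
    chmod +x "$src/.git/hooks/pre-commit"

    git clone -q "$src" "$clone"

    src_n=$(count_active_hooks "$src")
    clone_n=$(count_active_hooks "$clone")
    rm -rf "$work"
    echo "$src_n $clone_n"
}

# Run stand-alone: prints "1 0" on a standard git installation.
demo_clone_drops_hooks
```

The clone ends up with nothing but the template's `*.sample` files, so the only way the remote hook becomes active is Junio's case: the cloner copies it into their own `.git/hooks` by hand. One caveat for an audit on newer Git versions: if `core.hooksPath` is set, git runs hooks from that directory instead of `.git/hooks`, so a check like `list_active_hooks` should also look at `git config core.hooksPath`.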


* Re: GIT Hooks and security
  2013-10-26  0:17     ` Bryan Turner
@ 2013-10-26  9:27       ` Olivier Revollat
  2013-10-26  9:39         ` Ondřej Bílka
  0 siblings, 1 reply; 6+ messages in thread
From: Olivier Revollat @ 2013-10-26  9:27 UTC (permalink / raw)
  To: Bryan Turner; +Cc: Git Users

Very helpful :) thanks !

2013/10/26 Bryan Turner <bturner@atlassian.com>:
> No, the .git/hooks directory in your clone is created from your local
> templates, installed with your Git distribution, not the remote hooks.
> On Linux distributions, these templates are often in someplace like
> /usr/share/git-core/templates (for normal packages), and on Windows
> with msysgit they are in share\git-core\templates under your
> installation directory. If you look in this directory you will see a
> hooks directory containing the sample hooks.
>
> Hooks from a remote repository are never cloned. As far as I'm aware,
> nothing from the .git directory (aside from refs and packs, of course)
> is cloned, including configuration. Your .git directory after a clone
> is completely new, assembled from scratch. There's nothing in the Git
> wire protocol (currently) for moving other data like configuration or
> hooks, and this sort of malicious code injection is one of the reasons
> I've seen discussed on the list for why that's the case.
>
> Hope this helps,
> Bryan Turner
>
>
> On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote:
>>
>> But when someone does a "clone", doesn't he get the .git/hooks directory
>> downloaded to his local computer? I thought so ...
>>
>> 2013/10/26 Junio C Hamano <gitster@pobox.com>:
>> > Olivier Revollat <revollat@gmail.com> writes:
>> >
>> >> I was wondering: what if I had a "malicious" GIT repository that can
>> >> "inject" code via the git hooks mechanism: someone clones my repo and
>> >> some malicious code is executed when a certain GIT hook is triggered
>> >> (for example on commit (the "prepare-commit-msg" hook))
>> >
>> > In that somebody else's clone, you will not have _your_ malicious
>> > hook installed, unless that cloner explicitly does something stupid,
>> > like copying that malicious hook.
>>
>>
>>
>> --
>> Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
>> percent imagination.
>> --
>> To unsubscribe from this list: send the line "unsubscribe git" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
percent imagination.


* Re: GIT Hooks and security
  2013-10-26  9:27       ` Olivier Revollat
@ 2013-10-26  9:39         ` Ondřej Bílka
  0 siblings, 0 replies; 6+ messages in thread
From: Ondřej Bílka @ 2013-10-26  9:39 UTC (permalink / raw)
  To: Olivier Revollat; +Cc: Bryan Turner, Git Users

> 2013/10/26 Bryan Turner <bturner@atlassian.com>:
> > No, the .git/hooks directory in your clone is created from your local
> > templates, installed with your Git distribution, not the remote hooks.
> > On Linux distributions, these templates are often in someplace like
> > /usr/share/git-core/templates (for normal packages), and on Windows
> > with msysgit they are in share\git-core\templates under your
> > installation directory. If you look in this directory you will see a
> > hooks directory containing the sample hooks.
> >
> > Hooks from a remote repository are never cloned. As far as I'm aware,
> > nothing from the .git directory (aside from refs and packs, of course)
> > is cloned, including configuration. Your .git directory after a clone
> > is completely new, assembled from scratch. There's nothing in the Git
> > wire protocol (currently) for moving other data like configuration or
> > hooks, and this sort of malicious code injection is one of the reasons
> > I've seen discussed on the list for why that's the case.
> >
> > Hope this helps,
> > Bryan Turner
> >
> >
> > On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote:
> >>
> >> But when someone does a "clone", doesn't he get the .git/hooks directory
> >> downloaded to his local computer? I thought so ...
> >>
> >> 2013/10/26 Junio C Hamano <gitster@pobox.com>:
> >> > Olivier Revollat <revollat@gmail.com> writes:
> >> >
> >> >> I was wondering: what if I had a "malicious" GIT repository that can
> >> >> "inject" code via the git hooks mechanism: someone clones my repo and
> >> >> some malicious code is executed when a certain GIT hook is triggered
> >> >> (for example on commit (the "prepare-commit-msg" hook))
> >> >
> >> > In that somebody else's clone, you will not have _your_ malicious
> >> > hook installed, unless that cloner explicitly does something stupid,
> >> > like copying that malicious hook.
> >>
Also, copying hooks is relatively low risk; real hackers hide exploits in
1MB configure scripts.
