* GIT Hooks and security
@ 2013-10-25 22:02 Olivier Revollat
2013-10-25 22:14 ` Junio C Hamano
0 siblings, 1 reply; 6+ messages in thread
From: Olivier Revollat @ 2013-10-25 22:02 UTC (permalink / raw)
To: git
I was wondering : What if I had a "malicious" GIT repository who can
"inject" code via git hooks mechanism : someone clone my repo and
some malicious code is executed when a certain GIT hook is triggered
(for example on commit ("prepare-commit-msg' hook)) ? What if I email
/etc/passwd for exemple ?
Does GIT's hooks security is assured by the GIT user privileges ? but
git user can still read /etc/passwd and make something fun with it :)
Is it by the trust relationship ? I mean, If I clone a repo, I
certainly knew the source and I trusted it ... isn't it ?
But if I have a website with file injection vulnerability and I can
replace the git hook script with another (malicious) content ...
I'm maybe "paranoid" :) but I'm just asking the question ... just for
my curiosity's sake :)
Thanks for your comments and explanations :)
--
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
percent imagination.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: GIT Hooks and security 2013-10-25 22:02 GIT Hooks and security Olivier Revollat @ 2013-10-25 22:14 ` Junio C Hamano 2013-10-25 22:25 ` Olivier Revollat 0 siblings, 1 reply; 6+ messages in thread From: Junio C Hamano @ 2013-10-25 22:14 UTC (permalink / raw) To: Olivier Revollat; +Cc: git Olivier Revollat <revollat@gmail.com> writes: > I was wondering : What if I had a "malicious" GIT repository who can > "inject" code via git hooks mechanism : someone clone my repo and > some malicious code is executed when a certain GIT hook is triggered > (for example on commit ("prepare-commit-msg' hook)) In that somebody else's clone, you will not have _your_ malicious hook installed, unless that cloner explicitly does something stupid, like copying that malicious hook. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: GIT Hooks and security 2013-10-25 22:14 ` Junio C Hamano @ 2013-10-25 22:25 ` Olivier Revollat 2013-10-26 0:17 ` Bryan Turner 0 siblings, 1 reply; 6+ messages in thread From: Olivier Revollat @ 2013-10-25 22:25 UTC (permalink / raw) To: Junio C Hamano; +Cc: git But when someone do a "clone" he don't have .git/hooks directory downloaded to his local computer ? I thought so ... 2013/10/26 Junio C Hamano <gitster@pobox.com>: > Olivier Revollat <revollat@gmail.com> writes: > >> I was wondering : What if I had a "malicious" GIT repository who can >> "inject" code via git hooks mechanism : someone clone my repo and >> some malicious code is executed when a certain GIT hook is triggered >> (for example on commit ("prepare-commit-msg' hook)) > > In that somebody else's clone, you will not have _your_ malicious > hook installed, unless that cloner explicitly does something stupid, > like copying that malicious hook. -- Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: GIT Hooks and security 2013-10-25 22:25 ` Olivier Revollat @ 2013-10-26 0:17 ` Bryan Turner 2013-10-26 9:27 ` Olivier Revollat 0 siblings, 1 reply; 6+ messages in thread From: Bryan Turner @ 2013-10-26 0:17 UTC (permalink / raw) To: Olivier Revollat; +Cc: Git Users No, the .git/hooks directory in your clone is created from your local templates, installed with your Git distribution, not the remote hooks. On Linux distributions, these templates are often in someplace like /usr/share/git-core/templates (for normal packages), and on Windows with msysgit they are in share\git-core\templates under your installation directory. If you look in this directory you will see a hooks directory containing the sample hooks. Hooks from a remote repository are never cloned. As far as I'm aware, nothing from the .git directory (aside from refs and packs, of course) is cloned, including configuration. Your .git directory after a clone is completely new, assembled from scratch. There's nothing in the Git wire protocol (currently) for moving other data like configuration or hooks, and this sort of malicious code injection is one of the reasons I've seen discussed on the list for why that's the case. Hope this helps, Bryan Turner On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote: > > But when someone do a "clone" he don't have .git/hooks directory > downloaded to his local computer ? I thought so ... > > 2013/10/26 Junio C Hamano <gitster@pobox.com>: > > Olivier Revollat <revollat@gmail.com> writes: > > > >> I was wondering : What if I had a "malicious" GIT repository who can > >> "inject" code via git hooks mechanism : someone clone my repo and > >> some malicious code is executed when a certain GIT hook is triggered > >> (for example on commit ("prepare-commit-msg' hook)) > > > > In that somebody else's clone, you will not have _your_ malicious > > hook installed, unless that cloner explicitly does something stupid, > > like copying that malicious hook. > > > > -- > Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 > percent imagination. > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: GIT Hooks and security 2013-10-26 0:17 ` Bryan Turner @ 2013-10-26 9:27 ` Olivier Revollat 2013-10-26 9:39 ` Ondřej Bílka 0 siblings, 1 reply; 6+ messages in thread From: Olivier Revollat @ 2013-10-26 9:27 UTC (permalink / raw) To: Bryan Turner; +Cc: Git Users Very helpful :) thanks ! 2013/10/26 Bryan Turner <bturner@atlassian.com>: > No, the .git/hooks directory in your clone is created from your local > templates, installed with your Git distribution, not the remote hooks. > On Linux distributions, these templates are often in someplace like > /usr/share/git-core/templates (for normal packages), and on Windows > with msysgit they are in share\git-core\templates under your > installation directory. If you look in this directory you will see a > hooks directory containing the sample hooks. > > Hooks from a remote repository are never cloned. As far as I'm aware, > nothing from the .git directory (aside from refs and packs, of course) > is cloned, including configuration. Your .git directory after a clone > is completely new, assembled from scratch. There's nothing in the Git > wire protocol (currently) for moving other data like configuration or > hooks, and this sort of malicious code injection is one of the reasons > I've seen discussed on the list for why that's the case. > > Hope this helps, > Bryan Turner > > > On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote: >> >> But when someone do a "clone" he don't have .git/hooks directory >> downloaded to his local computer ? I thought so ... >> >> 2013/10/26 Junio C Hamano <gitster@pobox.com>: >> > Olivier Revollat <revollat@gmail.com> writes: >> > >> >> I was wondering : What if I had a "malicious" GIT repository who can >> >> "inject" code via git hooks mechanism : someone clone my repo and >> >> some malicious code is executed when a certain GIT hook is triggered >> >> (for example on commit ("prepare-commit-msg' hook)) >> > >> > In that somebody else's clone, you will not have _your_ malicious >> > hook installed, unless that cloner explicitly does something stupid, >> > like copying that malicious hook. >> >> >> >> -- >> Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 >> percent imagination. >> -- >> To unsubscribe from this list: send the line "unsubscribe git" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: GIT Hooks and security 2013-10-26 9:27 ` Olivier Revollat @ 2013-10-26 9:39 ` Ondřej Bílka 0 siblings, 0 replies; 6+ messages in thread From: Ondřej Bílka @ 2013-10-26 9:39 UTC (permalink / raw) To: Olivier Revollat; +Cc: Bryan Turner, Git Users > 2013/10/26 Bryan Turner <bturner@atlassian.com>: > > No, the .git/hooks directory in your clone is created from your local > > templates, installed with your Git distribution, not the remote hooks. > > On Linux distributions, these templates are often in someplace like > > /usr/share/git-core/templates (for normal packages), and on Windows > > with msysgit they are in share\git-core\templates under your > > installation directory. If you look in this directory you will see a > > hooks directory containing the sample hooks. > > > > Hooks from a remote repository are never cloned. As far as I'm aware, > > nothing from the .git directory (aside from refs and packs, of course) > > is cloned, including configuration. Your .git directory after a clone > > is completely new, assembled from scratch. There's nothing in the Git > > wire protocol (currently) for moving other data like configuration or > > hooks, and this sort of malicious code injection is one of the reasons > > I've seen discussed on the list for why that's the case. > > > > Hope this helps, > > Bryan Turner > > > > > > On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote: > >> > >> But when someone do a "clone" he don't have .git/hooks directory > >> downloaded to his local computer ? I thought so ... > >> > >> 2013/10/26 Junio C Hamano <gitster@pobox.com>: > >> > Olivier Revollat <revollat@gmail.com> writes: > >> > > >> >> I was wondering : What if I had a "malicious" GIT repository who can > >> >> "inject" code via git hooks mechanism : someone clone my repo and > >> >> some malicious code is executed when a certain GIT hook is triggered > >> >> (for example on commit ("prepare-commit-msg' hook)) > >> > > >> > In that somebody else's clone, you will not have _your_ malicious > >> > hook installed, unless that cloner explicitly does something stupid, > >> > like copying that malicious hook. > >> Also copying hooks is relatively low risk, real hackers hide exploits in 1MB configure scripts. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-10-26 9:39 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-10-25 22:02 GIT Hooks and security Olivier Revollat 2013-10-25 22:14 ` Junio C Hamano 2013-10-25 22:25 ` Olivier Revollat 2013-10-26 0:17 ` Bryan Turner 2013-10-26 9:27 ` Olivier Revollat 2013-10-26 9:39 ` Ondřej Bílka
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).