From: Jeff King <peff@peff.net>
To: Ryan Lortie <desrt@desrt.ca>
Cc: git@vger.kernel.org, Chris Packham <judge.packham@gmail.com>,
Junio C Hamano <gitster@pobox.com>
Subject: Re: git submodule: update=!command
Date: Tue, 17 Mar 2015 15:50:31 -0400
Message-ID: <20150317195030.GA18725@peff.net>
In-Reply-To: <1426620537.1785877.241673949.72FB3B40@webmail.messagingengine.com>

On Tue, Mar 17, 2015 at 03:28:57PM -0400, Ryan Lortie wrote:
> The first is a question about git's basic policy with respect to things
> like this. I hope that it's safe to assume that running 'git' commands
> on repositories downloaded from potentially-hostile places will never
> result in the authors of those repositories being able to run code on my
> machine.

Definitely, our policy is that downloading a git repository should not
result in arbitrary code being run. If there is a case of that, it would
be a serious security bug.

I am not an expert on submodules, but I think the security model there
is:

  1. You can do whatever you like in submodule.*.update entries in
     .git/config, including arbitrary code. Nobody but the user can
     write to it.

  2. The submodule code may migrate entries from .gitmodules into
     .git/config, but does so with an allow-known-good whitelist (see
     git-submodule.sh lines 622-637).

So AFAICT there's no bug here, and the system is working as designed.
It might be worth mentioning that restriction in the submodule
documentation, if only to prevent non-malicious people from wondering
why adding "!foo" does not work in .gitmodules.

> If that is true then, the second request would be to spell this out more
> explicitly in the relevant documentation. I'm happy to write a patch to
> do that, if it is deemed appropriate.

Yeah, spelling out the security model more explicitly would be good.

There is also some subtlety around hooks. Doing:

  git clone user@host:/path/to/repo.git local

should never run code controlled by "repo.git" as "user@host". But
doing:

  ssh user@host 'cd /path/to/repo.git && git log'

will respect the .git/config in repo.git, which may include arbitrary
commands.

-Peff
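
Added example, not part of the message above and not git's own code: a small audit that reads the text of a `.gitmodules` file from an untrusted clone and reports every `submodule.<name>.update` value that falls outside a known-good list, separating `!command` entries from other unknown modes. The list `checkout`, `rebase`, `merge`, `none` is an assumption (the message does not enumerate the whitelist), the parser covers only a simplified subset of git's config syntax, and the sample file is constructed.

```python
import re

# Assumed known-good update modes; the message only says a whitelist exists.
KNOWN_MODES = {"checkout", "rebase", "merge", "none"}

SECTION_RE = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]$', re.IGNORECASE)


def submodule_update_entries(config_text):
    """Yield (submodule_name, value) for each 'update' key.

    Simplified parser: one 'key = value' per line, no line continuations,
    no quoted values, no inline comments, no include directives.
    """
    name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            m = SECTION_RE.match(line)
            name = m.group(1) if m else None  # ignore non-submodule sections
            continue
        if name is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "update":
            yield name, value


def audit_gitmodules(config_text):
    """Return (name, value, kind) for every update value not in KNOWN_MODES."""
    findings = []
    for name, value in submodule_update_entries(config_text):
        if value in KNOWN_MODES:
            continue
        kind = "command" if value.startswith("!") else "unknown-mode"
        findings.append((name, value, kind))
    return findings


# Constructed sample .gitmodules content (not taken from any real repository).
SAMPLE = """
[submodule "lib/a"]
    path = lib/a
    update = rebase
[submodule "lib/b"]
    path = lib/b
    update = !./run-me.sh
[submodule "lib/c"]
    update = fancy
"""
```

The same function can be pointed at the user's own `.git/config` text to list `!command` entries that are already trusted there, which is worth reviewing before running git inside a repository someone else controls.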