From: Bryan Turner <bturner@atlassian.com>
To: Olivier Revollat <revollat@gmail.com>
Cc: Git Users <git@vger.kernel.org>
Subject: Re: GIT Hooks and security
Date: Sat, 26 Oct 2013 11:17:33 +1100
Message-ID: <CAGyf7-HCEQy2hUnc6UvABDrwYatoUEiPnpXo-e9_8wtbhvN0mw@mail.gmail.com>
In-Reply-To: <CA+nXgrUcpfya+rTPzfRafzJbK1khNqtz-HsaKeGfdA86AepKEg@mail.gmail.com>
No, the .git/hooks directory in your clone is created from your local
templates, installed with your Git distribution, not the remote hooks.
On Linux distributions, these templates are often in someplace like
/usr/share/git-core/templates (for normal packages), and on Windows
with msysgit they are in share\git-core\templates under your
installation directory. If you look in this directory you will see a
hooks directory containing the sample hooks.
Hooks from a remote repository are never cloned. As far as I'm aware,
nothing from the .git directory (aside from refs and packs, of course)
is cloned, including configuration. Your .git directory after a clone
is completely new, assembled from scratch. There's nothing in the Git
wire protocol (currently) for moving other data like configuration or
hooks, and this sort of malicious code injection is one of the reasons
I've seen discussed on the list for why that's the case.
Hope this helps,
Bryan Turner
On 26 October 2013 09:25, Olivier Revollat <revollat@gmail.com> wrote:
>
> But when someone does a "clone", doesn't he have the .git/hooks directory
> downloaded to his local computer? I thought so ...
>
> 2013/10/26 Junio C Hamano <gitster@pobox.com>:
> > Olivier Revollat <revollat@gmail.com> writes:
> >
> >> I was wondering: what if I had a "malicious" GIT repository which can
> >> "inject" code via the git hooks mechanism: someone clones my repo and
> >> some malicious code is executed when a certain GIT hook is triggered
> >> (for example on commit (the "prepare-commit-msg" hook))
> >
> > In that somebody else's clone, you will not have _your_ malicious
> > hook installed, unless that cloner explicitly does something stupid,
> > like copying that malicious hook.
>
> --
> Mathematics is made of 50 percent formulas, 50 percent proofs, and 50
> percent imagination.
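A small audit script, added here as an illustration and not part of Bryan's message or of Git itself. It takes the layout Bryan describes as its assumption: a template root with a `hooks/` subdirectory holding `*.sample` files, and a clone whose `.git/hooks` should contain nothing but untouched copies of those samples. It reports any live hook (a file without the `.sample` suffix, which Git will run if it is executable) and any sample that is missing from or differs from the template, which is what you would check when you suspect a hook has been dropped into a working copy by something other than `git clone`. The directories used in `demo()` are constructed in a temporary folder so the script runs offline.

```python
"""Audit a clone's .git/hooks against the local Git template directory.

Assumed layout (illustration only): <template_dir>/hooks/<name>.sample
and <repo_dir>/.git/hooks/. A fresh clone should carry only unmodified
copies of the template samples; anything else is reported.
"""
import filecmp
import shutil
import stat
import tempfile
from pathlib import Path


def is_executable(path: Path) -> bool:
    """True if any execute bit is set; Git only runs hooks that are executable."""
    return bool(path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def audit_hooks(repo_dir, template_dir):
    """Return a sorted list of (hook_file, reason) findings for one clone."""
    hooks_dir = Path(repo_dir) / ".git" / "hooks"
    samples_dir = Path(template_dir) / "hooks"
    findings = []
    if not hooks_dir.is_dir():
        return findings  # nothing to audit (e.g. core.hooksPath points elsewhere)
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix == ".sample":
            # Samples are inert; still confirm they match what the template shipped.
            sample = samples_dir / entry.name
            if not sample.is_file():
                findings.append((entry.name, "sample not present in template"))
            elif not filecmp.cmp(str(entry), str(sample), shallow=False):
                findings.append((entry.name, "sample differs from template"))
            continue
        # No .sample suffix: this is a live hook that did not come from the template.
        reason = "live hook, executable" if is_executable(entry) else "live hook, not executable"
        findings.append((entry.name, reason))
    return findings


def demo():
    """Build a constructed template, a clean clone and a tampered clone, then audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        template = root / "templates"
        (template / "hooks").mkdir(parents=True)
        sample = template / "hooks" / "pre-commit.sample"
        sample.write_text("#!/bin/sh\n# constructed sample hook\n")

        # Clean clone: only the sample, byte-identical to the template copy.
        clean = root / "clean"
        (clean / ".git" / "hooks").mkdir(parents=True)
        shutil.copy(sample, clean / ".git" / "hooks" / sample.name)

        # Tampered clone: same sample plus an executable live pre-commit hook.
        tampered = root / "tampered"
        (tampered / ".git" / "hooks").mkdir(parents=True)
        shutil.copy(sample, tampered / ".git" / "hooks" / sample.name)
        live = tampered / ".git" / "hooks" / "pre-commit"
        live.write_text("#!/bin/sh\necho 'constructed live hook'\n")
        live.chmod(0o755)

        return audit_hooks(clean, template), audit_hooks(tampered, template)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean clone:", clean_findings)        # expected: []
    print("tampered clone:", tampered_findings)  # expected: one live, executable pre-commit
```

On a real machine you would pass the clone path and the template directory Bryan names (for example `/usr/share/git-core/templates`, or whatever `git config init.templateDir` reports if it is set); a non-empty result for a clone you have just made is the signal to stop and look at how that hook got there.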
Thread overview: 6+ messages
2013-10-25 22:02 GIT Hooks and security Olivier Revollat
2013-10-25 22:14 ` Junio C Hamano
2013-10-25 22:25 ` Olivier Revollat
2013-10-26 0:17 ` Bryan Turner [this message]
2013-10-26 9:27 ` Olivier Revollat
2013-10-26 9:39 ` Ondřej Bílka