From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: [PATCH v2 5/8] hook(clone protections): add escape hatch
Date: Sat, 18 May 2024 11:54:41 -0700 [thread overview]
Message-ID: <xmqqmsonne6m.fsf@gitster.g> (raw)
In-Reply-To: <20240518181432.GA1570600@coredump.intra.peff.net> (Jeff King's message of "Sat, 18 May 2024 14:14:32 -0400")
Jeff King <peff@peff.net> writes:
> In either case, we're considering config to be a trusted source of
> truth, so I think the security properties are the same. But for the
> system here, a user updating a hook needs to do multiple steps:
>
> - compute the sha256 of the hook (for which we provide no tooling
> support, though hopefully it is obvious how to use other tools)
>
> - add the config for the sha256
>
> - install the new hook into $GIT_DIR/hooks
I am not sure why any of the above is needed.
Hmph.
I was somehow (because that is how "git config --help" explains
"safe.hook.*") led to believe that this "safety" was only about "git
clone would prefer not to run ANY hook before it finishes operation
and gives back the control to the end user, but historically it ran
any enabled hooks in the resulting repository that was freshly
created by it---so let's at least make sure the contents of the
hooks are known-to-be-good ones when 'git clone' runs the hooks".
Most importantly, once "git clone" gives control back to the end
user and the end user had a chance to inspect the resulting
repository, the files in $GIT_DIR/hooks can be updated and the hooks
will run without incurring any cost of checking.
Isn't that what happens?
Looking at the control flow, hook.c:find_hook() is the one that
calls the function is_hook_safe_during_clone() to reject "unsafe"
ones (and allow the white-listed ones), but I do not know offhand
how the code limits the rejection only during clone. So perhaps
this set of patches need further work to restrict the checks only to
"while we are cloning" case?
next prev parent reply other threads:[~2024-05-18 18:54 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-17 23:15 [PATCH 0/8] Various fixes for v2.45.1 and friends Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 1/8] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 2/8] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 3/8] Revert "core.hooksPath: add some protection while cloning" Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-18 0:10 ` Junio C Hamano
2024-05-18 18:58 ` Johannes Schindelin
2024-05-17 23:15 ` [PATCH 5/8] hook(clone protections): add escape hatch Johannes Schindelin via GitGitGadget
2024-05-18 0:21 ` Junio C Hamano
2024-05-17 23:15 ` [PATCH 6/8] hooks(clone protections): special-case current Git LFS hooks Johannes Schindelin via GitGitGadget
2024-05-18 0:20 ` Junio C Hamano
2024-05-17 23:15 ` [PATCH 7/8] hooks(clone protections): simplify templates hooks validation Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 8/8] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-17 23:52 ` [PATCH 0/8] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-18 0:02 ` Johannes Schindelin
2024-05-18 10:32 ` [PATCH v2 " Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 1/8] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 2/8] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 3/8] Revert "core.hooksPath: add some protection while cloning" Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 5/8] hook(clone protections): add escape hatch Johannes Schindelin via GitGitGadget
2024-05-18 18:14 ` Jeff King
2024-05-18 18:54 ` Junio C Hamano [this message]
2024-05-18 19:35 ` Jeff King
2024-05-18 19:37 ` Johannes Schindelin
2024-05-18 19:32 ` Johannes Schindelin
2024-05-18 19:47 ` Jeff King
2024-05-18 20:06 ` Johannes Schindelin
2024-05-18 21:12 ` Jeff King
2024-05-19 1:15 ` Junio C Hamano
2024-05-20 16:05 ` Johannes Schindelin
2024-05-20 18:18 ` Junio C Hamano
2024-05-20 19:38 ` Johannes Schindelin
2024-05-20 20:07 ` Junio C Hamano
2024-05-20 21:03 ` Johannes Schindelin
2024-05-18 10:32 ` [PATCH v2 6/8] hooks(clone protections): special-case current Git LFS hooks Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 7/8] hooks(clone protections): simplify templates hooks validation Johannes Schindelin via GitGitGadget
2024-05-18 10:32 ` [PATCH v2 8/8] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-18 17:07 ` [PATCH v2 0/8] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-18 19:22 ` Johannes Schindelin
2024-05-18 20:13 ` Johannes Schindelin
2024-05-20 20:21 ` [PATCH v3 0/6] " Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 1/6] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 2/6] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 3/6] Revert "core.hooksPath: add some protection while cloning" Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 4/6] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 5/6] clone: drop the protections where hooks aren't run Johannes Schindelin via GitGitGadget
2024-05-20 20:22 ` [PATCH v3 6/6] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-20 23:56 ` [PATCH v3 0/6] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-21 5:33 ` Junio C Hamano
2024-05-21 18:14 ` Junio C Hamano
2024-05-21 22:33 ` brian m. carlson
2024-05-21 22:40 ` Junio C Hamano
2024-05-21 23:04 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqmsonne6m.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=johannes.schindelin@gmx.de \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).