git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: "Randall S. Becker" <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>,
	"'Lukas Straub'" <lukasstraub2@web.de>
Cc: "'git'" <git@vger.kernel.org>,
	"'Elijah Newren'" <newren@gmail.com>,
	"'Brandon Williams'" <bwilliams.eng@gmail.com>,
	"'Johannes Schindelin'" <Johannes.Schindelin@gmx.de>,
	"'Jeff King'" <peff@peff.net>
Subject: RE: [RFC PATCH 0/2] Allow adding .git files and directories
Date: Wed, 19 Aug 2020 14:47:18 -0400	[thread overview]
Message-ID: <04aa01d67659$2dc217b0$89464710$@nexbridge.com> (raw)
In-Reply-To: <xmqqr1s2tswd.fsf@gitster.c.googlers.com>

On August 19, 2020 2:04 PM, Junio C Hamano
> To: Lukas Straub <lukasstraub2@web.de>
> Cc: git <git@vger.kernel.org>; Elijah Newren <newren@gmail.com>;
> Brandon Williams <bwilliams.eng@gmail.com>; Johannes Schindelin
> <Johannes.Schindelin@gmx.de>; Jeff King <peff@peff.net>
> Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories
> 
> Lukas Straub <lukasstraub2@web.de> writes:
> 
> > These patches allow this and work well in a quick test. Of course some
> > tests fail because with this the handling of nested git repos changed.
> 
> In other words, this breaks the workflow existing users rely on, right?  I
do
> not know if such a behaviour ever needs to exist even as an opt-in
feature,
> but it definitely feels wrong to make the behaviour these patches
introduce
> the default.

I am concerned about broader implications. I might be stating the obvious,
but a key security vulnerability that would open up here is to put contents
of files like .git/config into a repository. This capability would allow
scripts to be introduced without the explicit knowledge of the user. While
I'm sure some of the heavy clean/smudge users might appreciate it, this can
represent a vector for the introduction of hostile code into an environment.
While this enhancement seems like a good idea on the surface, if it goes
forward, it should not be the default and should not be under the control of
the upstream repository. You would need loads of warnings about potential
script hazards at the very least presented to the user, beyond what is
already documented in git. This change would not interoperate with JGit -
not that that is a huge concern here, but heavy Jenkins and other pipeline
users could be significantly impacted.

Just putting my CSIO hat on here. We would need a system-wide setting to
prohibit users from using this capability.

Sincerely,
Randall

-- Brief whoami:
 NonStop developer since approximately 211288444200000000
 UNIX developer since approximately 421664400
-- In my real life, I talk too much.




  reply	other threads:[~2020-08-19 18:47 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-19 16:43 Lukas Straub
2020-08-19 16:43 ` [RFC PATCH 1/2] dir/read-cache: " Lukas Straub
2020-08-19 16:43 ` [RFC PATCH 2/2] dir: Recurse into nested git repos if they aren't submodules Lukas Straub
2020-08-19 18:03 ` [RFC PATCH 0/2] Allow adding .git files and directories Junio C Hamano
2020-08-19 18:47   ` Randall S. Becker [this message]
2020-08-19 19:09     ` Junio C Hamano
2020-08-19 19:23       ` Randall S. Becker
2020-08-19 20:17       ` Jeff King
2020-08-19 20:32         ` Junio C Hamano
2020-08-19 20:38           ` Jeff King
2020-08-19 21:56             ` Randall S. Becker
2020-08-20 10:16             ` Johannes Schindelin
2020-08-20 11:34             ` Lukas Straub
2020-08-20 13:01               ` Jeff King
2020-08-21 12:39                 ` Lukas Straub
2020-08-21 13:11                   ` Randall S. Becker
2020-08-21 22:52                   ` brian m. carlson
2020-08-22 14:21                     ` Lukas Straub
2020-08-22 18:53                       ` brian m. carlson
2020-08-22 19:12                         ` Lukas Straub
2020-08-24 13:52                           ` Johannes Schindelin
2020-08-20 12:37         ` Lukas Straub
2020-08-20 13:08           ` Jeff King
2020-08-19 19:22     ` Lukas Straub
2020-08-19 18:47   ` Lukas Straub
2020-08-19 19:16     ` Randall S. Becker
2020-08-20 11:46       ` Lukas Straub

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='04aa01d67659$2dc217b0$89464710$@nexbridge.com' \
    --to=rsbecker@nexbridge.com \
    --cc=Johannes.Schindelin@gmx.de \
    --cc=bwilliams.eng@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=lukasstraub2@web.de \
    --cc=newren@gmail.com \
    --cc=peff@peff.net \
    --subject='RE: [RFC PATCH 0/2] Allow adding .git files and directories' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).