git@vger.kernel.org mailing list mirror (one of many)
From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
	Jeff King <peff@peff.net>,
	Johannes Schindelin <johannes.schindelin@gmx.de>,
	Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH v3 3/6] Revert "core.hooksPath: add some protection while cloning"
Date: Mon, 20 May 2024 20:22:02 +0000
Message-ID: <57db89a14977bdff01f8f82cb4d6f85cc49d4b55.1716236526.git.gitgitgadget@gmail.com>
In-Reply-To: <pull.1732.v3.git.1716236526.gitgitgadget@gmail.com>

From: Johannes Schindelin <johannes.schindelin@gmx.de>

This defense-in-depth was intended to protect the clone operation
against future escalations where bugs in `git clone` allowing
attackers to write arbitrary files in the `.git/` directory would allow
for Remote Code Execution attacks via maliciously-placed hooks.

However, it turns out that the `core.hooksPath` protection has
unintentional side effects so severe that they do not justify the
benefit of the protections. For example, it has been reported in
https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/
that the following invocation, which is intended to make `git clone`
safer, is itself broken by that protective measure:

	git clone --config core.hooksPath=/dev/null <url>

Since it turns out that the benefit does not justify the cost, let's revert
20f3588efc6 (core.hooksPath: add some protection while cloning,
2024-03-30).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 config.c        | 13 +------------
 t/t1800-hook.sh | 15 ---------------
 2 files changed, 1 insertion(+), 27 deletions(-)

diff --git a/config.c b/config.c
index 85b37f2ee09..8c1c4071f0d 100644
--- a/config.c
+++ b/config.c
@@ -1525,19 +1525,8 @@ static int git_default_core_config(const char *var, const char *value, void *cb)
 	if (!strcmp(var, "core.attributesfile"))
 		return git_config_pathname(&git_attributes_file, var, value);
 
-	if (!strcmp(var, "core.hookspath")) {
-		if (current_config_scope() == CONFIG_SCOPE_LOCAL &&
-		    git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0))
-			die(_("active `core.hooksPath` found in the local "
-			      "repository config:\n\t%s\nFor security "
-			      "reasons, this is disallowed by default.\nIf "
-			      "this is intentional and the hook should "
-			      "actually be run, please\nrun the command "
-			      "again with "
-			      "`GIT_CLONE_PROTECTION_ACTIVE=false`"),
-			    value);
+	if (!strcmp(var, "core.hookspath"))
 		return git_config_pathname(&git_hooks_path, var, value);
-	}
 
 	if (!strcmp(var, "core.bare")) {
 		is_bare_repository_cfg = git_config_bool(var, value);
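Review bot: the hunk removes the `GIT_CLONE_PROTECTION_ACTIVE` check from `git_default_core_config()` wholesale, so a local `core.hooksPath` is honoured again whatever its value, while the only breakage the commit message cites is the `core.hooksPath=/dev/null` case; the commit message should say why a narrower fix (exempting values that cannot hold hooks, or only dying when the path lies inside the repository) was rejected in favour of a full revert. It should also state whether `GIT_CLONE_PROTECTION_ACTIVE` is still consulted elsewhere after this change, since this hunk only drops one consumer of it, and any documentation that still tells users to set `GIT_CLONE_PROTECTION_ACTIVE=false` for `core.hooksPath` (the wording of the removed `die()`) should be updated in the same series.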
diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh
index 7ee12e6f48a..2ef3579fa7c 100755
--- a/t/t1800-hook.sh
+++ b/t/t1800-hook.sh
@@ -177,19 +177,4 @@ test_expect_success 'git hook run a hook with a bad shebang' '
 	test_cmp expect actual
 '
 
-test_expect_success 'clone protections' '
-	test_config core.hooksPath "$(pwd)/my-hooks" &&
-	mkdir -p my-hooks &&
-	write_script my-hooks/test-hook <<-\EOF &&
-	echo Hook ran $1
-	EOF
-
-	git hook run test-hook 2>err &&
-	grep "Hook ran" err &&
-	test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
-		git hook run test-hook 2>err &&
-	grep "active .core.hooksPath" err &&
-	! grep "Hook ran" err
-'
-
 test_done
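Review bot: deleting the whole 'clone protections' test leaves t1800 with no assertion that a local `core.hooksPath` is honoured by `git hook run`, yet that is exactly the behaviour this revert restores. Only the `test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true ...` half and its `grep "active .core.hooksPath" err` need to go; consider keeping the positive half (`test_config core.hooksPath "$(pwd)/my-hooks"`, `git hook run test-hook 2>err`, `grep "Hook ran" err`) under a new name so that a future re-introduction of the check cannot silently break `core.hooksPath` again.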
-- 
gitgitgadget
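The following shell script is an added example, not part of this patch or of git.git. It shows what the `git clone -c core.hooksPath=/dev/null <url>` invocation from the commit message is meant to guarantee: a `pre-commit` hook planted in the clone's `.git/hooks` does not run while the local `core.hooksPath` is `/dev/null`, and does run once that setting is removed. On a Git carrying the reverted check, running the same clone with `GIT_CLONE_PROTECTION_ACTIVE=true` would have died with the "active `core.hooksPath` found in the local repository config" message quoted in the removed hunk. The script assumes a `git` binary on PATH; the upstream repository, the hook and the marker file are all constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the patch or from git.git): what
# `git clone -c core.hooksPath=/dev/null` buys you, demonstrated end to end.
set -eu

command -v git >/dev/null 2>&1 || { echo "git not found on PATH" >&2; exit 0; }

# Constructed "upstream": a throwaway repository with a single commit.
make_upstream() {
  up=$1
  git -c init.defaultBranch=main init -q "$up"
  echo hello >"$up/README"
  git -C "$up" add README
  git -C "$up" -c user.name=ex -c user.email=ex@example.invalid \
    commit -q -m init
}

# Clones with the hooks directory disabled and prints the value that
# `git clone -c` wrote into the new repository's local config.
clone_without_hooks() {
  up=$1; dst=$2
  git clone -q -c core.hooksPath=/dev/null "$up" "$dst"
  git -C "$dst" config --local core.hooksPath
}

# Plants a pre-commit hook that touches a marker file, makes a commit and
# prints "ran" or "skipped" depending on whether the hook executed.
# With core.hooksPath=/dev/null Git looks for /dev/null/pre-commit, which
# cannot exist, so nothing under .git/hooks is consulted.
commit_and_probe_hook() {
  dst=$1
  marker=$dst/hook-ran
  rm -f "$marker"
  mkdir -p "$dst/.git/hooks"
  printf '#!/bin/sh\ntouch "%s"\n' "$marker" >"$dst/.git/hooks/pre-commit"
  chmod +x "$dst/.git/hooks/pre-commit"
  echo change >>"$dst/README"
  git -C "$dst" -c user.name=ex -c user.email=ex@example.invalid \
    commit -q -am probe
  if [ -e "$marker" ]; then echo ran; else echo skipped; fi
}

# Walks through both states: hooks disabled by the clone-time config,
# then re-enabled by unsetting it.
demo() {
  tmp=$(mktemp -d)
  make_upstream "$tmp/up"
  echo "core.hooksPath in clone: $(clone_without_hooks "$tmp/up" "$tmp/clone")"
  echo "hook with /dev/null hooksPath: $(commit_and_probe_hook "$tmp/clone")"
  git -C "$tmp/clone" config --unset core.hooksPath
  echo "hook after unsetting hooksPath: $(commit_and_probe_hook "$tmp/clone")"
  rm -rf "$tmp"
}

demo
```

The hook is written into `.git/hooks` by the script itself because that is the only way to get a file there without a bug in `git clone`; the point of the `/dev/null` setting is that even a hook which does land there is never executed, which is why the reverted check breaking this exact invocation was worse than the protection it offered.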

Thread overview: 54+ messages
2024-05-17 23:15 [PATCH 0/8] Various fixes for v2.45.1 and friends Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 1/8] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 2/8] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 3/8] Revert "core.hooksPath: add some protection while cloning" Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-18  0:10   ` Junio C Hamano
2024-05-18 18:58     ` Johannes Schindelin
2024-05-17 23:15 ` [PATCH 5/8] hook(clone protections): add escape hatch Johannes Schindelin via GitGitGadget
2024-05-18  0:21   ` Junio C Hamano
2024-05-17 23:15 ` [PATCH 6/8] hooks(clone protections): special-case current Git LFS hooks Johannes Schindelin via GitGitGadget
2024-05-18  0:20   ` Junio C Hamano
2024-05-17 23:15 ` [PATCH 7/8] hooks(clone protections): simplify templates hooks validation Johannes Schindelin via GitGitGadget
2024-05-17 23:15 ` [PATCH 8/8] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-17 23:52 ` [PATCH 0/8] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-18  0:02   ` Johannes Schindelin
2024-05-18 10:32 ` [PATCH v2 " Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 1/8] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 2/8] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 3/8] Revert "core.hooksPath: add some protection while cloning" Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 4/8] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 5/8] hook(clone protections): add escape hatch Johannes Schindelin via GitGitGadget
2024-05-18 18:14     ` Jeff King
2024-05-18 18:54       ` Junio C Hamano
2024-05-18 19:35         ` Jeff King
2024-05-18 19:37         ` Johannes Schindelin
2024-05-18 19:32       ` Johannes Schindelin
2024-05-18 19:47         ` Jeff King
2024-05-18 20:06           ` Johannes Schindelin
2024-05-18 21:12             ` Jeff King
2024-05-19  1:15               ` Junio C Hamano
2024-05-20 16:05                 ` Johannes Schindelin
2024-05-20 18:18                   ` Junio C Hamano
2024-05-20 19:38                     ` Johannes Schindelin
2024-05-20 20:07                       ` Junio C Hamano
2024-05-20 21:03                       ` Johannes Schindelin
2024-05-18 10:32   ` [PATCH v2 6/8] hooks(clone protections): special-case current Git LFS hooks Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 7/8] hooks(clone protections): simplify templates hooks validation Johannes Schindelin via GitGitGadget
2024-05-18 10:32   ` [PATCH v2 8/8] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-18 17:07   ` [PATCH v2 0/8] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-18 19:22     ` Johannes Schindelin
2024-05-18 20:13       ` Johannes Schindelin
2024-05-20 20:21   ` [PATCH v3 0/6] " Johannes Schindelin via GitGitGadget
2024-05-20 20:22     ` [PATCH v3 1/6] hook: plug a new memory leak Johannes Schindelin via GitGitGadget
2024-05-20 20:22     ` [PATCH v3 2/6] init: use the correct path of the templates directory again Johannes Schindelin via GitGitGadget
2024-05-20 20:22     ` Johannes Schindelin via GitGitGadget [this message]
2024-05-20 20:22     ` [PATCH v3 4/6] tests: verify that `clone -c core.hooksPath=/dev/null` works again Johannes Schindelin via GitGitGadget
2024-05-20 20:22     ` [PATCH v3 5/6] clone: drop the protections where hooks aren't run Johannes Schindelin via GitGitGadget
2024-05-20 20:22     ` [PATCH v3 6/6] Revert "Add a helper function to compare file contents" Johannes Schindelin via GitGitGadget
2024-05-20 23:56     ` [PATCH v3 0/6] Various fixes for v2.45.1 and friends Junio C Hamano
2024-05-21  5:33       ` Junio C Hamano
2024-05-21 18:14         ` Junio C Hamano
2024-05-21 22:33     ` brian m. carlson
2024-05-21 22:40       ` Junio C Hamano
2024-05-21 23:04       ` Junio C Hamano