From: Jeff King <peff@peff.net>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Michael McClimon <michael@mcclimon.org>, git@vger.kernel.org
Subject: Re: [PATCH v2 2/2] setup: allow Git.pm to do unsafe repo checking
Date: Sat, 22 Oct 2022 16:55:59 -0400 [thread overview]
Message-ID: <Y1RY38RULkqd9pBN@coredump.intra.peff.net> (raw)
In-Reply-To: <221022.86eduzeiek.gmgdl@evledraar.gmail.com>
On Sat, Oct 22, 2022 at 09:45:14PM +0200, Ævar Arnfjörð Bjarmason wrote:
> The vulnerability safe.directory was supposed to address was one where
> you'd set your fsmonitor hook via a config variable, so running "diff",
> "status" etc. would unexpectedly execute arbitrary code.
>
> Especially on Windows where apparently the equivalent of the root of a
> shared mounted volume routinely has global write permissions (user's
> subdirectories being less permissive).
>
> An alternative I raised on the security list was to narrowly target just
> the fsmonitor config, since that was the vulnerability.
>
> [...]
>
> I'm unaware of any other variable(s) that provide a similar vector, and
> safe.directory is encouraging users (especially in core.sharedRepository
> settings) to mark a dir as "safe", and we'd then later have an exploit
> from a user with rw access who'd use the fsmonitor hook vector.
Here are a few off the top of my head that you can trigger via git-diff:
- core.pager will run an arbitrary program
- pager.diff will run an arbitrary program
- diff.*.textconv runs an arbitrary program; you need matching
.gitattributes, but those are under the control of the repository.
(not diff.*.command, though, as you need to pass --ext-diff)
- browser/man paths if you run "git diff --help"
And of course as you expand the set of commands there are more options.
E.g., credential helper commands if you do anything that wants auth,
interactive diff-filter for "add -p", hooks for git-commit, git-push,
etc. Those commands are less likely to be run in an untrusted repository
than inspection commands like "status" or "diff", but the boundary is
getting quite fuzzy.
fsmonitor _might_ be the only one that is triggered by git-prompt.sh,
because it has a limited command palette, generally reads (or sends to
/dev/null) the stdout of commands (preventing pager invocation), and
doesn't do text diffs (so no textconv). Even if true, I'm not sure if
that's a good place to draw the line, though. People do tend to run "git
log" themselves.
-Peff
next prev parent reply other threads:[~2022-10-22 20:57 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-16 21:22 [PATCH 0/1] Git.pm: add semicolon after catch statement Michael McClimon
2022-10-16 21:22 ` [PATCH 1/1] " Michael McClimon
2022-10-16 23:18 ` Jeff King
2022-10-17 2:17 ` Michael McClimon
2022-10-17 17:34 ` Jeff King
2022-10-18 1:39 ` Michael McClimon
2022-11-10 15:10 ` Johannes Schindelin
2022-11-10 21:41 ` Jeff King
2022-10-22 1:19 ` [PATCH v2 0/2] Fix behavior of Git.pm in unsafe bare repositories Michael McClimon
2022-10-22 1:19 ` [PATCH v2 1/2] Git.pm: add semicolon after catch statement Michael McClimon
2022-10-22 1:19 ` [PATCH v2 2/2] setup: allow Git.pm to do unsafe repo checking Michael McClimon
2022-10-22 5:29 ` Junio C Hamano
2022-10-22 21:18 ` Jeff King
2022-10-22 23:17 ` Junio C Hamano
2022-10-22 19:45 ` Ævar Arnfjörð Bjarmason
2022-10-22 20:55 ` Jeff King [this message]
2022-10-24 10:57 ` Ævar Arnfjörð Bjarmason
2022-10-24 23:38 ` Jeff King
2022-10-22 21:16 ` Jeff King
2022-10-22 22:08 ` Jeff King
2022-10-22 23:19 ` Michael McClimon
2022-10-24 23:33 ` Jeff King
2022-10-22 23:14 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1RY38RULkqd9pBN@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=michael@mcclimon.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).